Hello,

Compression is enabled on a few backends, but not on the backend that traffic is going to for these requests. However, IIS is configured to compress the traffic.

HA-Proxy version 1.6.11 2016/12/25
Copyright 2000-2016 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
  OPTIONS = USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.38 2015-11-23
Running on PCRE version : 8.38 2015-11-23
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300, test result OK
       poll : pref=200, test result OK
     select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Here is my config, hopefully with the internal things sanitized with "XXX" it still makes sense. If not I can send one off list. I also removed all the backends other than the one that the traffic is going to. I also am doing this on my phone, so hopefully the formatting isn't a total mess...

global
    daemon
    description XXX
    group haproxy
    log 127.0.0.1 local0
    node XXX
    spread-checks 3
    tune.bufsize 32768
    user haproxy

defaults
    balance source
    errorfile 408 /dev/null
    mode http
    option abortonclose
    option allbackups
    option contstats
    option forwardfor
    option http-keep-alive
    option httpchk
    option httplog
    option prefer-last-server
    option redispatch
    option splice-auto
    option tcp-smart-accept
    option tcp-smart-connect
    stats enable
    stats refresh 30s
    stats show-desc XXX
    stats show-legends
    stats show-node XXX
    stats uri /haproxy_stats
    timeout client 180s # Timeout applies when the client is expected to acknowledge or send data
    timeout connect 15s # Maximum time to wait for a connection attempt to a server to succeed
    timeout http-keep-alive 30s # How long to wait for a new HTTP request after a response was sent
    timeout http-request 30s # This timeout only applies to the header part of the request
    timeout server 180s # Timeout applies when the server is expected to acknowledge or send data

mailers XXX_Mailers
    mailer XXX_SMTP XXX:25

# XXX
resolvers XXX_Resolvers
    nameserver XXX
    nameserver XXX

resolvers XXX_Resolvers
    nameserver XXX
    nameserver XXX

resolvers XXX_Resolvers
    nameserver XXX
    nameserver XXX

resolvers XXX_Resolvers
    nameserver XXX
    nameserver XXX

resolvers XXX_Resolvers
    nameserver XXX
    nameserver XXX

frontend XXX_HTTP
    bind *:80 defer-accept

    # Host header ACLs
    #-------------------------------------------------------------------------------------------------
    acl XXX hdr(host) -m reg -i XXX
    acl XXX_val hdr(host) -m reg -i XXX
    acl XXX_dev hdr(host) -m reg -i XXX
    acl XXX hdr(host) -m reg -i XXX
    acl XXX_val hdr(host) -m reg -i XXX
    acl XXX_dev hdr(host) -m reg -i XXX
    acl XXX hdr(host) -m reg -i XXX
    acl XXX hdr(host) -m reg -i XXX
    acl XXX hdr(host) -m reg -i XXX

    # Project ACLs
    #-------------------------------------------------------------------------------------------------
    acl XXX url_beg -i /XXX
    acl XXX url_beg -i /XXX
    acl XXX url_beg -i /XXX
    acl XXX url_beg -i /XXX
    acl XXX url_beg -i /XXX
    acl XXX url_beg -i /XXX
    acl XXX url_beg -i /XXX

    # Crawler ACLs
    #-------------------------------------------------------------------------------------------------
    acl crawler hdr(User-Agent) -m sub -i XXX

    # Backend ACLs
    #-------------------------------------------------------------------------------------------------
    acl XXX nbsrv(XXX) eq 1
    acl XXX nbsrv(XXX) eq 1

    # Bypass ACLs
    #-------------------------------------------------------------------------------------------------
    acl XXX req.cook(XXX) -m found

    log global

    # Delete some headers
    #-------------------------------------------------------------------------------------------------
    # Force the use of NTLM
    # rspidel ^WWW-Authenticate:\ Negotiate$

    # Request routing
    #-------------------------------------------------------------------------------------------------
    # XXX
    use_backend XXX if XXX
    use_backend XXX if XXX

    # XXX
    use_backend XXX if XXX

    # If XXX cookie is set, go direct to the XXX backend, otherwise
    # try the XXX backend first, with a failover to the XXX backend if needed

    # XXX Production
    use_backend XXX if XXX
    use_backend XXX if XXX
    use_backend XXX if XXX
    use_backend XXX if XXX
    use_backend XXX if XXX
    use_backend XXX if XXX

    # XXX Validation
    use_backend XXX if XXX
    use_backend XXX if XXX
    use_backend XXX if XXX
    use_backend XXX if XXX
    use_backend XXX if XXX
    use_backend XXX if XXX

    # XXX Development
    use_backend XXX if XXX
    use_backend XXX if XXX
    use_backend XXX if XXX
    use_backend XXX if XXX
    use_backend XXX if XXX
    use_backend XXX if XXX

    #XXX
    use_backend XXX if XXX

    #XXX
    use_backend XXX if XXX

    # XXX
    use_backend XXX if XXX

    # XXX
    use_backend XXX if XXX

    # All other traffic
    use_backend XXX if XXX
    use_backend XXX if XXX
    use_backend XXX if XXX

frontend XXX_Monitor
    bind *:81-83
    log global
    monitor-uri /
    option forceclose

#---------------------------------------------------------------------------------------------------------------------------

backend XXX_Production_HTTP
    email-alert mailers XXX_Mailers
    email-alert from XXX
    email-alert level notice
    email-alert to XXX
    server XXX XXX:80 check inter 5s port 81 resolvers XXX_Resolvers slowstart 60s
    server XXX XXX:80 check inter 5s port 81 resolvers XXX_Resolvers slowstart 60s
    server XXX XXX:80 backup check inter 5s port 81 resolvers XXX_Resolvers
    server XXX XXX:80 backup check inter 5s port 81 resolvers XXX_Resolvers
    server XXX XXX:80 backup check inter 5s port 81 resolvers XXX_Resolvers
    server XXX XXX:80 backup check inter 5s port 81 resolvers XXX_Resolvers
    server XXX XXX:80 backup check inter 5s port 81 resolvers XXX_Resolvers
    server XXX XXX:80 backup check inter 5s port 81 resolvers XXX_Resolvers
    server XXX XXX:80 backup check inter 5s port 81 resolvers XXX_Resolvers
    server XXX XXX:80 backup check inter 5s port 81 resolvers XXX_Resolvers

On May 16, 2017 3:08 PM, "Aleksandar Lazic" <[email protected]> wrote:

Hi Caleb Anthony.

Caleb Anthony has written on Mon, 15 May 2017 19:10:30 -0600:

> Hello All,
>
> I've got a strange issue with our deployment of HAProxy 1.6 where a
> user will make a request to a page, and as each page element comes
> in, the time taken shown on each file downloaded in the IE developer
> tools increases by a factor of 3, until finally the user is prompted
> for credentials, but the page load never continues. I should mention
> that this is an ASP.NET web application running with Integrated
> Windows Authentication on IIS 8. I know, I know, IE + IIS + IWA =
> terrible, but it's hard for the enterprise to not use these platforms
> internally, especially the IWA single sign on part.
>
> So a request looks like this in the developer tools:
>
> mainpage.aspx - HTTP 200 - 130.04KB - 421ms
> css file - HTTP 200 - 1.51KB - 296ms
> css file - HTTP 200 - 14.93KB - 0.96s
> css file - HTTP 200 - 13.99KB - 2.73s
> css file - HTTP 200 - 29.92KB - 8.14s
> css file - HTTP 200 - 23.44KB - 24.36s
> webresource.axd - Pending - Pending - Pending (this is where the user
> is prompted for credentials)
>
> And on that last file is where it then prompts for credentials, which
> never works because I believe that HAProxy has hit the timeout and
> closed the connection, breaking IWA.
>
> I should mention that our HAProxy server works great 99.9% of the
> time, and we do a lot of L7 load balancing on different URLs, and
> host headers, and we handle a good amount of traffic that returns
> page elements in ms, and it also handles Integrated Windows Auth fine
> - most of the time. It's just these occasional things that have me at
> a loss.
>
> Any suggestions from the mailing list?

Is compression enabled?

In a more general way.
Please can you send us the output of haproxy -vv and the haproxy conf, thanks

Can you reproduce this behavior only for one client/enduser or for several?

Regards
aleks

