Hi Caleb Anthony. Caleb Anthony have written on Wed, 17 May 2017 15:42:44 -0600:
> Hello, > > Compression is enabled on a few backends, but not on the backend that > traffic is going to for these requests. However, IIS is configured to > compress the traffic. > > HA-Proxy version 1.6.11 2016/12/25 [snipp] > Here is my config, hopefully with the internal things sanitized with > "XXX" it still makes sense. If not I can send one off list. I also > removed all the backends other than the one that the traffic is going > to. I also am doing this on my phone, so hopefully the formatting > isn't a total mess... Well sorry but which frontend / backend combo is relevant in this XXX stuff?! > global > > daemon > > description XXX > > group haproxy > > log 127.0.0.1 local0 > > node XXX > > spread-checks 3 > > tune.bufsize 32768 > > user haproxy > > > > defaults > > balance source > > errorfile 408 /dev/null > > mode http > > option abortonclose > > option allbackups > > option contstats > > option forwardfor > > option http-keep-alive > > option httpchk > > option httplog > > option prefer-last-server > > option redispatch > > option splice-auto > > option tcp-smart-accept > > option tcp-smart-connect Are you sure that all this options are requierd for all your backends? Regards Aleks > stats enable > > stats refresh 30s > > stats show-desc XXX > > stats show-legends > > stats show-node XXX > > stats uri /haproxy_stats > > timeout client 180s # Timeout applies when the > client is expected to acknowledge or send data > > timeout connect 15s # Maximum time to wait for a > connection attempt to a server to succeed > > timeout http-keep-alive 30s # How long to wait for a new > HTTP request after a response was sent > > timeout http-request 30s # This timeout only applies > to the header part of the request > > timeout server 180s # Timeout applies when the > server is expected to acknowledge or send data > > > > mailers XXX_Mailers > > mailer XXX_SMTP XXX:25 > > > > # XXX > > resolvers XXX_Resolvers > > nameserver XXX > > nameserver XXX > > > > resolvers XXX_Resolvers > > nameserver XXX > > nameserver XXX > > > > resolvers XXX_Resolvers > > nameserver XXX > > nameserver XXX > > > > resolvers XXX_Resolvers > > nameserver XXX > > nameserver XXX > > > > resolvers XXX_Resolvers > > nameserver XXX > > nameserver XXX > > > > frontend XXX_HTTP > > bind *:80 defer-accept > > > > # Host header ACLs > > #----------------------------------------------------------- > -------------------------------------- > > acl XXX hdr(host) -m reg -i XXX > > acl XXX_val hdr(host) -m reg -i XXX > > acl XXX_dev hdr(host) -m reg -i XXX > > > > acl XXX hdr(host) -m reg -i XXX > > acl XXX_val hdr(host) -m reg -i XXX > > acl XXX_dev hdr(host) -m reg -i XXX > > > > acl XXX hdr(host) -m reg -i XXX > > acl XXX hdr(host) -m reg -i XXX > > acl XXX hdr(host) -m reg -i XXX > > > > # Project ACLs > > #----------------------------------------------------------- > -------------------------------------- > > acl XXX url_beg -i /XXX > > acl XXX url_beg -i /XXX > > acl XXX url_beg -i /XXX > > acl XXX url_beg -i /XXX > > acl XXX url_beg -i /XXX > > acl XXX url_beg -i /XXX > > acl XXX url_beg -i /XXX > > > > # Crawler ACLs > > #----------------------------------------------------------- > -------------------------------------- > > acl crawler hdr(User-Agent) -m sub -i XXX > > > > # Backend ACLs > > #----------------------------------------------------------- > -------------------------------------- > > acl XXX nbsrv(XXX) eq 1 > > acl XXX nbsrv(XXX) eq 1 > > > > # Bypass ACLs > > #----------------------------------------------------------- > -------------------------------------- > > acl XXX req.cook(XXX) -m found > > > > log global > > > > # Delete some headers > > #----------------------------------------------------------- > -------------------------------------- > > # Force the use of NTLM > > # rspidel ^WWW-Authenticate:\ Negotiate$ > > > > # Request routing > > #----------------------------------------------------------- > -------------------------------------- > > # XXX > > use_backend XXX if XXX > > use_backend XXX if XXX > > > > # XXX > > use_backend XXX if XXX > > > > # If XXX cookie is set, go direct to the XXX backend, > otherwise > > # try the XXX backend first, with a failover to the XXX > backend if needed > > # XXX Production > > use_backend XXX if XXX > > use_backend XXX if XXX > > use_backend XXX if XXX > > > > use_backend XXX if XXX > > use_backend XXX if XXX > > use_backend XXX if XXX > > > > # XXX Validation > > use_backend XXX if XXX > > use_backend XXX if XXX > > use_backend XXX if XXX > > > > use_backend XXX if XXX > > use_backend XXX if XXX > > use_backend XXX if XXX > > > > # XXX Development > > use_backend XXX if XXX > > use_backend XXX if XXX > > use_backend XXX if XXX > > > > use_backend XXX if XXX > > use_backend XXX if XXX > > use_backend XXX if XXX > > > > #XXX > > use_backend XXX if XXX > > > > #XXX > > use_backend XXX if XXX > > > > # XXX > > use_backend XXX if XXX > > > > # XXX > > use_backend XXX if XXX > > > > # All other traffic > > use_backend XXX if XXX > > use_backend XXX if XXX > > use_backend XXX if XXX > > > > frontend XXX_Monitor > > bind *:81-83 > > log global > > monitor-uri / > > option forceclose > > > > #----------------------------------------------------------- > ---------------------------------------------------------------- > > > > backend XXX_Production_HTTP > > email-alert mailers XXX_Mailers > > email-alert from XXX > > email-alert level notice > > email-alert to XXX > > > > server XXX XXX:80 check inter 5s port 81 resolvers > XXX_Resolvers slowstart 60s > > server XXX XXX:80 check inter 5s port 81 resolvers > XXX_Resolvers slowstart 60s > > > > server XXX XXX:80 backup check inter 5s port 81 resolvers > XXX_Resolvers > > server XXX XXX:80 backup check inter 5s port 81 resolvers > XXX_Resolvers > > server XXX XXX:80 backup check inter 5s port 81 resolvers > XXX_Resolvers > > server XXX XXX:80 backup check inter 5s port 81 resolvers > XXX_Resolvers > > server XXX XXX:80 backup check inter 5s port 81 resolvers > XXX_Resolvers > > server XXX XXX:80 backup check inter 5s port 81 resolvers > XXX_Resolvers > > server XXX XXX:80 backup check inter 5s port 81 resolvers > XXX_Resolvers > > server XXX XXX:80 backup check inter 5s port 81 resolvers > XXX_ResolversOn May 16, 2017 3:08 PM, "Aleksandar Lazic" > <al-hapr...@none.at> wrote: > > Hi Caleb Anthony. > > Caleb Anthony have written on Mon, 15 May 2017 19:10:30 -0600: > > > Hello All, > > > > I've got a strange issue with our deployment of HAProxy 1.6 where a > > user will make a request to a page, and as each page element comes > > in, the time taken shown on each file downloaded in the IE developer > > tools increases by a factor of 3, until finally the user is prompted > > for credentials, but the page load never continues. I should mention > > that this is an ASP.NET web application running with Integrated > > Windows Authentication on IIS 8. I know, I know, IE + IIS + IWA = > > terrible, but it's hard for the enterprise to not use these > > platforms internally, especially the IWA single sign on part. > > > > So a request looks like this in the developer tools: > > > > mainpage.aspx - HTTP 200 - 130.04KB - 421ms > > css file - HTTP 200 - 1.51KB - 296ms > > css file - HTTP 200 - 14.93KB - 0.96s > > css file - HTTP 200 - 13.99KB - 2.73s > > css file - HTTP 200 - 29.92KB - 8.14s > > css file - HTTP 200 - 23.44KB - 24.36s > > webresource.axd - Pending - Pending - Pending (this is where the > > user is prompted for credentials) > > > > And on that last file is where it then prompts for credentials, > > which never works because I believe that HAProxy has hit the > > timeout and closed the connection, and breaking IWA. > > > > I should mention that our HAProxy server works great 99.9% of the > > time, and we do a lot of L7 load balancing on different URLs, and > > host headers, and we handle a good amount of traffic that returns > > page elements in ms, and it also handles Integrated Windows Auth > > fine > > - most of the time. It's just these occasional things that have me > > at a loss. > > > > Any suggestions from the mailing list? > > Is compression enabled? > In more general way. > Please can you send us the output of haproxy -vv and the haproxy conf, > thanks > > Can you reproduce this behavior only for one client/enduser or for > several? > > Regards > aleks >
