SOLVEDRe: haproxy + RDP

[Antonio Trujillo Carmona]

El 16/05/17 a las 23:17, Aleksandar Lazic escribió: Hi Antonio Trujillo Carmona. Antonio Trujillo Carmona have written on Mon, 15 May 2017 08:40:16 +0200: El 12/05/17 a las 11:55, Aleksandar Lazic escribió: Hi Antonio Trujillo Carmona. Antonio Trujillo Carmona have written on Fri, 12 May 2017 10:23:59 +0200: El 11/05/17 a las 15:06, Aleksandar Lazic escribió: .../ How about to activate the 'option tcp-check' as mentioned in the Warning? In the config below is it's commented, any reason why? It's also active in the doc which you maybe know. https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html Does this changes anything? ok cleaing up a liter I try: frontend RDP mode tcp bind *:3389 timeout client 1h tcp-request inspect-delay 5s tcp-request content accept if RDP_COOKIE default_backend bk_rdp ############################################################# backend bk_rdp mode tcp balance leastconn #balance rdp_coockie timeout server 1h timeout connect 4s log global option tcplog stick-table type string len 32 size 10k expire 1h peers pares stick on rdp_cookie(msthash) # persist rdp-cookie option tcp-check # option ssl-hello-chk # option tcpka tcp-check connect port 3389 ssl # server gr43sterminal01 10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3 # server gr43sterminal02 10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3 # default-server inter 3s rise 2 fall 3 server gr43sterminal01 10.104.22.142:3389 weight 1 check server gr43sterminal02 10.104.23.141:3389 weight 1 check And I got: [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal01' [/etc/haproxy/haproxy.cfg:189] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default. [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal02' [/etc/haproxy/haproxy.cfg:190] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default. [ALERT] 131/100222 (8564) : Fatal errors found in configuration. So I try adding verify none in server line and haproxy see both server up (but one is down). I try withou ssl: tcp-check connect port 3389 server gr43sterminal01 10.104.22.142:3389 weight 1 check server gr43sterminal02 10.104.23.141:3389 weight 1 check but the result is the same haproxy see both server up (but one is down) only if I leve only option tcp-check (or none) it seem work ################# # persist rdp-cookie option tcp-check # option ssl-hello-chk # option tcpka # tcp-check connect port 3389 ssl # tcp-check connect port 3389 # server gr43sterminal01 10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3 # server gr43sterminal02 10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3 # default-server inter 3s rise 2 fall 3 server gr43sterminal01 10.104.22.142:3389 weight 1 check server gr43sterminal02 10.104.23.141:3389 weight 1 check ################## output: [WARNING] 131/102105 (8773) : Server bk_rdp/gr43sterminal01 is DOWN, reason: Layer4 timeout, info: " at initial connection step of tcp-check", check duration: 3001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. So finally it works. Regards Aleks But in that mode it check server available, not service, if RDP service is down haproxy don't detect it. Maybe you will need some tcp-check squence to check the service. http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-tcp-check%20send http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-tcp-check%20send-binary I have found a perl script which checks the rdp maybe this will help you to find the right sequence. https://github.com/portcullislabs/rdp-sec-check/blob/master/rdp-sec-check.pl Regards Aleks Finally it work. The configuration last in: ############################################################# frontend RDP     mode tcp     bind *:3389     timeout client 1h     tcp-request inspect-delay 25s     tcp-request content accept if RDP_COOKIE     default_backend bk_rdp #############################################################    backend bk_rdp     mode tcp     balance leastconn     timeout server 1h     timeout connect 25s     log global     option tcplog     stick-table type string len 32 size 10k expire 1h peers pares     stick on rdp_cookie(msthash)     option tcp-check     default-server inter 3s rise 2 fall 3     server gr43sterminal01  10.107.20.38:3389 weight 1 check port 3389 inter 2000 rise 2 fall 3     server gr43sterminal02  10.107.20.39:3389 weight 1 check port 3389 inter 2000 rise 2 fall 3 The fact is that this configuration was tested priorly and it don't work, I must re-type it, and it work, maybe a typon with a unsee character was the matter. Thank for the help. -- Antonio Trujillo Carmona Técnico de redes y sistemas. Subdirección de Tecnologías de la Información y Comunicaciones Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía antonio.trujillo.s...@juntadeandalucia.es Tel. +34 670947670 747670)