Hello,
> Daniel, if using ssl to the backends shouldn't you use http mode?
> Per your config you are using tcp which is the default one. Afaik tcp
> is for ssl passthrough.

For the record, this is not true. Just because you need TCP mode for TLS passthrough doesn't mean you have to use HTTP mode when terminating TLS. Actually, terminating TLS while using TCP mode is a quite common configuration (for example with HTTP/2).

>> Try adding:
>> option httpclose
>> in the backend and see if that helps.
>
> Sorry, replace httpclose with http-server-close

Actually, I would have suggested the opposite: making the whole thing less expensive, by going full-blown keep-alive with http-reuse:

  option http-keep-alive
  option prefer-last-server
  timeout http-keep-alive 30s
  http-reuse safe

> global
> ulimit-n 20000

Why specify ulimit? Haproxy will do this for you, you are just asking for trouble. I suggest you remove this.

Maybe something on your backend (conntrack or the application) is rate-limiting per IP, or the aggressive client you are facing is keep-aliving properly with the backend, while it doesn't when using haproxy.

I would apply the keep-alive configurations above, and I would also suggest that you check the CPU load on your backend server as connections through haproxy become unresponsive, because that CPU can be saturated due to TLS negotiations as well.

Regards,
Lukas
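As an added example, not part of Lukas's reply or of the original poster's configuration: a minimal haproxy.cfg that terminates TLS on the frontend, re-encrypts to the backends, and applies the keep-alive and connection-reuse options quoted in the reply, with no ulimit-n in the global section. The certificate path, CA bundle path, listen port, server addresses and backend name are assumptions made for the example.

```haproxy
global
    # No ulimit-n here: haproxy derives the file-descriptor limit it
    # needs from maxconn on its own, which is the point made above.
    maxconn 20000

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout http-request 10s
    # Idle time tolerated on a kept-alive connection (from the reply).
    timeout http-keep-alive 30s

frontend fe_https
    # Certificate path is an assumption for this example.
    bind :443 ssl crt /etc/haproxy/certs/example.pem alpn h2,http/1.1
    default_backend be_app

backend be_app
    # Full keep-alive towards the servers and reuse of idle server-side
    # connections across client requests; "safe" only reuses a
    # connection for requests that are safe to retry if it turns out
    # to be dead.
    option http-keep-alive
    option prefer-last-server
    http-reuse safe
    # Re-encrypt to the backends and verify their certificates against a
    # CA bundle instead of "verify none". Addresses are assumptions.
    server app1 10.0.0.11:8443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check
    server app2 10.0.0.12:8443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check
```

Two caveats when adapting this: `option http-keep-alive`, `option prefer-last-server` and `http-reuse` only take effect in `mode http`; in `mode tcp` haproxy relays the byte stream and the client's own keep-alive behaviour passes straight through to the server, so the reuse settings change nothing there. And `verify required` with a `ca-file` is what makes the backend TLS meaningful; without it a server-side certificate is accepted unverified. Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading.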

