Sorry, I know this list is super busy and that there are a number of other more important issues that need to be worked through but I'm hoping one of the maintainers has been able to confirm this bug?
Thanks, -Paul > On Jan 17, 2018, at 10:27 AM, Paul Lockaby <plock...@uw.edu> wrote: > > Ok I've tracked this problem down specifically to the usage of check tracking. > > That is to say, the backend "example-api" is set to track the backend > "example-http". When that tracking is enabled and one of the servers in the > backend goes down then all of haproxy goes down and never recovers. > > So this works: > > server myhost myhost.example.com:8445 ssl ca-file > /usr/local/ssl/certs/cacerts.cert > > > But this does not: > > server myhost myhost.example.com:8445 track example-http/myhost ssl > ca-file /usr/local/ssl/certs/cacerts.cert > > > This is definitely a regression from 1.7 because I used this feature in 1.7 > without issue. > > >> On Jan 16, 2018, at 10:36 PM, Paul Lockaby <plock...@uw.edu> wrote: >> >> I'm experiencing a problem that I can't diagnose but I can recreate pretty >> consistently. I have a single server that responds for example.com and >> api.example.com and it runs haproxy. All the names run through an SSL front >> door but an ACL makes it such that requests for example.com get sent to 8443 >> where Apache runs and requests for api.example.com get sent to 8445 where >> the same instance of haproxy runs and does further examination of the >> request and sends it to an application server running on localhost. >> >> This configuration works great except when I take a server out of the >> rotation by disabling it with disable-on-404. As soon as I take any server >> out of the rotation, haproxy completely stops responding to ANY requests for >> ANY backend even things that aren't part of the group such as the stats >> backend and frontend. If I put the server back in to service haproxy does >> not recover. I must restart haproxy on all hosts to recover. Nothing shows >> up in the logs and I can't figure out how to debug it such that I can >> provide more information but it's very consistently reproducible using the >> configuration below. I am running 1.8.3 and I have not tried this on 1.7 or >> earlier versions of 1.8. >> >> Thanks for your help. >> -Paul >> >> >> >> global >> log /dev/log local0 >> user nobody >> group nobody >> tune.ssl.default-dh-param 2048 >> stats socket /var/run/haproxy.sock user nobody group nobody >> daemon >> >> defaults >> timeout connect 5000ms >> timeout client 600000ms >> timeout server 600000ms >> >> option httplog >> option forwardfor >> option http-server-close >> option contstats >> >> frontend stats-frontend >> bind *:2999 >> mode http >> log global >> stats enable >> stats uri /haproxy >> >> backend stats-backend >> mode http >> log global >> server stats /var/run/haproxy.sock check >> >> frontend secured >> # get the list of certificate options from a list in a file >> bind *:443 ssl crt-list /srv/haproxy/certificates.lst >> mode http >> log global >> >> # tell backend connections what our ssl client cn is >> http-request set-header X-SSL-Client-Verify %[ssl_c_verify] >> http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn] >> http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] >> http-request set-header X-SSL-Issuer-DN %{+Q}[ssl_c_i_dn] >> http-request set-header X-SSL-Issuer-CN %{+Q}[ssl_c_i_dn(cn)] >> >> acl server-status path_beg /server- >> use_backend bogus-http if server-status >> >> # connection requests for apis go to the api backends >> acl request_api hdr_beg(Host) -i api. >> use_backend example-api if request_api >> >> default_backend example-http >> >> backend example-http >> mode http >> log global >> balance source >> hash-type consistent >> option httpchk GET /haproxy/alive.txt >> http-check disable-on-404 >> server myhost myhost.example.com:8443 check ssl ca-file >> /usr/local/ssl/certs/cacerts.cert >> >> backend bogus-http >> mode http >> errorfile 503 /netops/www/haproxy/403.http >> >> backend example-api >> mode http >> log global >> balance roundrobin >> option httpchk GET /haproxy/alive.txt >> http-check disable-on-404 >> server myhost myhost.example.com:8445 track example-http/myhost ssl >> ca-file /usr/local/ssl/certs/cacerts.cert >> >> frontend localhost-api-frontend >> bind *:8445 ssl crt /usr/local/ssl/certs/example.com.pem >> mode http >> log global >> option forwardfor if-none >> option dontlog-normal >> >> # the alerts api backend >> acl alerts-api_host hdr_beg(Host) -i api.alerts >> use_backend localhost-api-backend-alerts if alerts-api_host >> >> default_backend bogus-http >> >> backend localhost-api-backend-alerts >> mode http >> log global >> option forwardfor if-none >> option dontlog-normal >> server localhost localhost:4002 >> >> >> >> >> >> >> >> And the certificates.lst file referenced above looks like this: >> >> >> # this order is because we need to work with older clients that don't >> # speak sni and this works for them in our setup. >> /usr/local/ssl/certs/example.com.pem * >> /usr/local/ssl/certs/example.com.pem [ca-file >> /usr/local/ssl/certs/example-ca.cert verify optional] api.example.com >> >> >> > >