On 02/12/2018 04:28 PM, Franks Andy (IT Technical Architecture Manager) wrote:
Hi Fred,

Hi Franks,

Please bottom post when you reply.

   Thanks for the reply.
I have two peers synchronising (we use keepalived over the two to control which 
is live).

HAProxy config:

peers lb_replication
   peer server1 10.128.176.141:1024
   peer server2 10.128.176.142:1024

backend sourceaddr
        stick-table type ip size 10240k expire 30m peers lb_replication

frontend ft_web_ssl
        bind 0.0.0.0:443 name https ssl crt /etc/haproxy/certs/main.pem
        mode http
        option httplog

         acl is_from_outside src 192.168.110.0/24
         acl is_empty_path path /
        acl is_webmail hdr(host) -i webmail
        acl is_webmail_fqdn hdr(host) -i webmail.domain

        redirect location /owa/ code 302 if is_webmail is_empty_path ! 
is_from_outside
        redirect location /owa/ code 302 if is_webmail_fqdn is_empty_path ! 
is_from_outside
        default_backend bk_web_ssl

backend bk_web_ssl
        mode http
        option httplog
        cookie SERVERID insert nocache indirect
        stick on src table sourceaddr
        server server1 10.128.176.150:443 check ssl
        server server2 10.51.0.150:443 check ssl backup

It's fine for new connections - it records the correct server1/server2 
information. It's hard to demonstrate, but I can see when I use haproxyctl to 
clear an entry :

Haproxyctl clear table sourceaddr key <key>

Haproxy stick-table are synchronized between peers but only to create or update entries. The deletions are not synchronized.

The stick-table synchronizations are performed thanks to peers protocol (see doc/peers* files). There is nothing in this protocol which synchronize the deletions.

So you cannot reproduce your issue with haproxyctl.

The stick-table entries are cleared when they expire (exp == 0) and when there is no more usage of these entries (use == 0). As the expiry values are synchronized,the stick-table are supposed to be purged at almost the same time.

.. it doesn't clear the secondary node entry. When that entry for the client 
re-presents the expiry time on the secondary updates but the entry never clears.

I can't really include pictures on these emails, but the tables are kind of 
standard:

e.g.

0x7fa8b247a4f4: key=217.40.203.34 use=0 exp=1574957 server_id=1

Thanks
Andy

-----Original Message-----
From: Frederic Lecaille [mailto:flecai...@haproxy.com]
Sent: 12 February 2018 12:56
To: Franks Andy (IT Technical Architecture Manager); 'haproxy@formilux.org'
Subject: Re: Peer tables don't synch on clear

On 02/08/2018 11:22 AM, Franks Andy (IT Technical Architecture Manager)
wrote:
Hi all,

Hello Franks,

    Haproxy 1.6.13

    I've checked the documentation again but can't see an option for this.

We sometimes clear backup path server use for individual connections and
whilst the peers synchronisation works for new connections, it doesn't
clear on the secondary peer node we're using.

Is this by design or an option I'm not seeing?

Please give us more information about your configuration. If possible,
also provide us with the information of stick-table entries concerned
with this issue (see "show table" CLI command).

Do not forget to obfuscate the critical data.

Regards,

Fred.





Reply via email to