Hi Franks,

On 28/03/2018 14:11, Franks Andy (IT Technical Architecture Manager) wrote:
>
> Hi all,
>
> Hopefully an easy one, but I can’t really find the solution.
>
> We’ve come up with a control system for haproxy, where we manually can
> clear stick table entries from a GUI. We’re also using a cookie to set
> the server in a backend as we’re expecting to deal with clients behind
> a NAT device.
>
> It’s the customer's (just internal IT in another dept) request that
> they should be able to close down a stick table entry and have the
> client not be able to go to that stick-table selected server AT ALL,
> even when presenting a cookie.
>
> It seems to me that HA is designed to allow these cookie selected
> server connections irrespective of the stick table entries, so there
> are two ways to continue to me:
>
> 1) Have the application remove the separate cookie we insert when
> the application gets logged off or times out (timeout happens at 15
> minutes of app idle time).
>
> 2) We get HAProxy to control the expiry time of the cookie we
> send over, and refresh that expiry each time a transaction happens.
>
> 3) Live with the imbalance of clients from NATted source IP
> addresses and ditch the cookie insertion.
>
> We would all prefer #2, since the devs don’t want to spend time
> redeveloping, and HAProxy can seemingly do just about anything! #3
> would work, but removing entries from the stick table during testing
> or certain maintenance may well remove more than just the intended target.
>
> Any ideas?
>
> Thanks
>
> Andy
>

For solution #2 you can use the "maxlife" param of the "cookie" directive:
http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-cookie

When the date in maxlife has expired, the cookie will be ignored, which means haproxy will choose a different server, but there is no clean way to refresh the expiry date without updating the date in the cookie with the "replace-header" action. This won't be easy because the date is an internal haproxy format.

So if you don't want to spend time redeveloping the application, you can still go with solution #1 by removing the persistence cookie in haproxy using something like:

    http-request replace-header Cookie SRV=[^;]*;? ' ' if ACL

--
Moemen MHEDHBI
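
The two suggestions in the reply above, combined into one backend, as an added example that is not part of the original thread. The backend and server names, addresses, timers and table size are assumptions, and using the `in_table` converter for the condition is one assumed way to fill in the "ACL" placeholder from the reply.

```haproxy
# Added example (not from the thread). Names, addresses and timers are assumptions.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_app
    bind :8080
    default_backend bk_app

backend bk_app
    balance roundrobin

    # Source-address persistence. These are the entries the GUI clears.
    stick-table type ip size 100k expire 15m
    stick on src

    # Cookie persistence for clients that share a NAT address.
    # maxlife: a cookie first issued longer ago than this is ignored,
    # so the client is balanced again.
    cookie SRV insert indirect nocache maxlife 8h

    # Assumed condition: true while the client's source address still has
    # an entry in this backend's stick table.
    acl src_tracked src,in_table(bk_app)

    # Once the entry has been cleared, strip the SRV cookie from the request
    # so it can no longer pin the client to its previous server.
    http-request replace-header Cookie SRV=[^;]*;? ' ' unless src_tracked

    server app1 192.0.2.11:8080 cookie app1 check
    server app2 192.0.2.12:8080 cookie app2 check
```

Stripping the cookie only removes the pin: the balancer may still pick the same server again unless that server is also taken out of rotation. Because the table is keyed on source address, clients behind one NAT share an entry, so the first request that recreates the entry leaves the other clients' cookies honored.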