Hi All,

I am using haproxy 1.8.3 as a front end for a webserver. haproxy listens on
port 80 while the webserver listens on port 8080. Our webserver can handle
large read/write requests (HTTP GET). I am testing a setup where a bunch of
clients are generating a number of GET requests, and when the number of
connections reaches somewhere around 250, the clients intermittently get a
503 Service Unavailable error. I have not put any connection limit or timeout
in my haproxy.cfg. I am puzzled about what is going on here. The GET requests
can read up to 128 MB of data. If someone can point me to a possible reason,
that would be great. I have verified that haproxy is sending the 503
error and not the webserver. No HTTPS connections are involved.

One thing that I have noticed is that during the workload the Recv-Q of the
Haproxy - Webserver connection and also the Send-Q of the haproxy - client
connection have a large number of buffers (up to 5 MB), but I am not sure if
it has any role.

#########################

global
        # paths setup
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy

        # stats setup
        # Can use this socket to check the stats of the first process.
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats bind-process 1
        stats timeout 30s

        # protocols setup
        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

        # mode setup
        # master-worker mode, introduced in 1.8, is the only mode suitable to our use case.
        # For more details, see https://www.haproxy.com/blog/whats-new-haproxy-1-8/.
        master-worker

        nbproc 6

        # DH key setup
        # Sets the maximum size of the Diffie-Hellman parameters used for generating
        # the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange.
        tune.ssl.default-dh-param 2048

defaults
        mode    http
        log     global
        option  httplog     # Enable logging of HTTP request, session state and timers
        option  dontlognull # Disable logging of null connections

frontend haproxy-frontend
        bind :::80 v4v6
        bind :::443 v4v6 ssl crt /ssd/net/ca/gui.pem
        default_backend ir-http-server-backend

backend ir-http-server-backend
        server server1 127.0.0.1:8080



Here is the Haproxy build that I am using -

######################

HA-Proxy version 1.8.3-205f675 2017/12/30
Copyright 2000-2017 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
