After switched to haproxy 1.9 with threads activated, i noticed a significant 
memory leak.
With threads disable (and bind process omitted) leak disappear.

This seems to be related to stick-table/peers with regard to the (simplified) 


HA-Proxy version 1.9.8-1 2019/05/15 - https://haproxy.org/
Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -g -O2 -fPIE -fstack-protector-strong -Wformat 
-Werror=format-security -D_FORTIFY_SOURCE=2

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : BoringSSL 7f4f41fa
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.35 2014-04-04
Running on PCRE version : 8.35 2014-04-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with multi-threading support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE
              h2 : mode=HTTP       side=FE
       <default> : mode=HTX        side=FE|BE
       <default> : mode=TCP|HTTP   side=FE|BE

Available filters :
        [SPOE] spoe
        [COMP] compression
        [CACHE] cache
        [TRACE] trace

minimal configuration to reproduce the leak:
    user haproxy
    group haproxy

    # ssl(odd) http(even)
    nbthread 2

    stats socket /var/run/haproxy_L6.sock mode 660 level admin expose-fd 

    log /dev/log daemon warning

    # hard limit
    hard-stop-after 2h
    maxconn 262144

    log global
    log-tag "haproxy_L6"
    option dontlognull
    mode tcp
    maxconn 100000
    timeout connect 500ms
    timeout client 610s
    retries 3
    timeout server 610s

peers front-peers

    peer L6_1 x.y.z.1:943

    peer L6_2 x.y.z.2:943

    peer L6_3 x.y.z.3:943

frontend ssl-front

    bind :443          process 1/odd
    bind :::443 v6only process 1/odd

    tcp-request inspect-delay 5s
    tcp-request content reject if !{ req_ssl_sni -m found }
    default_backend ssl-back

backend ssl-back
    balance roundrobin
    option ssl-hello-chk

    stick-table type binary len 32 size 1m expire 5m peers front-peers

    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    tcp-response content accept if serverhello

    stick on payload_lv(43,1) if clienthello
    stick store-response payload_lv(43,1) if serverhello

    server ssl_1 a.b.c.1:463 check send-proxy 

    server ssl_2 a.b.c.2:463 check send-proxy 

    server ssl_3 a.b.c.3:463 check send-proxy 

frontend http-front
    bind :80          process 1/even
    bind :::80 v6only process 1/even

    default_backend http-back

backend http-back
    balance roundrobin

    server L7_1 a.b.c.1:480 check send-proxy 

    server L7_2 a.b.c.1:480 check send-proxy 

    server L7_3 a.b.c.3:480 check send-proxy 

Reply via email to