Hi Lukas and Christopher, I've combined the answer of your 2 mails.
On 2019-07-18 17:17, Lukas Tribus wrote:
Could be related to: https://github.com/haproxy/haproxy/issues/176
Probably, but I'm not doing HTTP/1 and I have not found a request to reproduce it with. It happens at random.
Can you provide the "show errors" output from the admin cli for those requests, and possibly try one of the mentioned workarounds (http-reuse never or http-server-close)?
The show errors:
---
Total events captured on [19/Jul/2019:08:34:25.093] : 31

[19/Jul/2019:08:34:23.405] backend cluster1-xx (#11): invalid response
  frontend webservices (#18), server xxx (#2), event #30, src x.x.x.x:63290
  buffer starts at 0 (including 0 out), 16268 free, len 116, wraps at 16384, error at position 0
  H1 connection flags 0x00000000, H1 stream flags 0x00004094
  H1 msg state MSG_RPBEFORE(8), H1 msg flags 0x00001404
  H1 chunk len 0 bytes, H1 body len 0 bytes :

  00000  {"metadata":{"pagination":{"total":0,"rows":25,"currentPage":1,"pages"
  00070+ :0},"facets":[],"activeFacets":[]},"media":[]}
---
I also did this request with wget to see what the response should be, and it seems that this is the first part of the 297229 bytes long body. The response headers are:
---
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 19 Jul 2019 07:32:03 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: private, must-revalidate
ETag: "178c3f242b0151fe57e02f6e8817ce3a"
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, PATCH, DELETE, HEAD
Length: unspecified [application/json]
---
Maybe the 'Length: unspecified' has something to do with it.
If I enable http-reuse the problem is still there. Only no option http-use-htx 'fixes' it.
I've stripped my config to the parts that I think are related:
---
# Process-wide settings: master-worker daemon running as user/group haproxy,
# one process with four threads, syslog via /dev/log, and the TLS defaults
# applied to every `bind ... ssl` and `server ... ssl` line.
global
master-worker
log /dev/log local0
log /dev/log local1 notice
daemon
user haproxy
group haproxy
maxconn 32768
spread-checks 3
nbproc 1
nbthread 4
# NOTE(review): `mode 666` makes this socket read/writable by every local
# account, and `level admin` grants the full runtime CLI on it. Any local user
# can therefore change server state or read runtime data. Tighten the mode
# and/or set the socket's user/group so only operators can connect.
stats socket /var/run/haproxy.stat mode 666 level admin
# The cipher string on the next line is the argument of this directive; the
# mail client wrapped it onto its own line.
# NOTE(review): the list still permits 3DES (the *-DES-CBC3-SHA entries) and
# non-forward-secret RSA key exchange (the bare AES*/DES-CBC3-SHA entries at
# the end). Drop them unless a known legacy client needs them.
ssl-default-bind-ciphers
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
# Only SSLv3 is excluded here. TLS 1.0/1.1 are not disabled by these options,
# so whether they are offered depends on the HAProxy/OpenSSL build defaults.
# TODO confirm.
ssl-default-bind-options no-sslv3 no-tls-tickets
# Same cipher list, applied to TLS connections towards servers (wrapped as
# above). The servers shown in this excerpt are plain port 80.
ssl-default-server-ciphers
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
# 2048-bit DH parameters for the DHE-* suites listed above.
tune.ssl.default-dh-param 2048
###
# Defaults
###
# Settings inherited by the frontend and backend sections below: logging to the
# targets declared in `global`, timeouts, and custom error pages.
defaults
log global
timeout check 2s
timeout client 60s
timeout connect 10s
timeout http-keep-alive 4s
# Upper bound on how long a client may take to send a complete request;
# limits how long slow or stalled requests can hold a connection slot.
timeout http-request 15s
timeout queue 30s
timeout server 60s
timeout tarpit 120s
# Custom response bodies served for HAProxy-generated errors.
errorfile 400 /etc/haproxy/errors.loc/400.http
errorfile 403 /etc/haproxy/errors.loc/403.http
errorfile 500 /etc/haproxy/errors.loc/500.http
errorfile 502 /etc/haproxy/errors.loc/502.http
errorfile 503 /etc/haproxy/errors.loc/503.http
errorfile 504 /etc/haproxy/errors.loc/504.http
# Public HTTP/HTTPS entry point (IPv4 and IPv6). Normalises forwarding headers,
# routes listed or suspicious requests to dedicated backends, and sends
# everything else to cluster1-xx.
frontend webservices
bind x.x.x.x:80 transparent
# The two `ssl` bind lines were wrapped by the mail client; `alpn h2,http/1.1`
# and the certificate path belong to the preceding `bind`.
bind x.x.x.x:443 transparent ssl crt /etc/haproxy/ssl/somecert.pem alpn
h2,http/1.1
bind 2001:xxx:xxx:x::xx:80 transparent
bind 2001:xxx:xxx:x::xx:443 transparent ssl crt
/etc/haproxy/ssl/somecert.pem alpn h2,http/1.1
mode http
maxconn 4096
option httplog
# NOTE(review): with dontlog-normal, successful requests are not logged, so
# there is no request-level audit trail for normal traffic from this frontend.
option dontlog-normal
option http-ignore-probes
# Appends the connecting client's address as an X-Forwarded-For header.
option forwardfor
option splice-auto
# ACLs declared twice under the same name are ORed: a source matches
# in_whitelist if it is in filter1.txt or filter2.txt.
acl in_whitelist src -f /etc/haproxy/filters/filter1.txt
acl in_whitelist src -f /etc/haproxy/filters/filter2.txt
acl in_blacklist src -f /etc/haproxy/filters/filter3.txt
acl in_badstuff url_reg -i -f /etc/haproxy/filters/filter1.reg
acl in_badstuff url_sub -i -f /etc/haproxy/filters/filter4.txt
# Remove http-proxy header if set from outside
# (keeps a client-supplied `Proxy` header from reaching the backend, where CGI-style
# environments may expose it as HTTP_PROXY, the "httpoxy" class of issue)
http-request del-header Proxy
# Add X-Forwarded-Proto headers
# set-header replaces any client-supplied value, so the backend sees only what
# HAProxy observed on the connection.
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Ssl on if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-Ssl off if !{ ssl_fc }
# Remove bogus X-Forwarded-For headers
# We don't care about RFC1918
# NOTE(review): `http-request del-header` takes a header name, not a regex over
# the whole header line (these arguments look like the older `reqidel` form).
# As written, the six rules below probably match no header, so client-supplied
# X-Forwarded-For values would still reach the backend, with `option forwardfor`
# adding the real address after them. Verify on the running version; backends
# should trust only the value HAProxy added.
http-request del-header ^X-Forwarded-For:\ 127\.
http-request del-header ^X-Forwarded-For:\ 192\.168\.
http-request del-header ^X-Forwarded-For:\ 10\.
http-request del-header ^X-Forwarded-For:\ 172\.1[6-9]\.
http-request del-header ^X-Forwarded-For:\ 172\.2[0-9]\.
http-request del-header ^X-Forwarded-For:\ 172\.3[0-1]\.
# Routing: blacklisted sources (unless also whitelisted) and URL-pattern matches
# go to their own backends. Those backends are not part of this stripped config.
use_backend blacklisted if in_blacklist !in_whitelist
use_backend badstuff if in_badstuff
default_backend cluster1-xx
# Backend named in the "invalid response" capture above: two round-robin
# servers on plain HTTP port 80, plus a local backup "sorry" server.
backend cluster1-xx
fullconn 4096
mode http
balance roundrobin
option abortonclose
option prefer-last-server
option redispatch
# Health check: GET /php-fpm-ping must return status 200.
option httpchk GET /php-fpm-ping HTTP/1.0
http-check expect status 200
# Each `server` line was wrapped by the mail client; the `check inter ...` line
# belongs to the `server` line before it.
# NOTE(review): the servers carry `cookie` values but no backend-level `cookie`
# directive is shown. Presumably removed when the config was stripped; confirm.
server xxx x.x.x.x:80 cookie xxx weight 100 minconn 150 maxconn 180
check inter 2000 rise 3 fall 3 slowstart 5m
server yyy x.x.x.x:80 cookie yyy weight 100 minconn 150 maxconn 180
check inter 2000 rise 3 fall 3 slowstart 5m
# Sorry Server
# Used only when the servers above are down. Its health state follows
# cluster1-yy/outage, a backend that is not shown in this excerpt.
server outage 127.0.0.1:80 backup track cluster1-yy/outage
retries 1
---
Regards,
Sander
0x2E78FBE8.asc
Description: application/pgp-keys
signature.asc
Description: OpenPGP digital signature

