Sure.
Note: as soon as I remove the check from the server line then 'systemctl 
reload haproxy', access is OK.

# haproxy -vv
HA-Proxy version 2.0.6-1~bpo9+1 2019/09/14 - https://haproxy.org/
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-2.0.6=. 
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time 
-D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv 
-Wno-unused-label -Wno-sign-compare -Wno-unused-parameter 
-Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered 
-Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value 
-Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 
USE_ZLIB=1 USE_SYSTEMD=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT 
+PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM 
-STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT 
+CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB 
-SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD 
-OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.1.0k  28 May 2019
Running on OpenSSL version : OpenSSL 1.1.0k  28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.3
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.22 2016-07-29
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE     mux=H2
              h2 : mode=HTTP       side=FE        mux=H2
       <default> : mode=HTX        side=FE|BE     mux=H1
       <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS

Available services :
        prometheus-exporter

Available filters :
        [SPOE] spoe
        [COMP] compression
        [CACHE] cache
        [TRACE] trace






# cat /etc/haproxy/haproxy.cfg
global
        log /dev/log    local0 info
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers EECDH+AES:+AES128:+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
        ssl-default-bind-options no-sslv3
        tune.ssl.default-dh-param 2048

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

        option forwardfor       except 127.0.0.1/8
        option                  redispatch
        option http-keep-alive
        no option http-use-htx

frontend ssl
    bind ${HAPROXY_VRRP}:443 ssl crt tad-2019-chain.crt
    bind ${HAPROXY_IPV4}:443 ssl crt tad-2019-chain.crt
    bind ${HAPROXY_IPV6}:443 ssl crt tad-2019-chain.crt

#    capture request  header Host len 50
#    capture response header Location len 50
#    capture request header User-Agent len 50

    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    http-request set-header X-Forwarded-Host %[ssl_fc_sni]

    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains

    acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
    rspirep ^(Set-Cookie:.*) \1;\ Secure unless secured_cookie

    acl host-tools      hdr(host) tools.example.com

    acl to-etap         path_beg /etap

    use_backend bck-etap if host-tools to-etap

backend bck-etap
    server etap 192.168.1.69:8080 check



From haproxy.log:

Sep 14 13:57:35 haproxy-1 haproxy[9978]: Server bck-etap/etap is DOWN, reason: 
Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left. 0 
sessions active, 0 dequeued, 0 remaining in queue.
Sep 14 13:57:35 haproxy-1 haproxy[9976]: [WARNING] 256/135735 (9978) : Server 
bck-etap/etap is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active 
and 0 backup servers left. 0 sessions active, 0 dequeued, 0 remaining in queue.
Sep 14 13:57:35 haproxy-1 haproxy[9978]: Server bck-etap/etap is DOWN, reason: 
Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left. 0 
sessions active, 0 dequeued, 0 remaining in queue.
Sep 14 13:57:35 haproxy-1 haproxy[9978]: backend bck-etap has no server 
available!
Sep 14 13:57:35 haproxy-1 haproxy[9978]: backend bck-etap has no server 
available!
Sep 14 13:57:35 haproxy-1 haproxy[9976]: [ALERT] 256/135735 (9978) : backend 
'bck-etap' has no server available!


Sep 14 13:58:16 haproxy-1 haproxy[9978]: 172.17.10.1:51523 
[14/Sep/2019:13:58:16.024] ssl~ bck-etap/<NOSRV> 0/-1/-1/-1/0 503 213 - - SC-- 
16/15/0/0/0 0/0 "GET /etap/ HTTP/1.1"
^C


-- 
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

----- Original message -----
From: "Aleksandar Lazic" <al-hapr...@none.at>
To: "Ionel GARDAIS" <ionel.gard...@tech-advantage.com>, "haproxy" 
<haproxy@formilux.org>
Sent: Saturday, 14 September 2019 13:12:49
Subject: Re: Issue with checks after 2.0.6

Hi.

On 14.09.2019 at 13:08, GARDAIS Ionel wrote:
> Hi,
> 
> I've just upgraded to 2.0.6 and all server checks went erratic.
> I had to disable checks for the servers to be reachable.
> 
> The observed behavior was a flip-flap (but mostly down) of server availability
> with L4TOUT when the server was considered unresponsive.

Please can you share some more information, like some configs and log lines?

> Ionel

Best regards
Aleks
--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
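
Added example, not part of the original mails and not HAProxy project code: a small parser for the health-check and `<NOSRV>` log lines quoted above, which collapses the duplicate entries (two log targets plus the master process) and reports each server's UP/DOWN sequence. The sample log is constructed from the format shown in the post; the UP line and the second DOWN line are assumed for illustration.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log lines in the post (one line per event).
SAMPLE_LOG = """\
Sep 14 13:57:35 haproxy-1 haproxy[9978]: Server bck-etap/etap is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left.
Sep 14 13:57:35 haproxy-1 haproxy[9976]: [WARNING] 256/135735 (9978) : Server bck-etap/etap is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left.
Sep 14 13:57:35 haproxy-1 haproxy[9978]: Server bck-etap/etap is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left.
Sep 14 13:57:41 haproxy-1 haproxy[9978]: Server bck-etap/etap is UP, reason: Layer4 check passed, check duration: 0ms. 1 active and 0 backup servers online.
Sep 14 13:57:49 haproxy-1 haproxy[9978]: Server bck-etap/etap is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left.
Sep 14 13:58:16 haproxy-1 haproxy[9978]: 172.17.10.1:51523 [14/Sep/2019:13:58:16.024] ssl~ bck-etap/<NOSRV> 0/-1/-1/-1/0 503 213 - - SC-- 16/15/0/0/0 0/0 "GET /etap/ HTTP/1.1"
"""

STATE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ haproxy\[\d+\]: "
    r"(?:\[\w+\] \S+ \(\d+\) : )?"  # optional prefix on lines relayed by the master
    r"Server (?P<srv>\S+/\S+) is (?P<state>UP|DOWN), reason: (?P<reason>[^,]+),"
)
NOSRV_RE = re.compile(r" (?P<be>[^/\s]+)/<NOSRV> \S+ 503 ")

def summarize(log_text):
    """Return per-server state transitions, check reasons and <NOSRV> 503 counts."""
    seen, transitions, reasons, nosrv = set(), {}, {}, Counter()
    for line in log_text.splitlines():
        m = STATE_RE.match(line)
        if m:
            key = (m["ts"], m["srv"], m["state"])
            if key in seen:  # same event from a second log target or the master
                continue
            seen.add(key)
            transitions.setdefault(m["srv"], []).append(m["state"])
            reasons.setdefault(m["srv"], Counter())[m["reason"]] += 1
            continue
        m = NOSRV_RE.search(line)
        if m:  # request answered with 503 because no server was available
            nosrv[m["be"]] += 1
    return {"transitions": transitions, "reasons": reasons, "nosrv_503": dict(nosrv)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Deduplication keys on the syslog timestamp, which has one-second resolution, so two identical transitions of the same server within one second are counted once.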

