Same.

I had to disable HTX because I had issues with some corrupted payloads.
I'll give a new try to HTX as 2.0.6 corrects issues with TLS.

-- 
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

----- Original message -----
From: "Aleksandar Lazic" <al-hapr...@none.at>
To: "Ionel GARDAIS" <ionel.gard...@tech-advantage.com>
Cc: "haproxy" <haproxy@formilux.org>
Sent: Saturday 14 September 2019 14:16:30
Subject: Re: Issue with checks after 2.0.6

When you enable htx do you have the same problems?
 
Comment in `no option http-use-htx`
 
Regards Aleks


Sat Sep 14 14:12:30 GMT+02:00 2019 GARDAIS Ionel 
<ionel.gard...@tech-advantage.com>:
 
> Also, haproxy and servers are on the same subnet : no filtering nor routing 
> between them.
> Ping has no troubles, servers are not overloaded by other connections.
> 
> -- 
> Ionel GARDAIS
> Tech'Advantage CIO - IT Team manager
> 
> ----- Original message -----
> From: "Ionel GARDAIS" <ionel.gard...@tech-advantage.com>
> To: "Aleksandar Lazic" <al-hapr...@none.at>
> Cc: "haproxy" <haproxy@formilux.org>
> Sent: Saturday 14 September 2019 14:07:42
> Subject: Re: Issue with checks after 2.0.6
> 
> Sure.
> Note : as soon as I remove the check from the server line then 'systemctl 
> reload haproxy', access is OK.
> 
> # haproxy -vv
> HA-Proxy version 2.0.6-1~bpo9+1 2019/09/14 - https://haproxy.org/
> Build options :
>   TARGET  = linux-glibc
>   CPU     = generic
>   CC      = gcc
>   CFLAGS  = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-2.0.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
>   OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1
> 
> Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS
> 
> Default settings :
>   bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
> 
> Built with multi-threading support (MAX_THREADS=64, default=2).
> Built with OpenSSL version : OpenSSL 1.1.0k  28 May 2019
> Running on OpenSSL version : OpenSSL 1.1.0k  28 May 2019
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
> Built with Lua version : Lua 5.3.3
> Built with network namespace support.
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
> Built with zlib version : 1.2.8
> Running on zlib version : 1.2.8
> Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
> Built with PCRE2 version : 10.22 2016-07-29
> PCRE2 library supports JIT : yes
> Encrypted password support via crypt(3): yes
> Built with the Prometheus exporter as a service
> 
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
> 
> Available multiplexer protocols :
> (protocols marked as <default> cannot be specified using 'proto' keyword)
>               h2 : mode=HTX        side=FE|BE     mux=H2
>               h2 : mode=HTTP       side=FE        mux=H2
>        <default> : mode=HTX        side=FE|BE     mux=H1
>        <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS
> 
> Available services :
>       prometheus-exporter
> 
> Available filters :
>       [SPOE] spoe
>       [COMP] compression
>       [CACHE] cache
>       [TRACE] trace
> 
> # cat /etc/haproxy/haproxy.cfg
> global
>       log /dev/log    local0 info
>       log /dev/log    local1 notice
>       chroot /var/lib/haproxy
>       stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
>       stats timeout 30s
>       user haproxy
>       group haproxy
>       daemon
> 
>       # Default SSL material locations
>       ca-base /etc/ssl/certs
>       crt-base /etc/ssl/private
> 
>       # Default ciphers to use on SSL-enabled listening sockets.
>       # For more information, see ciphers(1SSL). This list is from:
>       #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
>       ssl-default-bind-ciphers EECDH+AES:+AES128:+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
>       ssl-default-bind-options no-sslv3
>       tune.ssl.default-dh-param 2048
> 
> defaults
>       log     global
>       mode    http
>       option  httplog
>       option  dontlognull
>         timeout connect 5000
>         timeout client  50000
>         timeout server  50000
>       errorfile 400 /etc/haproxy/errors/400.http
>       errorfile 403 /etc/haproxy/errors/403.http
>       errorfile 408 /etc/haproxy/errors/408.http
>       errorfile 500 /etc/haproxy/errors/500.http
>       errorfile 502 /etc/haproxy/errors/502.http
>       errorfile 503 /etc/haproxy/errors/503.http
>       errorfile 504 /etc/haproxy/errors/504.http
> 
>       option forwardfor       except 127.0.0.1/8
>       option                  redispatch
>       option http-keep-alive
>       no option http-use-htx
> 
> frontend ssl
>     bind ${HAPROXY_VRRP}:443 ssl crt tad-2019-chain.crt
>     bind ${HAPROXY_IPV4}:443 ssl crt tad-2019-chain.crt
>     bind ${HAPROXY_IPV6}:443 ssl crt tad-2019-chain.crt
> 
> #    capture request  header Host len 50
> #    capture response header Location len 50
> #    capture request header User-Agent len 50
> 
>     http-request set-header X-Forwarded-Proto https
>     http-request set-header X-Forwarded-Port 443
>     http-request set-header X-Forwarded-Host %[ssl_fc_sni]
> 
>     http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains
> 
>     acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
>     rspirep ^(Set-Cookie:.*) \1;\ Secure unless secured_cookie
> 
>     acl host-tools    hdr(host) tools.example.com
> 
>     acl to-etap               path_beg /etap
> 
>     use_backend bck-etap if host-tools to-etap
> 
> backend bck-etap
>     server etap 192.168.1.69:8080 check
> 
> 
> 
> From haproxy.log :
> 
> Sep 14 13:57:35 haproxy-1 haproxy[9978]: Server bck-etap/etap is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left. 0 sessions active, 0 dequeued, 0 remaining in queue.
> Sep 14 13:57:35 haproxy-1 haproxy[9976]: [WARNING] 256/135735 (9978) : Server bck-etap/etap is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left. 0 sessions active, 0 dequeued, 0 remaining in queue.
> Sep 14 13:57:35 haproxy-1 haproxy[9978]: Server bck-etap/etap is DOWN, reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup servers left. 0 sessions active, 0 dequeued, 0 remaining in queue.
> Sep 14 13:57:35 haproxy-1 haproxy[9978]: backend bck-etap has no server available!
> Sep 14 13:57:35 haproxy-1 haproxy[9978]: backend bck-etap has no server available!
> Sep 14 13:57:35 haproxy-1 haproxy[9976]: [ALERT] 256/135735 (9978) : backend 'bck-etap' has no server available!
> 
> 
> Sep 14 13:58:16 haproxy-1 haproxy[9978]: 172.17.10.1:51523 [14/Sep/2019:13:58:16.024] ssl~ bck-etap/<NOSRV> 0/-1/-1/-1/0 503 213 - - SC-- 16/15/0/0/0 0/0 "GET /etap/ HTTP/1.1"
> ^C
> 
> 
> -- 
> Ionel GARDAIS
> Tech'Advantage CIO - IT Team manager
> 
> ----- Original message -----
> From: "Aleksandar Lazic" <al-hapr...@none.at>
> To: "Ionel GARDAIS" <ionel.gard...@tech-advantage.com>, "haproxy" <haproxy@formilux.org>
> Sent: Saturday 14 September 2019 13:12:49
> Subject: Re: Issue with checks after 2.0.6
> 
> Hi.
> 
> On 14.09.2019 at 13:08, GARDAIS Ionel wrote:
> > Hi,
> > 
> > I've just upgraded to 2.0.6 and all server checks went erratic.
> > I had to disable checks for the servers to be reachable.
> > 
> > The observed behavior was a flip-flap (but mostly down) of server availability
> > with L4TOUT when the server was considered unresponsive.
> 
> Please can you share some more information like some configs and log lines.
> 
> > Ionel
> 
> Best regards
> Aleks
> --
> 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
> Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301