Here's my configuration:
$ haproxy -vv
HA-Proxy version 2.0.7-1ppa1~bionic 2019/09/28 - https://haproxy.org/
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -O2
-fdebug-prefix-map=/build/haproxy-TXZjzi/haproxy-2.0.7=.
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
-D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement
-fwrapv -Wno-format-truncation -Wno-unused-label -Wno-sign-compare
-Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers
-Wno-clobbered -Wno-missing-field-initializers -Wno-implicit-fallthrough
-Wno-stringop-overflow -Wtype-limits -Wshift-negative-value
-Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1
USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1
Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE
-PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED
+REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE
+LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4
-MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS
-51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_THREADS=64, default=4).
Built with OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.31 2018-02-12
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTX side=FE|BE mux=H2
h2 : mode=HTTP side=FE mux=H2
<default> : mode=HTX side=FE|BE mux=H1
<default> : mode=TCP|HTTP side=FE|BE mux=PASS
Available services :
prometheus-exporter
Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace
$ cat /etc/haproxy/haproxy.cfg
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 16384
nbproc 1
nbthread 4
cpu-map auto:1/1-4 0-3
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ...
ssl-default-bind-ciphersuites ...
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option httpchk HEAD /health HTTP/1.1\r\nHost:\ example.com\r\nX-Forwarded-Proto:\ https
option httplog
option dontlognull
option dontlog-normal
option forwardfor
option http-server-close
option redispatch
timeout client 10s
timeout client-fin 5s
timeout http-request 5s
timeout server 30s
timeout server-fin 10s
timeout connect 10s
timeout queue 10s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
listen stats
bind :8000
bind-process 1
mode http
stats enable
stats hide-version
stats realm HAProxy\ Stats
stats uri /
stats auth theuser:thepassword
frontend www-frontend
bind :::80 v4v6
bind :::443 v4v6 ssl crt /etc/ssl/private/ev-2019.pem
default_backend www-backend
compression algo gzip
compression type text/html text/css text/javascript application/javascript application/json
backend www-backend
http-request redirect prefix https://%[hdr(host),regsub(^www\.,,i)] if { hdr_beg(host) -i www. }
http-request add-header X-Forwarded-Proto https
redirect scheme https if !{ ssl_fc }
balance roundrobin
default-server maxconn 256 inter 10s fall 3 rise 2 check
server web0 10.113.220.155:6000
server web1 10.113.221.156:6000
server web2 10.113.222.157:6000
On Tue, Oct 1, 2019 at 11:02 AM Aleksandar Lazic <[email protected]> wrote:
> Hi.
>
> On 01.10.19 at 10:46, Marco Colli wrote:
> > Hello!
> >
> > I use HAProxy to load balance HTTP(S) traffic to some web servers. Web
> > servers then connect to a database. I have noticed that when we restart
> > the database some errors occur (and that is normal during the restart).
> >
> > However the problem is that **a few hundred connections remain open from
> > HAProxy to the Puma web servers forever**. That slows down HAProxy.
> >
> > When we restart HAProxy then everything works fine again and the number
> > of backend connections drops to zero, which is the normal value since we
> > use option http-server-close. We have also configured the following
> > timeouts but nothing has changed (some connections to backend remain
> > open forever):
> >
> > timeout client 10s
> > timeout client-fin 5s
> > timeout http-request 5s
> > timeout server 30s
> > timeout server-fin 10s
> > timeout connect 10s
> > timeout queue 10s
> >
> > HAProxy Version: 2.0
>
> Please can you post the full haproxy -vv as there are many fixes in the
> latest versions.
>
> Are there any checks in the config?
> Can you share the (minimal) config so that we can see some more
> information about your setup.
>
> Regards
> Aleks
>
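A check for the symptom described in this thread, added here as an example and not code from the thread or from the HAProxy project: it reads the `show stat` CSV from the admin socket declared in the global section above (`/run/haproxy/admin.sock`) and flags backend servers whose current session count (`scur`) exceeds a threshold in one snapshot, so lingering backend connections show up before they pile into the hundreds. The embedded sample is constructed and trimmed to a few columns; real `show stat` output has many more columns, which is why rows are keyed by header name rather than position. The threshold value, the `query_stats_socket` helper and the sample numbers are my own choices.

```python
#!/usr/bin/env python3
"""Flag HAProxy backend servers that keep an unexpectedly high number of
open sessions, using the CSV returned by 'show stat' on the stats socket.

Added example for the thread above; not code from HAProxy or the poster.
"""
import csv
import io
import socket

STATS_SOCKET = "/run/haproxy/admin.sock"  # path from the global section above


def query_stats_socket(path=STATS_SOCKET, command="show stat\n"):
    """Send one command to the HAProxy stats socket and return its reply.

    HAProxy answers a single command and then closes the connection, so
    reading until EOF yields the whole CSV. Needs read/write access to the
    socket file (mode 660, group haproxy in the config above).
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(command.encode())
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def parse_show_stat(text):
    """Parse 'show stat' CSV into a list of dicts keyed by column name.

    The header line starts with '# ' and every data row ends with a trailing
    comma; zipping each record against the header drops that empty field.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("#"):
        raise ValueError("not a 'show stat' CSV: missing '# ' header line")
    header = lines[0].lstrip("# ").rstrip(",").split(",")
    rows = []
    for rec in csv.reader(io.StringIO("\n".join(lines[1:]))):
        rows.append(dict(zip(header, rec)))
    return rows


def lingering_servers(rows, threshold):
    """Return (proxy, server, scur) for real servers (the FRONTEND/BACKEND
    aggregate rows are skipped) whose current session count is >= threshold."""
    hits = []
    for row in rows:
        if row.get("svname") in ("FRONTEND", "BACKEND"):
            continue
        try:
            scur = int(row.get("scur", ""))
        except ValueError:
            continue  # empty or non-numeric field: nothing to compare
        if scur >= threshold:
            hits.append((row["pxname"], row["svname"], scur))
    return hits


# Constructed sample in the shape of 'show stat', trimmed to a few columns
# (real output has many more, which the header-keyed parser tolerates).
SAMPLE_SHOW_STAT = """\
# pxname,svname,qcur,qmax,scur,smax,slim,stot,status,
www-frontend,FRONTEND,,,12,400,16384,90210,OPEN,
www-backend,web0,0,0,3,120,256,30100,UP,
www-backend,web1,0,0,247,256,256,30050,UP,
www-backend,web2,0,0,2,118,256,30060,UP,
www-backend,BACKEND,0,0,252,400,1638,90210,UP,
"""


def check_sample(threshold=100):
    """Run the check over the constructed sample (handy where no socket exists)."""
    return lingering_servers(parse_show_stat(SAMPLE_SHOW_STAT), threshold)


if __name__ == "__main__":
    try:
        text = query_stats_socket()
    except OSError as exc:  # socket absent or not permitted: use the sample
        print(f"stats socket unavailable ({exc}); using constructed sample")
        text = SAMPLE_SHOW_STAT
    for pxname, svname, scur in lingering_servers(parse_show_stat(text), 100):
        print(f"{pxname}/{svname}: {scur} open sessions")
```

Run it from cron or a monitoring agent at an interval and compare successive snapshots: with `option http-server-close` a healthy backend's `scur` should fall back toward zero between requests, so a count that stays high after a database restart is the leak the thread describes. The threshold is worth setting relative to `slim` (the `maxconn 256` from `default-server` above), because once `scur` reaches that limit new requests to that server queue instead of being served.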