Here's my configuration:

$ haproxy -vv
HA-Proxy version 2.0.7-1ppa1~bionic 2019/09/28 - https://haproxy.org/
Build options :
  TARGET = linux-glibc
  CPU = generic
  CC = gcc
  CFLAGS = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-TXZjzi/haproxy-2.0.7=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-format-truncation -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-overflow -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=4).
Built with OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.31 2018-02-12
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service

Available polling systems :
      epoll : pref=300, test result OK
       poll : pref=200, test result OK
     select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX side=FE|BE mux=H2
              h2 : mode=HTTP side=FE mux=H2
       <default> : mode=HTX side=FE|BE mux=H1
       <default> : mode=TCP|HTTP side=FE|BE mux=PASS

Available services :
    prometheus-exporter

Available filters :
    [SPOE] spoe
    [COMP] compression
    [CACHE] cache
    [TRACE] trace

$ cat /etc/haproxy/haproxy.cfg
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 16384
    nbproc 1
    nbthread 4
    cpu-map auto:1/1-4 0-3

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ...
    ssl-default-bind-ciphersuites ...
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option httpchk HEAD /health HTTP/1.1\r\nHost:\ example.com\r\nX-Forwarded-Proto:\ https
    option httplog
    option dontlognull
    option dontlog-normal
    option forwardfor
    option http-server-close
    option redispatch
    timeout client 10s
    timeout client-fin 5s
    timeout http-request 5s
    timeout server 30s
    timeout server-fin 10s
    timeout connect 10s
    timeout queue 10s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

listen stats
    bind :8000
    bind-process 1
    mode http
    stats enable
    stats hide-version
    stats realm HAProxy\ Stats
    stats uri /
    stats auth theuser:thepassword

frontend www-frontend
    bind :::80 v4v6
    bind :::443 v4v6 ssl crt /etc/ssl/private/ev-2019.pem
    default_backend www-backend
    compression algo gzip
    compression type text/html text/css text/javascript application/javascript application/json

backend www-backend
    http-request redirect prefix https://%[hdr(host),regsub(^www\.,,i)] if { hdr_beg(host) -i www. }
    http-request add-header X-Forwarded-Proto https
    redirect scheme https if !{ ssl_fc }
    balance roundrobin
    default-server maxconn 256 inter 10s fall 3 rise 2 check
    server web0 10.113.220.155:6000
    server web1 10.113.221.156:6000
    server web2 10.113.222.157:6000

On Tue, Oct 1, 2019 at 11:02 AM Aleksandar Lazic <al-hapr...@none.at> wrote:

> Hi.
>
> On 01.10.19 at 10:46, Marco Colli wrote:
> > Hello!
> >
> > I use HAProxy to load balance HTTP(S) traffic to some web servers. Web servers
> > then connect to a database. I have noticed that when we restart the database
> > some errors occur (and that is normal during the restart).
> >
> > However the problem is that **a few hundred connections remain open from
> > HAProxy to the Puma web servers forever**. That slows down HAProxy.
> >
> > When we restart HAProxy then everything works fine again and the number of
> > backend connections drops to zero, which is the normal value since we use option
> > http-server-close. We have also configured the following timeouts but nothing
> > has changed (some connections to backend remain open forever):
> >
> > timeout client 10s
> > timeout client-fin 5s
> > timeout http-request 5s
> > timeout server 30s
> > timeout server-fin 10s
> > timeout connect 10s
> > timeout queue 10s
> >
> > HAProxy Version: 2.0
>
> Please can you post the full haproxy -vv as there are many fixes in the latest
> versions.
>
> Are there any checks in the config?
> Can you share the (minimal) config so that we can see some more information
> about your setup.
>
> Regards
> Aleks