On 10.12.2019 at 00:47, NublaII Lists wrote:


What's in the haproxy log at this time?

I was only logging errors at the time, and nothing showed up.

Okay, can you add 'option httplog' to the default block? This should create more valuable logs.

Could this message hide some overload state?

I doubt it... the load on these systems is fairly low.

What are your settings for the following parameters?

https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#maxconn
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#maxconnrate
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#maxsessrate
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#maxsslconn
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#maxsslrate

See the conf I pasted underneath. The only one on it is maxconn. What are the default values for the other ones?

Timeout*

It's called Circuit Breaker pattern.
https://martinfowler.com/bliki/CircuitBreaker.html

I'll send this to the devs to take a look at, thank you.

In general can you share your minimal config?


Here you have a streamlined version:

global
         maxconn 50000
         ulimit-n 175000
         nbproc 1
         log /var/lib/haproxy/dev/log    local0 err
         stats socket /var/run/haproxy.sock mode 0666 level admin
         tune.maxrewrite 4096
         tune.bufsize 65536
         tune.ssl.default-dh-param 2048
        ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
         ssl-default-bind-options no-sslv3 no-tls-tickets
        ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
         ssl-default-server-options no-sslv3 no-tls-tickets
         spread-checks 4
         daemon

defaults
         mode                    http
         balance                 roundrobin
         option                  tcpka
         option                  forwardfor
         option                  redispatch
         option                  contstats
         cookie                  SERVERID insert indirect
         retries                 10
         maxconn                 50000
         timeout http-request    300s
         timeout client          1200s
         timeout server          1200s
         timeout connect         100s
         timeout tarpit          200s
         timeout http-keep-alive 300s
         timeout check           5s
         errorfile               408 /dev/null
         errorfile               403 /etc/haproxy/errors/403error.http
         errorfile               503 /etc/haproxy/errors/maintenance.http

frontend https
         bind 10.10.10.254:443 ssl crt /etc/ssl/private/star.domain.chain+dh.pem crt /etc/ssl/private/other.pem crt /etc/ssl/private/otherother.pem
         log                     global
         option                  forwardfor

         use_backend             backend_api_https if { hdr(host) api.domain }
         use_backend             backend_app_https if { hdr(host) app.domain }

backend backend_api_https
         mode                    http
         redirect                scheme https if !{ ssl_fc }
         option                  httpchk HEAD /status.html HTTP/1.0\r\nHost:\ api.domain\r\nUser-Agent:\ haproxy
         server                  api01 10.10.10.1:443 cookie api01-https ssl verify none check inter 7000 fall 5 weight 20
         server                  api02 10.10.10.2:443 cookie api02-https ssl verify none check inter 7000 fall 5 weight 20
         server                  api03 10.10.10.3:443 cookie api03-https ssl verify none check inter 7000 fall 5 weight 20
         server                  api04 10.10.10.4:443 cookie api04-https ssl verify none check inter 7000 fall 5 weight 20

backend backend_app_https
         mode                    http
         redirect                scheme https if !{ ssl_fc }
         option                  httpchk HEAD /status.html HTTP/1.0\r\nHost:\ app.domain\r\nUser-Agent:\ haproxy
         server                  app01 10.10.10.11:443 cookie app01-https ssl verify none check inter 7000 fall 5 weight 20
         server                  app02 10.10.10.12:443 cookie app02-https ssl verify none check inter 7000 fall 5 weight 20


@haproxy.com: It would be nice to have a blog post which talks about the
excellent options for Circuit Breaker in haproxy like the timeouts, queues and
the other options.


It most definitely would.
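
An added example, not part of the original thread: a small Python check for the points raised above, reporting which of the five linked limits a configuration sets, whether `option httplog` is present in `defaults`, and whether the global `log` line carries a severity filter such as `err` (HAProxy emits traffic logs at `info` level, so that filter drops them). The function names and the trimmed sample configuration are constructed for illustration.

```python
# Global-section limits asked about in the thread (HAProxy 1.5 keyword names).
ASKED_LIMITS = ("maxconn", "maxconnrate", "maxsessrate", "maxsslconn", "maxsslrate")
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
QUIET_LEVELS = ("emerg", "alert", "crit", "err")  # stricter than info

# Trimmed copy of the configuration posted in the thread, used as sample input.
SAMPLE = """\
global
    maxconn 50000
    log /var/lib/haproxy/dev/log local0 err
defaults
    mode http
    maxconn 50000
frontend https
    bind 10.10.10.254:443 ssl crt /etc/ssl/private/other.pem
    log global
"""

def parse_sections(text):
    """Split a config into (section_kind, [tokenised lines]) pairs."""
    sections = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTIONS:
            sections.append((words[0], []))
        elif sections:
            sections[-1][1].append(words)
    return sections

def audit(text):
    """Return (section, message) findings for the points raised in the thread."""
    findings = []
    for kind, lines in parse_sections(text):
        keys = {w[0] for w in lines}
        if kind == "global":
            unset = [k for k in ASKED_LIMITS if k not in keys]
            if unset:
                findings.append((kind, "not set: " + ", ".join(unset)))
            for w in lines:
                if w[0] == "log" and len(w) >= 4 and w[3] in QUIET_LEVELS:
                    findings.append((kind, "log level '%s' filters out traffic logs" % w[3]))
        if kind == "defaults" and ["option", "httplog"] not in lines:
            findings.append((kind, "option httplog missing"))
    return findings

if __name__ == "__main__":
    for section, message in audit(SAMPLE):
        print("%-10s %s" % (section, message))
```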

