On 29/01/2020 at 05:14, Igor Cicimov wrote:
Hi all,
I'm asking this question here since I read in the docs that if I see "Ixxx" in
the session "termination_state" log I should do so :-)
The error I got while experimenting with the HAP config is as follows:

    Jan 29 03:33:44 ip-172-31-45-201 haproxy[124024]: <CLIENT_IP>:44296 [29/Jan/2020:03:33:44.952] fe_https~ host.mydomain.com/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 1/1/5/0/3 0/0 "GET /api/search HTTP/1.1"

The command that produced it:

    $ curl -vsSNiL -H "Host: host.mydomain.com" https://haproxy.example.com:8443/api/search

And the relevant haproxy-2.0.12 configuration (it's in AWS):

    resolvers vpc
        nameserver dns1 172.31.0.2:53
        accepted_payload_size 8192
        resolve_retries 30
        timeout resolve 1s
        timeout retry 2s
        hold valid 30s
        hold other 30s
        hold refused 30s
        hold nx 30s
        hold timeout 30s
        hold obsolete 30s

    frontend fe_https
        bind *:8443 ssl crt /etc/haproxy/ssl.d/ alpn h2,http/1.1
        mode http
        option httplog
        use_backend %[req.hdr(host),word(1,:),lower]

    backend host.mydomain.com
        mode tcp
        option tcp-check
        tcp-check connect port 443 ssl
        balance source
        default-server inter 60s downinter 30s rise 2 fall 2 slowstart 10s weight 100 ca-file /etc/ssl/certs/ca-certificates.crt on-marked-down shutdown-sessions
        server myhost host.mydomain.com:443 verify none check resolvers vpc resolve-prefer ipv4

Hi Igor,
You cannot plug an HTTP frontend to a TCP backend. There are some checks during
the configuration parsing to prevent this mistake. Unfortunately, you are using
a dynamic expression to choose your backend. So it is not possible to warn you
at startup. Use the http mode for your backend. It should solve your issue.
--
Christopher Faulet
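
The mismatch described in the reply above can be caught offline before a reload. The following is an added example, not part of the original thread and not HAProxy's own check: it pairs every HTTP-mode frontend that picks its backend with a %[...] expression with each TCP-mode backend that expression could resolve to. The function names and the trimmed sample config are constructed here, and the parser only understands plain "mode" and "use_backend" lines.

```python
# Added example: offline lint for the http-frontend / tcp-backend mismatch.
SECTIONS = ("global", "defaults", "frontend", "backend", "listen", "resolvers",
            "userlist", "peers", "mailers", "cache", "program")

def parse_proxies(text):
    """Return {(kind, name): {"mode": str, "dynamic": bool}} for proxy sections."""
    proxies, current, in_defaults = {}, None, False
    default_mode = "tcp"  # HAProxy's built-in default when no "mode" is set
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # simplification: no quoted '#'
        if not words:
            continue
        if words[0] in SECTIONS:
            in_defaults, current = words[0] == "defaults", None
            if words[0] in ("frontend", "backend", "listen") and len(words) > 1:
                current = {"mode": default_mode, "dynamic": False}
                proxies[(words[0], words[1])] = current
        elif words[0] == "mode" and len(words) > 1:
            if in_defaults:
                default_mode = words[1]
            elif current is not None:
                current["mode"] = words[1]
        elif words[0] == "use_backend" and len(words) > 1 and current is not None:
            # A "%[...]" sample expression is only resolved per request,
            # so the startup mode check cannot see its target.
            current["dynamic"] = current["dynamic"] or "%[" in words[1]
    return proxies

def find_mode_mismatches(text):
    """List (frontend, tcp_backend) pairs reachable through a dynamic use_backend."""
    proxies = parse_proxies(text)
    tcp_backends = sorted(name for (kind, name), p in proxies.items()
                          if kind == "backend" and p["mode"] == "tcp")
    return [(name, backend)
            for (kind, name), p in sorted(proxies.items())
            if kind in ("frontend", "listen") and p["mode"] == "http" and p["dynamic"]
            for backend in tcp_backends]

# Constructed sample, trimmed from the configuration quoted in the thread.
SAMPLE = """
frontend fe_https
    bind *:8443 ssl crt /etc/haproxy/ssl.d/ alpn h2,http/1.1
    mode http
    use_backend %[req.hdr(host),word(1,:),lower]
backend host.mydomain.com
    mode tcp
    server myhost host.mydomain.com:443 verify none check
"""

if __name__ == "__main__":
    for frontend, backend in find_mode_mismatches(SAMPLE):
        print(f"{frontend} (mode http) may route to {backend} (mode tcp)")
```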