Hello,

After upgrading HAProxy from 2.7 to 2.8, with Nginx (1.25.0) as
backends and Proxy Protocol v2, the connections are not closed and
CLOSE_WAIT is increasing over time. No configuration changes apart from
the HAProxy version.

Using HAProxy as the backend does not create the same issue.

Not Working: Haproxy 2.8 -> Nginx (TLS Offloading)   -> Varnish 
Working:     Haproxy 2.8 -> Haproxy (TLS Offloading) -> Varnish
Ubuntu 22.04
HAProxy version 2.7.10-1ppa1~jammy 2023/08/12
or 
HAProxy version 2.8.2-1ppa1~jammy 2023/08/12

(Thanks again Vincent Bernat for the PPA)


Config:

global
  crt-base  /etc/ssl/private
  group  haproxy
  log  127.0.0.1 local0
  ssl-default-bind-ciphers  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  ssl-default-bind-ciphersuites  TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  ssl-default-bind-options  prefer-client-ciphers ssl-min-ver TLSv1.2 no-tls-tickets
  ssl-default-server-ciphers  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  ssl-default-server-ciphersuites  TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  ssl-default-server-options  ssl-min-ver TLSv1.2 no-tls-tickets
  stats  socket /var/run/haproxy.sock  user haproxyapi  group haproxyapi  mode 660  level admin  expose-fd listeners
  tune.ssl.default-dh-param  2048
  user  haproxy

defaults
  log  global
  maxconn  8000
  option  redispatch
  retries  3
  stats  enable
  timeout  http-request 10s
  timeout  queue 1m
  timeout  connect 10s
  timeout  client 1m
  timeout  server 1m
  timeout  check 10s

listen http
  bind [redacted]:80 interface ens224
  mode tcp
  balance roundrobin
  log global
  option tcplog
  server web1 [redacted]:2080 check send-proxy-v2
  server web2 [redacted]:2080 check send-proxy-v2
  server web3 [redacted]:2080 check send-proxy-v2
  server web4 [redacted]:2080 check send-proxy-v2


listen https
  bind [redacted]:443 interface ens224
  mode tcp
  balance roundrobin
  log global
  option tcplog
  server web1 [redacted]:2443 check send-proxy-v2
  server web2 [redacted]:2443 check send-proxy-v2
  server web3 [redacted]:2443 check send-proxy-v2
  server web4 [redacted]:2443 check send-proxy-v2


-- 
Tom Braarup
Senior IT-Administrator / Commercial and Tech Operations

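A quick check for the symptom described in the mail, added here as an example and not part of the original post or of HAProxy itself: it parses `ss -tan` output and counts CLOSE_WAIT sockets per peer port, so you can confirm that the leaked sockets are the HAProxy -> backend connections (peer ports 2080 and 2443 from the posted config) rather than client-facing ones. The sample `ss` lines and addresses below are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original mail): count CLOSE_WAIT sockets
# per peer port from `ss -tan` output. On the HAProxy host, a growing
# count for the backend ports (2080/2443 in the posted config) shows the
# half-closed connections are on the HAProxy -> Nginx side.

# close_wait_by_peer_port: reads `ss -tan` style lines on stdin and
# prints "<peer_port> <count>" for every peer port with CLOSE_WAIT sockets.
# ss -tan columns: State Recv-Q Send-Q Local:Port Peer:Port; the port is
# the last ':'-separated field, which also works for [::1]:2443 style peers.
close_wait_by_peer_port() {
    awk '$1 == "CLOSE-WAIT" {
            n = split($5, a, ":")
            port = a[n]
            count[port]++
        }
        END { for (p in count) print p, count[p] }' | sort -n
}

# Constructed sample in `ss -tan` format (assumed data, not from the mail).
SAMPLE='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.1:443         203.0.113.5:51234
CLOSE-WAIT 1      0      10.0.0.1:40110       10.0.0.10:2443
CLOSE-WAIT 1      0      10.0.0.1:40112       10.0.0.11:2443
CLOSE-WAIT 0      0      10.0.0.1:40200       10.0.0.10:2080
ESTAB      0      0      10.0.0.1:40300       10.0.0.12:2080'

# count_for_port <port>: CLOSE_WAIT count for one peer port in SAMPLE (0 if none).
count_for_port() {
    printf '%s\n' "$SAMPLE" | close_wait_by_peer_port \
        | awk -v p="$1" '$1 == p { c = $2 } END { print c + 0 }'
}

# Live usage on the HAProxy host (run it a few minutes apart and compare):
#   ss -tan | close_wait_by_peer_port
printf '%s\n' "$SAMPLE" | close_wait_by_peer_port
```

Running it repeatedly and watching the backend-port counters climb while the client-port counters stay flat is the evidence that the 2.8 side is not completing the close after the backend's FIN; that narrows the report to the HAProxy-to-backend connection with `send-proxy-v2`.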