Re: Apache translates 500 to 502 from haproxy

[Willy Tarreau]

On Tue, Jun 14, 2011 at 11:25:19AM +0530, Sachin Shetty wrote:
 Hey Willy,
 
 We have 1.4.11 - so how do we use the workaround - This is already in prod
 and I need to work around it before we can get to the root cause.

The workaround is part of the code, so you're hitting a different issue
I think. Please do not hesitate to send me a network capture of what
passes between apache and haproxy. Maybe it's not hard to improve the
workaround to cover your case if that's the issue.

Regards,
Willy

RE: Apache translates 500 to 502 from haproxy

[Sachin Shetty]

Hey Willy,

tcpdump would be fine?

Thanks
Sachin

-Original Message-
From: Willy Tarreau [mailto:w...@1wt.eu] 
Sent: Tuesday, June 14, 2011 12:14 PM
To: Sachin Shetty
Cc: 'Cassidy, Bryan'; haproxy@formilux.org
Subject: Re: Apache translates 500 to 502 from haproxy

On Tue, Jun 14, 2011 at 11:25:19AM +0530, Sachin Shetty wrote:
 Hey Willy,
 
 We have 1.4.11 - so how do we use the workaround - This is already in prod
 and I need to work around it before we can get to the root cause.

The workaround is part of the code, so you're hitting a different issue
I think. Please do not hesitate to send me a network capture of what
passes between apache and haproxy. Maybe it's not hard to improve the
workaround to cover your case if that's the issue.

Regards,
Willy

Re: Apache translates 500 to 502 from haproxy

[Willy Tarreau]

On Tue, Jun 14, 2011 at 12:22:03PM +0530, Sachin Shetty wrote:
 Hey Willy,
 
 tcpdump would be fine?

Yes, for instance :

   tcpdump -s0 -npi eth0 port 80 -w trace1.cap

Please note that -s0 is very important otherwise packets will be truncated.

Regards,
Willy

Re: Apache translates 500 to 502 from haproxy

[Willy Tarreau]

On Tue, Jun 14, 2011 at 01:09:12PM +0530, Sachin Shetty wrote:
 here is the tcp dump containing that precise request:
 
 tcpdump -s0 -npi lo port 9910 -w trace1.cap

There is nothing abnormal there, the response was complete and not truncated.
The connection was eventually closed before all of the request was read, but
I see nothing wrong with that and it is quite common with redirects or 401.

It's very strange that your apache does return a 502 here, because it received
the response long before the connection was closed, so it should already have
forwarded it. Also many people are using apache in front of haproxy without
such a problem.

Are you sure there is not anything in your apache config/modules which buffers
the whole response before responding ? It might explain this different
behaviour.

Willy

can't figure out why this is causing a CQ

[Hank A. Paulson]

I can't see what I am missing here.
Any help is appreciated

Jun 14 02:00:00 localhost haproxy[3052]: 10.101.1.2:2892 
[14/Jun/2011:02:00:00.088] w wi/wi-9 35/111/-1/-1/146 503 212 W=9 - CQ-- 
202/202/27/18/0 1/0 {w.x.y.z|Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) 
AppleWebKit/534.7 (KHTML, like Gecko) Chrome/1.0.11.4 
Safari/534.7|1549|http://w.x.y.z/w/web/w.jsp?ID=1sid=42||lang=en; 
auth=5/z/Z; W=9||} {} POST /w/web/w.jsp?ID=1sid=42 HTTP/1.1


config:

defaults
#option splice-auto
option tcp-smart-connect
option http-server-close
timeout queue 21s
timeout http-request 5s
timeout client 38s
timeout connect 8s
timeout server 38s
timeout http-keep-alive 8s
timeout tarpit 120s

global
node   w1
loglocalhost local0
#   loglocalhost local0 err
maxconn32768
uid99
gid99
chroot /var/empty
pidfile/var/run/haproxy.pid
daemon
quiet
spread-checks 6

frontend w
bind 10.1.1.1:80
mode http
log  global
option   httplog
option http-server-close
option   log-separate-errors
maxconn  32768

capture request  header Host   len 32
capture request  header User-Agent len 256
capture request  header Content-Length len 10
capture request  header Refererlen 384
capture request  header Vialen 64
capture request  header Cookie len 128
capture request  header X-xylen 64
capture response header Content-Length len 10
capture request  header X-xxlen 32

   # block any unwanted source IP addresses or networks
   acl forbidden_src src  0.0.0.0/7 224.0.0.0/3
#   acl forbidden_src src_port 0:1023
   block if forbidden_src

   default_backend wi

   capture cookie W= len 13

backend wi
modehttp
balance roundrobin
cookie W
server wi-7 10.1.1.7:80 cookie 7 check observe layer7 inter 90s 
fastinter 12s downinter 18s rise 2 fall 4  slowstart 360s weight 100 maxconn 
18 maxqueue 64
server wi-9 10.1.1.9:80 cookie 9 check observe layer7 inter 90s 
fastinter 12s downinter 18s rise 2 fall 4  slowstart 360s weight 100 maxconn 
18 maxqueue 64
	server wi-0 10.1.1.0:80 cookie 0 check observe layer7 inter 90s fastinter 12s 
downinter 18s rise 2 fall 4  slowstart 360s weight 100 maxconn 18 maxqueue 64
	server wi-1 10.1.1.1:80 cookie 1 check observe layer7 inter 90s fastinter 12s 
downinter 18s rise 2 fall 4  slowstart 360s weight 100 maxconn 18 maxqueue 64
	server wi-2 10.1.1.2:80 cookie 2 check observe layer7 inter 90s fastinter 12s 
downinter 18s rise 2 fall 4  slowstart 360s weight 100 maxconn 18 maxqueue 64
	server wi-3 10.1.1.3:80 cookie 3 check observe layer7 inter 90s fastinter 12s 
downinter 18s rise 2 fall 4  slowstart 360s weight 100 maxconn 18 maxqueue 64
	server wi-8 10.1.1.8:80 cookie 8 check observe layer7 inter 90s fastinter 12s 
downinter 18s rise   fall 4  slowstart 360s weight 100 maxconn 18 maxqueue 64
#server wi-2 10.1.1.2:80 cookie 2 check observe layer7 inter 90s 
fastinter 12s downinter 18s rise 2 fall 4  slowstart 360s backup weight 100 
maxconn 24

option redispatch
retries 3

option forwardfor
option http-server-close
#option forceclose
option abortonclose

Re: Apache translates 500 to 502 from haproxy

[Willy Tarreau]

On Tue, Jun 14, 2011 at 02:14:15PM +0530, Sachin Shetty wrote:
 I looked at all the apache modules we have and haven't seen anything glaring
 there.
 
 Attached tcpdump from cherrypy server when Apache is bypassing haproxy and
 forwarding to cherrypy directly. Obviously cherrypy does it in order, loads
 the whole file and then sends the response back which works ok for Apache.

I understand, but I see nothing in HTTP which makes it mandatory to read all
the content once you have responded. If you respond, you don't need those
data anymore. The common practice is to read at least some of them in order
to avoid the issue with the close causing a reset. Haproxy reads as much as
it can until the close. Once the connection is closed, it cannot read anymore.
Apache accepts to read a lot more of data,but with a limit too.

Willy

RE: Apache translates 500 to 502 from haproxy

[Sachin Shetty]

Yeah, I understand.

So what could we do? I am really stuck with this and not able to figure out
any workaround either.

-Original Message-
From: Willy Tarreau [mailto:w...@1wt.eu] 
Sent: Tuesday, June 14, 2011 4:17 PM
To: Sachin Shetty
Cc: 'Cassidy, Bryan'; haproxy@formilux.org
Subject: Re: Apache translates 500 to 502 from haproxy

On Tue, Jun 14, 2011 at 02:14:15PM +0530, Sachin Shetty wrote:
 I looked at all the apache modules we have and haven't seen anything
glaring
 there.
 
 Attached tcpdump from cherrypy server when Apache is bypassing haproxy and
 forwarding to cherrypy directly. Obviously cherrypy does it in order,
loads
 the whole file and then sends the response back which works ok for Apache.

I understand, but I see nothing in HTTP which makes it mandatory to read all
the content once you have responded. If you respond, you don't need those
data anymore. The common practice is to read at least some of them in order
to avoid the issue with the close causing a reset. Haproxy reads as much as
it can until the close. Once the connection is closed, it cannot read
anymore.
Apache accepts to read a lot more of data,but with a limit too.

Willy

Re: Apache translates 500 to 502 from haproxy

[Willy Tarreau]

On Tue, Jun 14, 2011 at 04:27:00PM +0530, Sachin Shetty wrote:
 Yeah, I understand.
 
 So what could we do? I am really stuck with this and not able to figure out
 any workaround either.

I really have no idea, because the server already replies before the
data are sent. Maybe you could disable the http-server-close option
so that haproxy works in tunnel mode. It will then not analyse any
request nor response beyond headers and will let client and server
agree on when to close the connection. You may even resort to the
plain old option httpclose so that each other are aware that the
connection is used only for one request.

Willy

RE: Apache translates 500 to 502 from haproxy

[Sachin Shetty]

man

We already had option httpclose in our config and removing it fixed it. We
haven't tweaked any configs for a few months, I dont even know why we had
this in the first place :)

I read through the documentation, I dont think we need it. Do you have any
reservations about taking it out?

Thanks
Sachin

-Original Message-
From: Willy Tarreau [mailto:w...@1wt.eu] 
Sent: Tuesday, June 14, 2011 5:15 PM
To: Sachin Shetty
Cc: 'Cassidy, Bryan'; haproxy@formilux.org
Subject: Re: Apache translates 500 to 502 from haproxy

On Tue, Jun 14, 2011 at 04:27:00PM +0530, Sachin Shetty wrote:
 Yeah, I understand.
 
 So what could we do? I am really stuck with this and not able to figure
out
 any workaround either.

I really have no idea, because the server already replies before the
data are sent. Maybe you could disable the http-server-close option
so that haproxy works in tunnel mode. It will then not analyse any
request nor response beyond headers and will let client and server
agree on when to close the connection. You may even resort to the
plain old option httpclose so that each other are aware that the
connection is used only for one request.

Willy

Re: Apache translates 500 to 502 from haproxy

[Willy Tarreau]

On Tue, Jun 14, 2011 at 06:16:23PM +0530, Sachin Shetty wrote:
 man
 
 We already had option httpclose in our config and removing it fixed it. We
 haven't tweaked any configs for a few months, I dont even know why we had
 this in the first place :)
 
 I read through the documentation, I dont think we need it. Do you have any
 reservations about taking it out?

If you don't have the option, then only the first request and first response
of each connection is analysed. So if Apache does keep-alive with the server
over haproxy, then haproxy won't parse the second and subsequent requests.

If you were already having httpclose, then haproxy did not close by itself,
so that means that the server was closing the connection after it had nothing
else to send. In other words, we have two servers (haproxy and the server
behind it) who agree on acting the same way and the Apache definitely is the
issue here.

Could you just make a try with option http-server-close then ? I think it
won't work due to the server closing, but if it does it would be better.

I'll have to think about implementing a drain mode over keep-alive
connections for this precise case : if the connection to the server is
dead while the connection to the client is active with data still coming,
we should silently drain those data.

Regards,
Willy

Re: acl and multiple header values

[Willy Tarreau]

On Tue, Jun 14, 2011 at 04:43:47PM -0700, John Fieber wrote:
 I want to create an ACL based on X-Forwarded-For:
 
 acl whitelist hdr_ip(X-Forwarded-For) -f whitelist.txt
 block unless whitelist
 
 Which is just grand, EXCEPT I'm only interested in (and trust) the last 
 address in the X-Forwarded-For header.  The above acl matches any address in 
 the header.  I've been digging for a good chunk of the day how to do that and 
 come up empty handed.  Help?

Since we have not yet reworked the ACLs to rely on the pattern subsystem,
it's still not possible to make use of hdr_ip(X-f-f,-1) as we do on the
balance or source keywords.

One thing you could do, despite not being very good, is to remove all
occurrences of values in the header. Basically, remove everything from
the first char to the last comma :

   reqirep ^(X-Forwarded-For:\ ).*,([^,]*) \1\2

Then your ACL could match based on what is left in this header.

Regards,
Willy

Re: can't figure out why this is causing a CQ

[Willy Tarreau]

Hi Hank,

On Tue, Jun 14, 2011 at 03:12:27AM -0700, Hank A. Paulson wrote:
 I can't see what I am missing here.
 Any help is appreciated
 
 Jun 14 02:00:00 localhost haproxy[3052]: 10.101.1.2:2892 
 [14/Jun/2011:02:00:00.088] w wi/wi-9 35/111/-1/-1/146 503 212 W=9 - CQ-- 
 202/202/27/18/0 1/0 {w.x.y.z|Mozilla/5.0 (Windows; U; Windows NT 5.1; 
 en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/1.0.11.4 
 Safari/534.7|1549|http://w.x.y.z/w/web/w.jsp?ID=1sid=42||lang=en; 
 auth=5/z/Z; W=9||} {} POST /w/web/w.jsp?ID=1sid=42 HTTP/1.1

You're not missing anything, CQ means the client disconnected while
the request was waiting in the queue. The client aborted 111 ms after
his request went into the queue, and since you have option abortonclose
the request was never forwarded to the server.

Regards,
Willy