Re: SOLVED Re: haproxy + RDP

2017-05-24 Thread Aleksandar Lazic
Hi Antonio Trujillo Carmona.

cool thanks for sharing.

Regards
Aleks

Antonio Trujillo Carmona have written on Wed, 24 May 2017 09:01:16
+0200:

> On 16/05/17 at 23:17, Aleksandar Lazic wrote:
> > Hi Antonio Trujillo Carmona.
> >
> > Antonio Trujillo Carmona have written on Mon, 15 May 2017 08:40:16
> > +0200:
> >
> > > On 12/05/17 at 11:55, Aleksandar Lazic wrote:
> > > > Hi Antonio Trujillo Carmona.
> > > >
> > > > Antonio Trujillo Carmona have written on Fri, 12 May 2017 10:23:59
> > > > +0200:
> > > >
> > > > > On 11/05/17 at 15:06, Aleksandar Lazic wrote:
> > > > > > .../
> > > > > > How about to activate the 'option tcp-check' as mentioned in the
> > > > > > Warning?
> > > > > > In the config below it's commented, any reason why?
> > > > > >
> > > > > > It's also active in the doc which you maybe know.
> > > > > >
> > > > > > https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html
> > > > > >
> > > > > > Does this change anything?
> > > > > ok cleaning up a little I try:
> > > > > frontend RDP
> > > > >     mode tcp
> > > > >     bind *:3389
> > > > >     timeout client 1h
> > > > >     tcp-request inspect-delay 5s
> > > > >     tcp-request content accept if RDP_COOKIE
> > > > >     default_backend bk_rdp
> > > > > #
> > > > > backend bk_rdp
> > > > >     mode tcp
> > > > >     balance leastconn
> > > > >     #balance rdp-cookie
> > > > >     timeout server 1h
> > > > >     timeout connect 4s
> > > > >     log global
> > > > >     option tcplog
> > > > >     stick-table type string len 32 size 10k expire 1h peers pares
> > > > >     stick on rdp_cookie(mstshash)
> > > > >     #   persist rdp-cookie
> > > > >     option tcp-check
> > > > >     #   option ssl-hello-chk
> > > > >     #   option tcpka
> > > > >     tcp-check connect port 3389 ssl
> > > > >
> > > > >     #   server gr43sterminal01  10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> > > > >     #   server gr43sterminal02  10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> > > > >     #
> > > > >     default-server inter 3s rise 2 fall 3
> > > > >     server gr43sterminal01  10.104.22.142:3389 weight 1 check
> > > > >     server gr43sterminal02  10.104.23.141:3389 weight 1 check
> > > > >
> > > > > And I got:
> > > > > [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal01' [/etc/haproxy/haproxy.cfg:189] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.
> > > > > [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal02' [/etc/haproxy/haproxy.cfg:190] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.
> > > > > [ALERT] 131/100222 (8564) : Fatal errors found in configuration.
> > > > >
> > > > > So I try adding verify none in the server line
> > > > >
> > > > > and haproxy sees both servers up (but one is down).
> > > > > I try without ssl:
> > > > >
> > > > >     tcp-check connect port 3389
> > > > >     server gr43sterminal01  10.104.22.142:3389 weight 1 check
> > > > >     server gr43sterminal02  10.104.23.141:3389 weight 1 check
> > > > >
> > > > > but the result is the same, haproxy sees both servers up (but one is
> > > > > down)
> > > > >
> > > > > only if I leave only option tcp-check (or none) it seems to work
> > > > >
> > > > >     #
> > > > >     #   persist rdp-cookie
> > > > >     option tcp-check
> > > > >     #   option ssl-hello-chk
> > > > >     #   option tcpka
> > > > >     #   tcp-check connect port 3389 ssl
> > > > >     #   tcp-check connect port 3389
> > > > >
> > > > >     #   server gr43sterminal01  10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> > > > >     #   server gr43sterminal02  10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> > > > >     #
> > > > >     default-server inter 3s rise 2 fall 3
> > > > >     server gr43sterminal01  10.104.22.142:3389 weight 1 check
> > > > >     server gr43sterminal02  10.104.23.141:3389 weight 1 check
> > > > >     ##
> > > > >
> > > > > output:
> > > > >
> > > > > [WARNING] 131/102105 (8773) : Server bk_rdp/gr43sterminal01 is DOWN, reason: Layer4 timeout, info: " at initial connection step of tcp-check", check duration: 3001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
> > > > So finally it works.
> > > >
> > > > Regards
> > > > Aleks
> > > But in that mode it checks server availability,

SOLVED Re: haproxy + RDP

2017-05-24 Thread Antonio Trujillo Carmona

On 16/05/17 at 23:17, Aleksandar Lazic wrote:
> Hi Antonio Trujillo Carmona.
>
> Antonio Trujillo Carmona have written on Mon, 15 May 2017 08:40:16
> +0200:
>
> > On 12/05/17 at 11:55, Aleksandar Lazic wrote:
> > > Hi Antonio Trujillo Carmona.
> > >
> > > Antonio Trujillo Carmona have written on Fri, 12 May 2017 10:23:59
> > > +0200:
> > >
> > > > On 11/05/17 at 15:06, Aleksandar Lazic wrote:
> > > > > .../
> > > > > How about to activate the 'option tcp-check' as mentioned in the
> > > > > Warning?
> > > > > In the config below it's commented, any reason why?
> > > > >
> > > > > It's also active in the doc which you maybe know.
> > > > >
> > > > > https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html
> > > > >
> > > > > Does this change anything?
> > > > ok cleaning up a little I try:
> > > > frontend RDP
> > > >     mode tcp
> > > >     bind *:3389
> > > >     timeout client 1h
> > > >     tcp-request inspect-delay 5s
> > > >     tcp-request content accept if RDP_COOKIE
> > > >     default_backend bk_rdp
> > > > #
> > > > backend bk_rdp
> > > >     mode tcp
> > > >     balance leastconn
> > > >     #balance rdp-cookie
> > > >     timeout server 1h
> > > >     timeout connect 4s
> > > >     log global
> > > >     option tcplog
> > > >     stick-table type string len 32 size 10k expire 1h peers pares
> > > >     stick on rdp_cookie(mstshash)
> > > >     #   persist rdp-cookie
> > > >     option tcp-check
> > > >     #   option ssl-hello-chk
> > > >     #   option tcpka
> > > >     tcp-check connect port 3389 ssl
> > > >
> > > >     #   server gr43sterminal01  10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> > > >     #   server gr43sterminal02  10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> > > >     #
> > > >     default-server inter 3s rise 2 fall 3
> > > >     server gr43sterminal01  10.104.22.142:3389 weight 1 check
> > > >     server gr43sterminal02  10.104.23.141:3389 weight 1 check
> > > >
> > > > And I got:
> > > > [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal01' [/etc/haproxy/haproxy.cfg:189] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.
> > > > [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal02' [/etc/haproxy/haproxy.cfg:190] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.
> > > > [ALERT] 131/100222 (8564) : Fatal errors found in configuration.
> > > >
> > > > So I try adding verify none in the server line
> > > >
> > > > and haproxy sees both servers up (but one is down).
> > > > I try without ssl:
> > > >
> > > >     tcp-check connect port 3389
> > > >     server gr43sterminal01  10.104.22.142:3389 weight 1 check
> > > >     server gr43sterminal02  10.104.23.141:3389 weight 1 check
> > > >
> > > > but the result is the same, haproxy sees both servers up (but one is
> > > > down)
> > > >
> > > > only if I leave only option tcp-check (or none) it seems to work
> > > >
> > > >     #
> > > >     #   persist rdp-cookie
> > > >     option tcp-check
> > > >     #   option ssl-hello-chk
> > > >     #   option tcpka
> > > >     #   tcp-check connect port 3389 ssl
> > > >     #   tcp-check connect port 3389
> > > >
> > > >     #   server gr43sterminal01  10.104.22.142:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> > > >     #   server gr43sterminal02  10.104.23.141:3389 weight 1 check verify none inter 2000 rise 2 fall 3
> > > >     #
> > > >     default-server inter 3s rise 2 fall 3
> > > >     server gr43sterminal01  10.104.22.142:3389 weight 1 check
> > > >     server gr43sterminal02  10.104.23.141:3389 weight 1 check
> > > >     ##
> > > >
> > > > output:
> > > >
> > > > [WARNING] 131/102105 (8773) : Server bk_rdp/gr43sterminal01 is DOWN, reason: Layer4 timeout, info: " at initial connection step of tcp-check", check duration: 3001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
> > > So finally it works.
> > >
> > > Regards
> > > Aleks
> > But in that mode it checks server availability, not the service; if the
> > RDP service is down haproxy doesn't detect it.
> Maybe you will need some tcp-check sequence to check the service.
>
> http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-tcp-check%20send
> http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-tcp-check%20send-binary
>
> I have found a perl script which checks the rdp, maybe this will help
> you to find the right sequence.
>
> https://github.com/portcullislabs/rdp-sec-check/blob/master/rdp-sec-check.pl
>
> Regards
> Aleks

Finally it works.
The configuration ended up as:
#
frontend RDP
    mode tcp
    bind *:3389
    timeout client 1h
    tcp-request inspect-delay 25s
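The tcp-check send/expect sequence Aleks suggests above starts with the X.224 Connection Request that rdp-sec-check.pl also sends (RDP only switches to TLS after that exchange, which is why a bare TLS probe is not the right check), and the following is an added example that is not code from the thread or from the haproxy project. It builds that request, parses the Connection Confirm including the negotiation-failure case, and derives the matching tcp-check lines; the sample reply is constructed, and the function and constant names are my own.

```python
# Added example (not from the thread or the haproxy project): build the X.224
# Connection Request an RDP client sends first, parse the server's Connection
# Confirm, and derive haproxy tcp-check lines from it. Layout follows
# MS-RDPBCGR 2.2.1.1 / 2.2.1.2; function and constant names are my own.
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2   # requestedProtocols flags

def build_x224_connection_request(protocols=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT header + X.224 CR TPDU + rdpNegReq asking for the given protocols."""
    neg_req = bytes([0x01, 0x00]) + struct.pack("<H", 8) + struct.pack("<I", protocols)
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + neg_req      # CR code, dst-ref, src-ref, class 0
    x224 = bytes([len(x224)]) + x224                   # length indicator goes first
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224

def parse_x224_connection_confirm(data):
    """Return {'ok': bool, ...} for a Connection Confirm; raise ValueError otherwise."""
    if len(data) < 7 or data[:2] != b"\x03\x00":
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data) or data[4] + 5 != len(data):
        raise ValueError("TPKT/X.224 length mismatch")
    if data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:]                      # after LI, CC code, dst-ref, src-ref, class
    if not neg:                          # old servers: standard RDP security only
        return {"ok": True, "selected_protocol": PROTOCOL_RDP}
    if len(neg) < 8 or struct.unpack("<H", neg[2:4])[0] != 8:
        raise ValueError("malformed negotiation response")
    value = struct.unpack("<I", neg[4:8])[0]
    if neg[0] == 0x02:                   # TYPE_RDP_NEG_RSP: selectedProtocol
        return {"ok": True, "selected_protocol": value}
    if neg[0] == 0x03:                   # TYPE_RDP_NEG_FAILURE: failureCode
        return {"ok": False, "failure_code": value}
    raise ValueError("unknown negotiation structure")

def haproxy_tcp_check_lines(protocols=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """Backend lines that probe the RDP service itself rather than only the TCP port."""
    return [
        "option tcp-check",
        "tcp-check connect",
        "tcp-check send-binary " + build_x224_connection_request(protocols).hex(),
        # TPKT header + X.224 CC carrying a negotiation response; the reference
        # fields after it differ per server, so only this fixed prefix is matched.
        # An rdpNegFailure reply matches too, so a probe that must also flag
        # failure codes as DOWN should run parse_x224_connection_confirm().
        "tcp-check expect binary 030000130ed0",
    ]

# Constructed sample reply (not a capture): a server that selected PROTOCOL_HYBRID.
SAMPLE_CONNECTION_CONFIRM = bytes.fromhex("030000130ed000001234000200080002000000")
```

A server that only offers standard RDP security answers with an 11-byte Connection Confirm without a negotiation response, which the parser accepts but the fixed expect prefix above does not; adjust the prefix for such hosts.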