Re: tcp loadbalancing
Thks for the reply.. here is the capture TCP packet ( i hope it correct ) 861.531811000192.168.77.1192.168.77.50TCP60 [TCP ZeroWindow] 37535 > esri-sde [ACK] Seq=1 Ack=1 Win=0 Len=0 871.531829000192.168.77.50192.168.77.1TCP66 [TCP ACKed unseen segment] esri-sde > 37535 [ACK] Seq=1 Ack=2 Win=64887 Len=0 TSval=14742645 TSecr=349169802 25911.533777000192.168.77.1192.168.77.50TCP 60[TCP ZeroWindow] 37535 > esri-sde [ACK] Seq=1 Ack=1 Win=0 Len=0 as you can see, 192.168.77.50 is the ip of application server, and 192.168.77.1 is the ip of Haproxy server.. so if the "HAProxy manages buffers and just forward them in both ways (client to server and vice-versa)" .. it should be passing the tcp ack to the client side/ip ( CMIIW ), which is public ip.. On 4/24/13 12:29 PM, Baptiste wrote: Hi, Could you take a capture of this check from the server? In TCP mode, HAProxy manages buffers and just forward them in both ways (client to server and vice-versa). Baptiste On Wed, Apr 24, 2013 at 4:59 AM, ZeN wrote: Hello please bear with because i'm new with haproxy. recently i tried to loadbalance tcp base applications which bind/listen into specific ports. the behavior of the applications ( server side ) is : check time out to the connected client ( 20 seconds), than close/terminated the staled clients connections. but with haproxy, i still cannot manage this behavior to work, because the server send the time out checking to the haproxy server, not directly to the clients. may be some of you who has more expertize with haproxy could point me what is wrong with my setup. i'm running HA-Proxy version 1.4.23 2013/04/03 from FreeBSD ports under FreeBSD 9.1-RELEASE-p2 here is my simple haproxy conf: global log 127.0.0.1 local0 debug maxconn 4096 #ulimit-n 1024 uid 1 gid 1 daemon pidfile /var/run/haproxy.pid listen stats :8081 balance mode http stats enable stats auth blah:blahpass stats refresh 5s listen TEST :5150 ##bind to all interfaces## mode tcp option tcpka option clitcpka option srvtcpka option tcp-smart-accept option tcplog timeout client 320s timeout connect 30s timeout server 30s timeout check 30s option abortonclose option redispatch retries 3 log global balance roundrobin server piglet 192.168.5.18:5150 maxconn 2000 server tigger 192.168.5.30:5150 maxconn 2000 any help will be much appreciated TIA ZeN
Re: Failed to use the source address for outgoing connections
Hi Godbach, On Tue, Apr 23, 2013 at 04:08:30PM +0800, Godbach wrote: > Here is the patch to fix the bug of source function in attachment for > your information. (...) I've applied it now. Thank you ! Willy
Re: appsession not sticking?
Hi Mattew, You can first send us your configuration :) Browser are supposed to send cookies over 2 different connections for the same domain. So maybe you could log the Host header and the Set-Cookie header as well. Baptiste On Tue, Apr 23, 2013 at 11:54 AM, Matthew Wild wrote: > Hi, > > I'm setting up a new haproxy deployment, and am having some problems > trying to get sessions correctly sticking to backend servers. > > Since it's new, it's worth firstly checking that I haven't made any > configuration mistakes, I'm currently testing with this: > https://gist.github.com/mwild1/19560e39196f49da4ae2 > > I've done some debugging, and this is the usual flow I see: > > -- Connection 1 > OPTIONS->OK (backend 1) ; cross-domain pre-flight request > POST->OK (backend 1) (cookie is set in this response) > POST->OK (backend 1) > POST-> (backend 1) ; Here backend 1 holds the connection open (long poll) > > ; The client makes a new request, and the browser opens a new > connection because connection 1 is blocked > -- Connection 2 > POST->ERROR (backend 2) > > All the POST requests made by the browser (Chrome) have the correct > cookie once it is set in the first POST response. > > One possibility - perhaps haproxy only stores the cookie value when > the connection closes? Since connection 1 doesn't close, connection 2 > does not get associated with the correct backend. Just a theory... > > Any advice or suggestions? I hope it is something simple I'm missing :) > > Regards, > Matthew >
Re: fullconn
Hi, Long time nobody asked for fullconn information :) fullconn allows HAProxy to manage connections on your server. It means that HAProxy will increase connection opened on the server, from minconn to maxconn. And maxconn will be reached when the number of connection on the backend is equal to fullconn. I hope this is a bit more clearer. Baptiste On Tue, Apr 23, 2013 at 11:22 AM, Jose María Zaragoza wrote: > > Hello: > > > I'm reading about fullconn parameter in > > https://code.google.com/p/haproxy-docs/wiki/fullconn > > and I don't get the example > > > # The servers will accept between 100 and 1000 concurrent connections each > # and the maximum of 1000 will be reached when the backend reaches 1 > # connections. > backend dynamic > fullconn 1 > server srv1 dyn1:80 minconn 100 maxconn 1000 > server srv2 dyn2:80 minconn 100 maxconn 1000 > > > I don't understand what minconn is for . Is it a lower limit for concurrent > connections? > "The server will accept between 100 and 1000 concurrent connections" > And if is there 50 concurrent connections to backend ? > > If the server accepts up to 1000 concurrent connections, I guess 1000 is > always the upper limit > So, what fullconn is for ? is for concurrent connections to backend ? > > I don't understand this limits > > Thanks and regards > > > >
Re: tcp loadbalancing
Hi, Could you take a capture of this check from the server? In TCP mode, HAProxy manages buffers and just forward them in both ways (client to server and vice-versa). Baptiste On Wed, Apr 24, 2013 at 4:59 AM, ZeN wrote: > Hello > please bear with because i'm new with haproxy. > recently i tried to loadbalance tcp base applications which bind/listen into > specific ports. > the behavior of the applications ( server side ) is : > > check time out to the connected client ( 20 seconds), than close/terminated > the staled clients connections. > > but with haproxy, i still cannot manage this behavior to work, because the > server send the time out checking to the haproxy server, not directly to the > clients. > may be some of you who has more expertize with haproxy could point me what > is wrong with my setup. > > i'm running HA-Proxy version 1.4.23 2013/04/03 from FreeBSD ports under > FreeBSD 9.1-RELEASE-p2 > > here is my simple haproxy conf: > > > global > log 127.0.0.1 local0 debug > maxconn 4096 > #ulimit-n 1024 > uid 1 > gid 1 > daemon > pidfile /var/run/haproxy.pid > > listen stats :8081 > balance > mode http > stats enable > stats auth blah:blahpass > stats refresh 5s > > listen TEST :5150 ##bind to all interfaces## > mode tcp > option tcpka > option clitcpka > option srvtcpka > option tcp-smart-accept > option tcplog > timeout client 320s > timeout connect 30s > timeout server 30s > timeout check 30s > option abortonclose > option redispatch > retries 3 > log global > balance roundrobin > > > server piglet 192.168.5.18:5150 maxconn 2000 > server tigger 192.168.5.30:5150 maxconn 2000 > > > any help will be much appreciated > > TIA > > ZeN > > > > > > > > > >
tcp loadbalancing
Hello please bear with because i'm new with haproxy. recently i tried to loadbalance tcp base applications which bind/listen into specific ports. the behavior of the applications ( server side ) is : check time out to the connected client ( 20 seconds), than close/terminated the staled clients connections. but with haproxy, i still cannot manage this behavior to work, because the server send the time out checking to the haproxy server, not directly to the clients. may be some of you who has more expertize with haproxy could point me what is wrong with my setup. i'm running HA-Proxy version 1.4.23 2013/04/03 from FreeBSD ports under FreeBSD 9.1-RELEASE-p2 here is my simple haproxy conf: global log 127.0.0.1 local0 debug maxconn 4096 #ulimit-n 1024 uid 1 gid 1 daemon pidfile /var/run/haproxy.pid listen stats :8081 balance mode http stats enable stats auth blah:blahpass stats refresh 5s listen TEST :5150 ##bind to all interfaces## mode tcp option tcpka option clitcpka option srvtcpka option tcp-smart-accept option tcplog timeout client 320s timeout connect 30s timeout server 30s timeout check 30s option abortonclose option redispatch retries 3 log global balance roundrobin server piglet 192.168.5.18:5150 maxconn 2000 server tigger 192.168.5.30:5150 maxconn 2000 any help will be much appreciated TIA ZeN
Re: Unable to load SSL private key from PEM file
On 04/23/2013 06:31 AM, Tim Verhoeven wrote: Hi, I'm trying to get haproxy 1.5 dev18 to load my production certificate (it is working fine with a self-signed one). And I'm getting this error: [ALERT] 112/151354 (11224) : parsing [/etc/haproxy/haproxy.cfg:69] : 'bind <>:443' : unable to load SSL private key from PEM file '/etc/pki/tls/certs/<>.pem'. [ALERT] 112/151354 (11224) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg [ALERT] 112/151354 (11224) : Proxy 'https-in': no SSL certificate specified for bind '<>:443' at [/etc/haproxy/haproxy.cfg:69] (use 'crt'). [ALERT] 112/151354 (11224) : Fatal errors found in configuration. Errors in configuration file, check with haproxy check. This cert is a EV multidomain one from Digicert and uses a intermediate cert. I'm made the pem file by concatenting all the keys and certs like this : -BEGIN RSA PRIVATE KEY- -END RSA PRIVATE KEY- -BEGIN CERTIFICATE- -END CERTIFICATE- -BEGIN INTERMEDIATE CERTIFICATE- -END INTERMEDIATE CERTIFICATE- -BEGIN ROOT CERTIFICATE- -END ROOT CERTIFICATE- The private key should go after your certificate, not before. The rest of your order is OK. So: cat mycrt.pem mykey.pem intermediate.pem root.pem > combined.pem Ian
Re: Haproxy support for passing HTTP CONNECT requests directly to the backend
On Tue, Apr 23, 2013 at 04:10:55PM +0200, Willy Tarreau wrote: > On Tue, Apr 23, 2013 at 04:30:12PM +0300, Pasi Kärkkäinen wrote: > > On Tue, Apr 23, 2013 at 07:50:56AM +0200, Willy Tarreau wrote: > > > Hi, > > > > > > On Tue, Apr 23, 2013 at 05:29:26AM +0300, Pasi Kärkkäinen wrote: > > > > Hello, > > > > > > > > Is it currently possible to pass "HTTP CONNECT" requests directly to > > > > the backend server? > > > > > > > > So haproxy itself shouldn't try to connect anywhere, but instead > > > > directly pass > > > > the request to the backend, and let backend handle it. > > > > > > Not only it is possible, but it is the only thing it can do :-) Keep in > > > mind that haproxy is a reverse-proxy and not a proxy, so it will not try > > > to resolve a host to connect to a specific location for example. Thus, if > > > it receives a request such as "CONNECT foo:443 HTTP/1.1", it will not try > > > to resolved "foo", it will send it to one of the servers declared in the > > > backend. And it is the same for all methods, there is nothing specific to > > > CONNECT. > > > > > > > Hmm, I remember trying it earlier (a couple of years ago), and then it > > didn't work.. > > There is no reason. It's been used since maybe version 1.1 (10 years ago) > in front of proxies where this was already working. So if you see any > failure, please report ! > Ok, will do. -- Pasi
Re: Haproxy support for passing HTTP CONNECT requests directly to the backend
On Tue, Apr 23, 2013 at 04:30:12PM +0300, Pasi Kärkkäinen wrote: > On Tue, Apr 23, 2013 at 07:50:56AM +0200, Willy Tarreau wrote: > > Hi, > > > > On Tue, Apr 23, 2013 at 05:29:26AM +0300, Pasi Kärkkäinen wrote: > > > Hello, > > > > > > Is it currently possible to pass "HTTP CONNECT" requests directly to the > > > backend server? > > > > > > So haproxy itself shouldn't try to connect anywhere, but instead directly > > > pass > > > the request to the backend, and let backend handle it. > > > > Not only it is possible, but it is the only thing it can do :-) Keep in > > mind that haproxy is a reverse-proxy and not a proxy, so it will not try > > to resolve a host to connect to a specific location for example. Thus, if > > it receives a request such as "CONNECT foo:443 HTTP/1.1", it will not try > > to resolved "foo", it will send it to one of the servers declared in the > > backend. And it is the same for all methods, there is nothing specific to > > CONNECT. > > > > Hmm, I remember trying it earlier (a couple of years ago), and then it didn't > work.. There is no reason. It's been used since maybe version 1.1 (10 years ago) in front of proxies where this was already working. So if you see any failure, please report ! Thanks, Willy
Unable to load SSL private key from PEM file
Hi, I'm trying to get haproxy 1.5 dev18 to load my production certificate (it is working fine with a self-signed one). And I'm getting this error: [ALERT] 112/151354 (11224) : parsing [/etc/haproxy/haproxy.cfg:69] : 'bind <>:443' : unable to load SSL private key from PEM file '/etc/pki/tls/certs/<>.pem'. [ALERT] 112/151354 (11224) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg [ALERT] 112/151354 (11224) : Proxy 'https-in': no SSL certificate specified for bind '<>:443' at [/etc/haproxy/haproxy.cfg:69] (use 'crt'). [ALERT] 112/151354 (11224) : Fatal errors found in configuration. Errors in configuration file, check with haproxy check. This cert is a EV multidomain one from Digicert and uses a intermediate cert. I'm made the pem file by concatenting all the keys and certs like this : -BEGIN RSA PRIVATE KEY- -END RSA PRIVATE KEY- -BEGIN CERTIFICATE- -END CERTIFICATE- -BEGIN INTERMEDIATE CERTIFICATE- -END INTERMEDIATE CERTIFICATE- -BEGIN ROOT CERTIFICATE- -END ROOT CERTIFICATE- I'm using the identical PEM file successfully with vsftpd and I've also tested it with Apache mod_ssl where is also worked fine. So why is haproxy giving me this error? How can I debug this issue? Thanks, Tim -- Tim Verhoeven - tim.verhoeven...@gmail.com - 0479 / 88 11 83 Hoping the problem magically goes away by ignoring it is the "microsoft approach to programming" and should never be allowed. (Linus Torvalds)
Re: Haproxy support for passing HTTP CONNECT requests directly to the backend
On Tue, Apr 23, 2013 at 07:50:56AM +0200, Willy Tarreau wrote: > Hi, > > On Tue, Apr 23, 2013 at 05:29:26AM +0300, Pasi Kärkkäinen wrote: > > Hello, > > > > Is it currently possible to pass "HTTP CONNECT" requests directly to the > > backend server? > > > > So haproxy itself shouldn't try to connect anywhere, but instead directly > > pass > > the request to the backend, and let backend handle it. > > Not only it is possible, but it is the only thing it can do :-) Keep in > mind that haproxy is a reverse-proxy and not a proxy, so it will not try > to resolve a host to connect to a specific location for example. Thus, if > it receives a request such as "CONNECT foo:443 HTTP/1.1", it will not try > to resolved "foo", it will send it to one of the servers declared in the > backend. And it is the same for all methods, there is nothing specific to > CONNECT. > Hmm, I remember trying it earlier (a couple of years ago), and then it didn't work.. I'll have to try it again! Thanks a lot, -- Pasi
Re: HA Proxy FTP Load Balancing Timeout
Hi Ben, Is there any suggestion, that I can try in our HA Proxy config. Regards, Alok From: Ben Timby To: Alok Kumar Cc: "haproxy@formilux.org" Sent: Thursday, April 18, 2013 3:46 PM Subject: Re: HA Proxy FTP Load Balancing Timeout On Thu, Apr 18, 2013 at 3:38 PM, Alok Kumar wrote: Hi Ben, >In my case we are load balancing across FTP servers. > >FTP uses two data channel and command channel port for data transfer. > I use haproxy for the same purpose. Closing the command channel will not affect a transfer in any way, unless you have something else set up wrong. In other words, the command channel is needed only to START the upload, once started the data channel will complete the upload. If the command channel closes in the meantime, what does it matter? I am trying to understand WHY this is a problem, as in my experience closing the idle command channel is a GOOD thing with no negative side-effects.
appsession not sticking?
Hi, I'm setting up a new haproxy deployment, and am having some problems trying to get sessions correctly sticking to backend servers. Since it's new, it's worth firstly checking that I haven't made any configuration mistakes, I'm currently testing with this: https://gist.github.com/mwild1/19560e39196f49da4ae2 I've done some debugging, and this is the usual flow I see: -- Connection 1 OPTIONS->OK (backend 1) ; cross-domain pre-flight request POST->OK (backend 1) (cookie is set in this response) POST->OK (backend 1) POST-> (backend 1) ; Here backend 1 holds the connection open (long poll) ; The client makes a new request, and the browser opens a new connection because connection 1 is blocked -- Connection 2 POST->ERROR (backend 2) All the POST requests made by the browser (Chrome) have the correct cookie once it is set in the first POST response. One possibility - perhaps haproxy only stores the cookie value when the connection closes? Since connection 1 doesn't close, connection 2 does not get associated with the correct backend. Just a theory... Any advice or suggestions? I hope it is something simple I'm missing :) Regards, Matthew
SV: SV: VS: Haparoxy hangs in one minute on config reload
Hi Willy, Thanks, we will try this ASAP. Regards Terje -Opprinnelig melding- Fra: Willy Tarreau [mailto:w...@1wt.eu] Sendt: tirsdag, april 23, 2013 11:26 Til: Borgen, Terje Kopi: 'haproxy@formilux.org' Emne: Re: SV: VS: Haparoxy hangs in one minute on config reload Hi Terje, On Tue, Apr 23, 2013 at 11:17:13AM +0200, Borgen, Terje wrote: > Hi Willy. > I am sorry it took so long. We got another problem that got my full > attention for months. Firewall issues with database connections. This > is now solved and today this HAProxy reload problem occurred again. > We have checked the logs and it's not the first time after we added "option > nolinger". > > You mentioned that using port 8080 could be part of the problem. Our > other setup which runs on port 80 have never had this problem. > Do You think changing the listen port to eg 85 might solve the problem? Yes definitely, please try this. Regards, Willy
Re: SV: VS: Haparoxy hangs in one minute on config reload
Hi Terje, On Tue, Apr 23, 2013 at 11:17:13AM +0200, Borgen, Terje wrote: > Hi Willy. > I am sorry it took so long. We got another problem that got my full attention > for months. Firewall issues with database connections. This is now solved and > today this HAProxy reload problem occurred again. > We have checked the logs and it's not the first time after we added "option > nolinger". > > You mentioned that using port 8080 could be part of the problem. Our other > setup which runs on port 80 have never had this problem. > Do You think changing the listen port to eg 85 might solve the problem? Yes definitely, please try this. Regards, Willy
fullconn
Hello: I'm reading about fullconn parameter in https://code.google.com/p/haproxy-docs/wiki/fullconn and I don't get the example # The servers will accept between 100 and 1000 concurrent connections each # and the maximum of 1000 will be reached when the backend reaches 1 # connections. backend dynamic fullconn 1 server srv1 dyn1:80 minconn 100 maxconn 1000 server srv2 dyn2:80 minconn 100 maxconn 1000 I don't understand what minconn is for . Is it a lower limit for concurrent connections? "The server will accept between 100 and 1000 concurrent connections" And if is there 50 concurrent connections to backend ? If the server accepts up to 1000 concurrent connections, I guess 1000 is always the upper limit So, what fullconn is for ? is for concurrent connections to backend ? I don't understand this limits Thanks and regards
SV: VS: Haparoxy hangs in one minute on config reload
Hi Willy. I am sorry it took so long. We got another problem that got my full attention for months. Firewall issues with database connections. This is now solved and today this HAProxy reload problem occurred again. We have checked the logs and it's not the first time after we added "option nolinger". You mentioned that using port 8080 could be part of the problem. Our other setup which runs on port 80 have never had this problem. Do You think changing the listen port to eg 85 might solve the problem? Best regards Terje -Opprinnelig melding- Fra: Borgen, Terje Sendt: torsdag, desember 06, 2012 16:56 Til: Willy Tarreau Kopi: haproxy@formilux.org Emne: SV: VS: Haparoxy hangs in one minute on config reload Hi Willy, Nice to know that a fix is on its way. Looking forward to that. We are in a process of migrating from Windows/WebSphere and have another twenty-five Jetty-apps that will run on this environment. With health checks from all these applications the problem might be bigger than it is today. I have put "option nolinger" in all the backends with backend-check in our test-environment. This change will be merged into production on Monday, but it might take some time before we know for sure if this has improved the situation. Its only one week left to do changes before Christmas, so I am an not sure how many reloads there will be before next Year. Thanks for great help so far. I will update You as soon as we get five or more successful reloads (or worst case, a reload that hangs in one minute again) Regards Terje -Opprinnelig melding- Fra: Willy Tarreau [mailto:w...@1wt.eu] Sendt: 5. desember 2012 22:43 Til: Borgen, Terje Kopi: haproxy@formilux.org Emne: Re: VS: Haparoxy hangs in one minute on config reload Hi Terje, On Wed, Dec 05, 2012 at 09:33:19AM +0100, Borgen, Terje wrote: > Hi Willy, > Thanks for Your quick response. > I think You might be onto something here. We have a similar setup with > haproxy using port 80 and have never experienced this problem in that > environment. OK. > /proc/sys/net/ipv4/ip_local_port_range says 32768-61000, so nothing > special here. We have another similar problem when restarting the > Jetty-servers on the same server. We always get an error saying that > the port is in use and we have to wait one minute before it can start > again. The Jetty ports (as You can see in the config) are also outside > the ip_local_port_range. But this might be another problem since it happens > every restart. Yes, typically a listening port bound without SO_REUSEADDR. Very common in fact. > Some additional info: > - We have two identical servers running apache http server, haproxy > and jetty servers. Most of the traffic hits the main server, and the > reload problem have never happened on the failover server. So this > problem might be "traffic-related". > - For one week we changed the inter-parameter on the clusters from > default 2000 to 6 leaving rise/fall as default. In that period the > problem never occurred. OK, I see. The health checks are causing too many time-wait sockets. This issue was very recently fixed (in 1.5-dev14) as haproxy now closes health check sockets with a TCP reset, thus avoiding the TIME_WAIT. I'm pretty sure they're the one causing the issue as I've experienced a similar one recently (reason why I fixed it :-)). I have not backported this yet as I wanted to keep an observation period. However you can try something : put "option nolinger" in your BACKENDS, not your frontends, otherwise some clients will experience truncated responses!!! All backend connections (including checks) will be closed by a reset and you should see much less TIME_WAIT sockets between haproxy and the servers. Regards, Willy
Re: Failed to use the source address for outgoing connections
On Tue, Apr 23, 2013 at 02:44:17PM +0800, Godbach wrote: Hi, (it's strange I didn't get the original e-mail). On Tue, Apr 23, 2013 at 6:27 AM, Godbach wrote: Hi, all I have tested 'source' config in haproxy-1.5-dev18, but it didn't work with the following line in default section: source 0.0.0.0 usesrc clientip Other related settings by iptables and ip rule have been set correctly. There are some codes in cfg_parse_listen() (Line 1812-1815 in lastest commit) to do source function init for a new backend proxy as below if (defproxy.conn_src.iface_name) curproxy->conn_src.iface_name = strdup(defproxy.conn_src.iface_name); curproxy->conn_src.iface_len = defproxy.conn_src.iface_len; curproxy->conn_src.opts = defproxy.conn_src.opts & ~CO_SRC_TPROXY_MASK; The last line of codes will set the value of opts represents such as 'client', 'clientip' and so on in defproxy to current backend proxy. But I was confused that why clear the low three bits. CO_SRC_TPROXY_MASK is defined in include/types/connection.h as below: /* source address settings for outgoing connections */ enum { /* Tproxy exclusive values from 0 to 7 */ CO_SRC_TPROXY_ADDR = 0x0001,/* bind to this non-local address when connecting */ CO_SRC_TPROXY_CIP = 0x0002,/* bind to the client's IP address when connecting */ CO_SRC_TPROXY_CLI = 0x0003,/* bind to the client's IP+port when connecting */ CO_SRC_TPROXY_DYN = 0x0004,/* bind to a dynamically computed non-local address */ CO_SRC_TPROXY_MASK = 0x0007,/* bind to a non-local address when connecting */ CO_SRC_BIND= 0x0008,/* bind to a specific source address when connecting */ }; The low three bits store the configuration of usesrc, they should be copied to the backend proxy without modified. But they were clear in backend proxy actually. Then I put source configuration 'source 0.0.0.0 usesrc clientip' in backend section, the source function can work well. So in my opinion, the code curproxy->conn_src.opts = defproxy.conn_src.opts & ~CO_SRC_TPROXY_MASK; shoulde be modifed as below: curproxy->conn_src.opts = defproxy.conn_src.opts; Godbach, thanks for your analysis, you're perfectly right. I've looked at the code and before dev15, the bind options were set in the proxy's options, covered by PR_O_TPXY_MASK, and these bits were not cleared when creating a new backend from the default section. Since commit ef9a3605, we have dedicated options for this and indeed the bits are cleared. Please confirm the modification you suggest works (specifically binding to an explicit sources address such as "source 0.0.0.0 usesrc 1.2.3.4"), and if that's OK, please send a patch which I'll happily apply. You can reuse your analysis above as the commit message, it's perfectly clear! Best regards, Willy Hi, Willy I have tested the configuration you suggested with the following patch: diff --git a/src/cfgparse.c b/src/cfgparse.c index cc515a2..3514e83 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -1812,7 +1812,7 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) if (defproxy.conn_src.iface_name) curproxy->conn_src.iface_name = strdup(defproxy.conn_src.iface_name); curproxy->conn_src.iface_len = defproxy.conn_src.iface_len; - curproxy->conn_src.opts = defproxy.conn_src.opts & ~CO_SRC_TPROXY_MASK; + curproxy->conn_src.opts = defproxy.conn_src.opts; } if (curproxy->cap & PR_CAP_FE) { With explicit source address set, it still can not work well in default section, and can work well in backend section. Wiht 'usesrc client' configuration, it can work well both in default and backend section after applying the above patch. I will go on debugging this problem. Thanks, so maybe that was the reason for clearing the flags, which was still a stupid solution in my opinion :-/ I *believe* we don't keep the address in the default proxy, this is something to be confirmed anyway, as it would be possible that we simply don't copy it in fact. Best regards, Willy Hi, Willy Here is the patch to fix the bug of source function in attachment for your information. Commit log as below: Bugfix: copy conn_src.opts and conn_src.tproxy_addr from defproxy to backend proxy correctly Source function will not work with the following line in default section: source 0.0.0.0 usesrc clientip even that related settings by iptables and ip rule have been set correctly. But it can work well in backend setcion. The reason is that the operation in line 1815 in cfgparse.c as below: curproxy->conn_src.opts = defproxy.conn_src.opts & ~CO_SRC_TPROXY_MASK; clears three low bits of conn_src.opts which stores the configuration of 'use
Re: To detect when TCP connection goes down
Hi, Baptiste Hi, > > 1. you can use a client timeout (and a server timeout too) > > 2. You can use the "observe" feature for this purpose. Read the doc, > it points to a few other keyword which may help as well. > > Baptiste > > Thanks for your answer If a client ( socket ) tries to connect to HA Proxy and all backend servers are DOWN , neither connection error (checking layer 4) or timeout happens because HA Proxy returns an EOF (better explained, my underlaying networking software returns EOF ) OK , I can detect this case but I don't like it , because I don't know what is returning an EOF ( HA Proxy / backend server ) The real problem is when a backend server goes DOWN after client sent data Client ( socket ) doesn't receive a "Connection reset" because it is still connected to HA Proxy I guess the underlaying networking software discards an incomplete data and returns an EOF . So, in the worst option, I can check if client gets an EOF and , in this case, to retry the connection I just wonder if it would be possible to transfer the connection errors when happening in HA-Proxy <--->backend link, to client . For example, Connection reset by peer, Connect refused , etc. Thanks > On Mon, Apr 22, 2013 at 6:26 PM, Jose María Zaragoza > wrote: > > > > Hi: > > > > I've got basic questions about HA Proxy ( 1.4.22, 64 bit ) , running as > TCP > > proxy > > > > 1) My haproxy.cfg is like > > > > backend servers > > mode tcp > > balance roundrobin > > server machine1 machine1:4101 weight 50 check > > server machine2 machine2:4102 weight 50 check > > default-server slowstart 3000 > > > > > > When both of servers are DOWN , and a client opens a new connection, it > > never receives a 'Connection refused' . I guess that this client can > connect > > to haproxy, so that error doesn't happen > > > > How I can detect that all of servers are DOWN when a client (socket) > opens a > > connection ? > > > > > > 2) If both of servers are UP, and, suddenly, one of them goes DOWN , I > > would like a client ( TCP socket) who sent data by this connection, could > > know that response can contain corrupt data > > > > How I can detect that a current TCP connection went down ? > > So, I could to implement a retry > > > > > > Thanks and regards > > > > > > > > > > > > > > >
unsubscribe
unsubscribe