HAProxy 2.0 "stick on src table mypeers/mytable" does not result in peers binding to socket address

2019-08-30 Thread Bruno Henc
Greetings,

Using "stick on src table mypeers/stickysrc" in a backend results in HAProxy 
deciding not to bind to the appropriate peers address for the local host (i.e. 
HAProxy thinks there are no stick tables in use). However, using an http-request 
track-sc0 line will result in HAProxy listening on the peers address. Also, 
defining the stick table in the backend itself or in a dummy backend works.

The configuration below illustrates the issue:

    peers mypeers
        bind 159.65.21.107:1024
        #peer hpx01 159.65.21.142:1024
        #peer hpx02 159.65.21.107:1024
        server hpx01 159.65.21.142:1024
        server hpx02
        table src_tracking type string size 10m store http_req_rate(10s),http_req_cnt
        table stickysrc type ip size 1m expire 1h store gpc0

    listen ft_main
        mode http
        bind *:80
        stick on src table mypeers/stickysrc #peers mypeers #DOES NOT WORK
        #stick-table type ip size 1m expire 1h store gpc0 peers mypeers
        #stick on src #WORKS
        #stick on src track_src #WORKS
        #http-request track-sc0 src table mypeers/src_tracking #WORKS
        #http-request track-sc0 src table mypeers/stickysrc #WORKS
        server local 127.0.0.1:81 check

    #backend track_src
    #    stick-table type ip size 1m expire 1h store gpc0 peers mypeers

The issue affects both the old (peers) and the new (server/bind) peers section 
syntax. It only appears when the only stick tables are those defined in the 
peers section - defining a dummy backend results in HAProxy binding to the 
peers socket address.

Limited testing shows that the mypeers/stickysrc table isn't being populated on 
new connections either.

Issue reported by duggles on freenode.
The new syntax was introduced in 
https://github.com/haproxy/haproxy/commit/1b8e68e89a

Regards,

Bruno Henc

Re: HA-Proxy version 1.8.13 2018/07/30.

2019-08-30 Thread GARDAIS Ionel
Hi Leonardo, 

What are you trying to achieve? 
What is your current setup? 

-- 
Ionel GARDAIS 
Tech'Advantage CIO - IT Team manager 


From: "BISSOLI Leonardo"  
To: "haproxy"  
Sent: Friday 30 August 2019 17:05:57 
Subject: HA-Proxy version 1.8.13 2018/07/30. 

--

232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON

Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301



HA-Proxy version 1.8.13 2018/07/30.

2019-08-30 Thread BISSOLI Leonardo
Hi All.

My name is Leonardo Bissoli and we're working on a project that uses HAProxy.

We can successfully deploy 2 Load Balance Servers with 2 Web Servers; the only 
issue we're facing is that when we reboot the Load Balance Server the page 
can't be reached anymore, but there is no error in HAProxy.

Do you have any clue where I can start searching? I've tried forums, the manual 
etc. but we couldn't yet find the reason it stops working after the reboot.

If we reboot the Web Servers there is no issue, everything goes back to working 
as usual. The problem only occurs when we reboot the LB Servers.

Using curl is working as well:

    curl http://localhost:7025/helloworld/hi.jsp

    JSP Test
    Hello, World. This is from Web Server 02
    Fri Aug 30 14:57:52 UTC 2019

    curl http://localhost:7025/helloworld/hi.jsp

    JSP Test
    Hello, World. This is from Web Server 01
    Fri Aug 30 14:57:57 UTC 2019
Thank you.


Best Regards,

Leonardo Bissoli
QUMAS SW Dev & Cloud






Office: +353 2 1491 5106
leonardo.biss...@3ds.com


3DS.COM/ENOVIA


Dassault Systemes Limited | Phoenix House | Monahan Rd | Cork | Ireland



Setting retry-on causes segmentation fault with TCP backends

2019-08-30 Thread Louis Chanouha
Hello,

I upgraded to HAProxy 2.0.5 (from 1.9) and found an issue when I tried to add 
the retry-on option. The TCP backend seems to answer one or two requests and 
then crashes HAProxy:

My simplified conf:

defaults
   [...]
   retries 3
   option abortonclose
   http-reuse  safe
   retry-on conn-failure 0rtt-rejected 503

listen SMTPS2_PROD
   bind    0.0.0.0:587
   mode    tcp
   balance roundrobin

   server  s1 1.1.1.1:586
   server  s2 1.1.1.2:586

I get in logs:

Aug 30 14:48:49 s1 haproxy[3071]: [ALERT] 241/144849 (3071) : Current worker #1 
(3072) exited with code 139 (Segmentation fault)

With the option, I get:

openssl s_client -connect server:587 -starttls smtp
CONNECTED(0003)
Didn't find STARTTLS in server response, trying anyway...
write:errno=32
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 23 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

So few requests succeed.

Without the option, the server is stable:

openssl s_client -connect server:587 -starttls smtp
CONNECTED(0003)
[...]
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3843 bytes and written 483 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: yyy
    Session-ID-ctx: 
    Master-Key: 5xxx
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1567167549
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes

Louis

--

Louis Chanouha | Infrastructures informatiques
Service Numérique de l'Université de Toulouse
Université Fédérale Toulouse Midi-Pyrénées
Maison de la Recherche et de la Valorisation - MRV
118 route de Narbonne - 31062 Toulouse Cedex 09
Tél. : +33 5 61 10 80 45 /poste int. : 12 80 45
louis.chano...@univ-toulouse.fr
Facebook | Twitter | www.univ-toulouse.fr

Haproxy timeouts and returns NULL as response

2019-08-30 Thread Santhosh Kumar
Hi,

We have a client-haproxy-server setup like this: https://imgur.com/bxV3BA9. 
We use the Apache and Jetty HTTP clients for HTTP/1.1 and HTTP/2 requests 
respectively. Our HTTP requests take from 2 secs to 10 mins to process, 
depending on the request type. Some of the requests return null as the 
response (whereas the request is received and processed successfully by the 
server, which I can verify via the server logs), which triggers 
org.apache.http.MalformedChunkCodingException: Unexpected content at the end 
of chunk on the client side. This problem happens with HTTP/1.1 requests for a 
specific type of request. I tried tweaking timeouts to fix this but it doesn't 
help me, and the timeout does not have a pattern: each request timeout has a 
different value, like 5 secs, 12 secs, 27 secs or even 45 secs. This error 
disappears if I remove haproxy and connect directly to the server. My config 
file is as follows:

    global
        log 127.0.0.1 local2
        chroot /var/lib/haproxy
        user haproxy
        group haproxy
        daemon

        tune.ssl.cachesize 20
        ssl-dh-param-file /etc/haproxy/dhparam.pem

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Obtained from https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

        ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11

    defaults
        log global
        maxconn 2000
        mode http
        option dontlognull
        option httplog
        timeout connect 5000

    frontend https
        timeout client 10m
        timeout http-keep-alive 10m
        timeout http-request 10m

        # add X-FORWARDED-FOR & X-CLIENT-IP (IP forwarding to access logs)
        #http-request add-header X-CLIENT-IP %[src]
        option forwardfor

        bind *:6060 ssl crt /etc/haproxy/sample-key.pem alpn h2,http/1.1
        default_backend desired_backend

    backend desired_backend
        timeout server 10m
        fullconn 2000
        server http1.1 localhost:5050 check

It will be great if someone can shed some light on it. TIA

-- 
With Regards,
Santhosh Kumar J
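
The client error quoted in the post above, "Unexpected content at the end of chunk", is the Apache HTTP client's strict chunked-transfer decoder refusing a body whose chunk framing does not line up: after the declared number of data bytes it expects CRLF and finds something else, which is what a proxy that closed or miscounted mid-transfer looks like from the client. The decoder below is an added example (not code from the thread, from HAProxy or from the Apache client) that reproduces that check in Python and distinguishes the malformed-framing case from a simply truncated stream. The sample bodies are constructed for the example.

```python
"""Strict decoder for HTTP/1.1 chunked transfer encoding.

Added example, not from the thread: it shows what a client-side
"Unexpected content at the end of chunk" failure means at the byte
level, and separates it from a stream that was merely cut short.
The sample bodies at the bottom are constructed for this example.
"""
import re

# A chunk-size field is plain hex; no sign, no whitespace, no underscores
# (int(x, 16) alone would accept all three, which is too lenient for a
# parser that sits on a security boundary).
_HEX_SIZE = re.compile(rb"[0-9A-Fa-f]{1,16}")


class MalformedChunk(ValueError):
    """Chunk framing is wrong (bad size line, missing CRLF after data, ...)."""


class TruncatedBody(ValueError):
    """Stream ended before the terminating zero-length chunk."""


def decode_chunked(data: bytes) -> bytes:
    """Decode a complete chunked body; raise on any framing violation.

    Accepted grammar: hex-size [;extensions] CRLF, exactly <size> bytes,
    CRLF, repeated until a 0-size chunk, then optional trailer lines and
    one empty line. Anything else raises instead of resynchronising,
    because a lenient decoder is how desync bugs stay hidden.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol == -1:
            raise TruncatedBody("missing chunk-size line")
        size_line = data[pos:eol]
        size_field = size_line.split(b";", 1)[0].strip()
        if not _HEX_SIZE.fullmatch(size_field):
            raise MalformedChunk(f"bad chunk size {size_line!r}")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            # Trailer section: zero or more header lines, then an empty line.
            while True:
                eol = data.find(b"\r\n", pos)
                if eol == -1:
                    raise TruncatedBody("missing final CRLF")
                line = data[pos:eol]
                pos = eol + 2
                if line == b"":
                    break
            if pos != len(data):
                raise MalformedChunk("data after last chunk")
            return bytes(out)
        if len(data) - pos < size + 2:
            raise TruncatedBody(f"chunk of {size} bytes cut short")
        out += data[pos:pos + size]
        pos += size
        # The check the Apache client tripped on: the two bytes following
        # the chunk data must be CRLF. Anything else means the sender
        # miscounted or extra bytes were injected into the stream.
        if data[pos:pos + 2] != b"\r\n":
            raise MalformedChunk(
                f"unexpected content at end of chunk: {data[pos:pos + 2]!r}")
        pos += 2


def classify(data: bytes) -> str:
    """Return 'ok', 'malformed' or 'truncated' for a captured body."""
    try:
        decode_chunked(data)
        return "ok"
    except MalformedChunk:
        return "malformed"
    except TruncatedBody:
        return "truncated"


# Constructed sample bodies (not captured from the poster's setup).
GOOD = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
# Chunk declares 5 bytes but carries 6, so the CRLF check lands on b"!\r".
BAD_LENGTH = b"5\r\nhello!\r\n0\r\n\r\n"
# Connection closed mid-chunk, e.g. by a proxy-side timeout.
CUT_SHORT = b"5\r\nhello\r\n6\r\n wor"

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD_LENGTH", BAD_LENGTH),
                       ("CUT_SHORT", CUT_SHORT)):
        print(f"{name}: {classify(body)}")
```

When debugging a setup like the one in the post, capturing the raw bytes between HAProxy and the client and feeding them to a decoder this strict tells you whether the proxy delivered a well-formed body that was cut off (timeout on one of the hops) or actually forwarded mis-framed data, which narrows the search considerably.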


does anybody knows something about https://gitlab.com/haproxy ?

2019-08-30 Thread Илья Шипицин