Check if backup server is active

2020-04-08 Thread Aleksandar Lazic

Hi.

I try to automatically use the backend server when the primary server is not 
available.

The following snippet is my solution with haproxy (2.1.3-3ppa1~bionic).
Is there a better solution or is this an okay solution from HAProxy point of view?

```
backend be_static
  log global
  option httpchk GET {{ http_checks["static_http"]}} HTTP/1.1\r\nHost:\ {{ hosts["static_http"]}}

  # check if the primary server is up
  acl use_prim srv_is_up(static_prim)
  http-request set-header Host {{ hosts["static_http"] }} if use_prim

  http-request set-header Host {{ hosts["static_storage"] }} if ! use_prim
  http-request set-path /v1/AUTH_OBJ-URL/Static%[path] if ! use_prim

  server static_prim {{ hosts["static_http"] }}:443 resolvers mydns ssl check check-ssl check-sni {{ hosts["static_http"] }} sni str({{ hosts["static_http"] }}) ca-file /etc/haproxy/letsencryptauthorityx3.pem
  server static_stor {{ hosts["static_storage"] }}:443 resolvers mydns ssl check check-ssl check-sni {{ hosts["static_storage"] }} sni str({{ hosts["static_storage"] }}) ca-file /etc/haproxy/Sectigo_RSA_Domain_Validation_Secure_Server_CA.pem backup
```

Best regards

Aleks



Re: Crazy anomaly!

2020-04-08 Thread Aleksandar Lazic

Hi Nicolas.

On 08.04.20 20:34, Nicolas Pujol wrote:

> Hi,
>
> I installed haproxy and two test servers with the basic configuration of nginx 
> + listening on port 443. The HAProxy server provides the Let's encrypt SSL 
> certificates.
>
> When I consult the 2 sites in HTTP, I have no problem.
>
> With HTTPS it works *_sometimes_*. Mostly from smartphone but not from computers 
> (it depends...)!
>
> So when I try to understand:
> #haproxy -d -f /etc/haproxy/haproxy.cfg

Please can you tell us which haproxy version you use and what the config is.

haproxy -vv
cat /etc/haproxy/haproxy.cfg

> When the browser displays the page, I have only one line on the logs:
>
> :https_bind.accept(0008)=000b from [ip_fom_home:41009] ALPN=
>
> When that doesn't work, mostly from a computer but sometimes from smartphone 
> even if the browser displayed the page some seconds before I had always 10 
> accept lines:
>
> 001e:https_bind.accept(0008)=000f from [ip_from_home:41133] ALPN=
> 001e:https_bind.clicls[000f:]
> 001e:https_bind.closed[000f:]
> 001f:https_bind.accept(0008)=000f from [ip_from_home:41135] ALPN=
> 001f:https_bind.clicls[000f:]
> 001f:https_bind.closed[000f:]
> 0020:https_bind.accept(0008)=000f from [ip_from_home:41137] ALPN=
> 0020:https_bind.clicls[000f:]
> 0020:https_bind.closed[000f:]
> 0021:https_bind.accept(0008)=000f from [ip_from_home:41139] ALPN=
> 0021:https_bind.clicls[000f:]
> 0021:https_bind.closed[000f:]
> 0022:https_bind.accept(0008)=000f from [ip_from_home:41141] ALPN=
> 0022:https_bind.clicls[000f:]
> 0022:https_bind.closed[000f:]
> 0023:https_bind.accept(0008)=000f from [ip_from_home:41143] ALPN=
> 0023:https_bind.clicls[000f:]
> 0023:https_bind.closed[000f:]
> 0024:https_bind.accept(0008)=000f from [ip_from_home:41145] ALPN=
> 0024:https_bind.clicls[000f:]
> 0024:https_bind.closed[000f:]
> 0025:https_bind.accept(0008)=000f from [ip_from_home:41147] ALPN=
> 0025:https_bind.clicls[000f:]
> 0025:https_bind.closed[000f:]
> 0026:https_bind.accept(0008)=000f from [ip_from_home:41149] ALPN=
> 0026:https_bind.clicls[000f:]
> 0026:https_bind.closed[000f:]
> 0027:https_bind.accept(0008)=000f from [ip_from_home:41151] ALPN=
> 0027:https_bind.clicls[000f:]
> 0027:https_bind.closed[000f:]
>
> Do you know where the problem comes from? I don't understand why that works but 
> not every time.
>
> When that doesn't work, I restart haproxy and that works again or I refresh 
> the browser page around 15 times and the page is displayed again!
>
> Thanks
>
> Nicolas





Crazy anomaly!

2020-04-08 Thread Nicolas Pujol
Hi,

I installed haproxy and two test servers with the basic configuration of
nginx + listening on port 443. The HAProxy server provides the Let's
encrypt SSL certificates.

When I consult the 2 sites in HTTP, I have no problem.

With HTTPS it works *sometimes*. Mostly from smartphone but not from
computers (it depends...)!

So when I try to understand:
#haproxy -d -f /etc/haproxy/haproxy.cfg

When the browser displays the page, I have only one line on the logs:

:https_bind.accept(0008)=000b from [ip_fom_home:41009] ALPN=


When that doesn't work, mostly from a computer but sometimes from
smartphone even if the browser displayed the page some seconds before I had
always 10 accept lines:

001e:https_bind.accept(0008)=000f from [ip_from_home:41133] ALPN=
001e:https_bind.clicls[000f:]
001e:https_bind.closed[000f:]
001f:https_bind.accept(0008)=000f from [ip_from_home:41135] ALPN=
001f:https_bind.clicls[000f:]
001f:https_bind.closed[000f:]
0020:https_bind.accept(0008)=000f from [ip_from_home:41137] ALPN=
0020:https_bind.clicls[000f:]
0020:https_bind.closed[000f:]
0021:https_bind.accept(0008)=000f from [ip_from_home:41139] ALPN=
0021:https_bind.clicls[000f:]
0021:https_bind.closed[000f:]
0022:https_bind.accept(0008)=000f from [ip_from_home:41141] ALPN=
0022:https_bind.clicls[000f:]
0022:https_bind.closed[000f:]
0023:https_bind.accept(0008)=000f from [ip_from_home:41143] ALPN=
0023:https_bind.clicls[000f:]
0023:https_bind.closed[000f:]
0024:https_bind.accept(0008)=000f from [ip_from_home:41145] ALPN=
0024:https_bind.clicls[000f:]
0024:https_bind.closed[000f:]
0025:https_bind.accept(0008)=000f from [ip_from_home:41147] ALPN=
0025:https_bind.clicls[000f:]
0025:https_bind.closed[000f:]
0026:https_bind.accept(0008)=000f from [ip_from_home:41149] ALPN=
0026:https_bind.clicls[000f:]
0026:https_bind.closed[000f:]
0027:https_bind.accept(0008)=000f from [ip_from_home:41151] ALPN=
0027:https_bind.clicls[000f:]
0027:https_bind.closed[000f:]


Do you know where the problem comes from? I don't understand why that works
but not every time.

When that doesn't work, I restart haproxy and that works again or I
refresh the browser page around 15 times and the page is displayed again!

Thanks

Nicolas


Re: List of ports opened for Listening by HAProxy

2020-04-08 Thread Lukas Tribus
Hello,

On Wed, 8 Apr 2020 at 13:59, kkazmierc...@wp.pl  wrote:
>
> Hello,
> We need to know which ports on the server need to be reopened in order to 
> appropriate work of HAProxy.

Haproxy does not listen to any ports by default. It listens only to
those ports that you configured haproxy to listen on.

Some packages may provide a default configuration, with a bind
statement. In that case, read the configuration, consult the package
documentation or contact the maintainer.


Lukas
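
An added example, not part of Lukas's reply or of HAProxy itself: a small Python parser that lists what a configuration asks HAProxy to listen on, reading the `bind` and `stats socket` lines named in the question. The sample configuration is constructed, and the parser covers only the common address forms (`host:port`, port ranges, the `ipv4@`/`ipv6@`/`unix@` prefixes and absolute socket paths).

```python
# Constructed sample configuration (not taken from the thread).
SAMPLE_CFG = """\
global
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats socket ipv4@127.0.0.1:9999 level admin

frontend fe_web
    bind *:80
    bind :443,[::]:8443 ssl crt /etc/haproxy/site.pem
    bind 10.0.0.5:8000-8002

listen stats_page
    bind 127.0.0.1:8404   # local only
    stats enable
"""

# Keywords that open a new configuration section.
SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen",
                    "peers", "resolvers", "userlist", "mailers", "fcgi-app"}


def parse_endpoint(spec):
    """Split one listening address into (kind, address, first_port, last_port)."""
    if spec.startswith("unix@"):
        return ("unix", spec[len("unix@"):], None, None)
    for prefix in ("ipv4@", "ipv6@"):
        if spec.startswith(prefix):
            spec = spec[len(prefix):]
    if spec.startswith("/"):
        return ("unix", spec, None, None)
    # The port (or port range) follows the last colon, so "[::]:8443" works too.
    host, _, ports = spec.rpartition(":")
    first, _, last = ports.partition("-")
    return ("tcp", host or "*", int(first), int(last or first))


def listening_endpoints(cfg_text):
    """Return (section, kind, address, first_port, last_port) per listener."""
    endpoints, section = [], "(none)"
    for raw in cfg_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, tokenise
        if not tokens:
            continue
        if tokens[0] in SECTION_KEYWORDS:
            section = " ".join(tokens[:2])
            continue
        specs = []
        if tokens[0] == "bind" and len(tokens) > 1:
            specs = tokens[1].split(",")          # one bind line, several addresses
        elif tokens[:2] == ["stats", "socket"] and len(tokens) > 2:
            specs = [tokens[2]]
        for spec in specs:
            endpoints.append((section,) + parse_endpoint(spec))
    return endpoints


def tcp_ports(endpoints):
    """Expand port ranges into the sorted list of TCP ports a firewall must allow."""
    ports = set()
    for _section, kind, _addr, first, last in endpoints:
        if kind == "tcp":
            ports.update(range(first, last + 1))
    return sorted(ports)


def unix_sockets(endpoints):
    """Filesystem sockets; these need file permissions, not firewall rules."""
    return [addr for _s, kind, addr, _f, _l in endpoints if kind == "unix"]


if __name__ == "__main__":
    eps = listening_endpoints(SAMPLE_CFG)
    for ep in eps:
        print(ep)
    print("TCP ports:", tcp_ports(eps))
    print("UNIX sockets:", unix_sockets(eps))
```

The bind address matters as much as the port: a listener on `127.0.0.1` needs no inbound firewall rule, while `*` or `[::]` is reachable on every interface.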



List of ports opened for Listening by HAProxy

2020-04-08 Thread kkazmierczyk
Hello,

We need to know which ports on the server need to be reopened in order 
to appropriate work of HAProxy. Based on www.haproxy.com I 
see bind property and stats socket property which determine on which ports the 
server is listening to. Are there any other ports on which HAProxy is listening?


RE: [RFC] BUG/MEDIUM: Checks: support for HTTP health checks with POST and data corrupted by extra connection close

2020-04-08 Thread Kiran Gavali
Hi Christopher And Willy,

Please review the RT test results.

Thanks,
Kiran Gavali

-Original Message-
From: Kiran Gavali
Sent: Monday, March 30, 2020 6:59 PM
To: Christopher Faulet ; Willy Tarreau 
Cc: haproxy@formilux.org; Shivharsh Singh ; 
Priya Ranjan ; Ramanpreet Singh Bakshi 
; Kiran Gavali 
Subject: RE: [RFC] BUG/MEDIUM: Checks: support for HTTP health checks with POST 
and data corrupted by extra connection close

Thank you Christopher for providing HAProxy reg-test suite !

>About the regression tests, we use varnishtest 
>(https://github.com/vtest/VTest).
>All our tests are placed in the "reg-tests" subdirectory. Here is a 
>documentation to write VTC tests:
>https://varnish-cache.org/docs/trunk/reference/vtc.html.

>To run tests, you may use the script "scripts/run-regtests.sh" or the "make 
>reg-tests" command.

We have executed the regression tests using varnishtest 
(https://github.com/vtest/VTest).
Please find the attached HAProxy regression test result; no test case 
failed, all tests passed.

## Starting vtest ## Testing 
with haproxy version: 2.2-dev4-0576db-97
0 tests failed, 0 tests skipped, 62 tests passed

Please confirm the RT execution and let us know if any further work is needed to 
resolve this bug.

Thanks,
Kiran Gavali

-Original Message-
From: Christopher Faulet [mailto:cfau...@haproxy.com]
Sent: Thursday, March 26, 2020 2:15 PM
To: Kiran Gavali ; Willy Tarreau 
Cc: haproxy@formilux.org; Shivharsh Singh ; 
Priya Ranjan ; Ramanpreet Singh Bakshi 

Subject: Re: [RFC] BUG/MEDIUM: Checks: support for HTTP health checks with POST 
and data corrupted by extra connection close

On 26/03/2020 at 09:24, Kiran Gavali wrote:
> Thank you Christopher and Willy for your responses !
>
> We have discussed the resolution for the issue on GitHub at following
> link: https://github.com/haproxy/haproxy/issues/16
> However to further explain the patch fix, we have introduced new options, 
> "header" and "body" in http-check directive. Based on the content for these 
> options configured in haproxy.cfg and if expect option is also configured for 
> http-check, the header is added to a buffer followed by the "Connection: 
> close" string which is further followed by the body.
> For cases, when either header or body or both is not configured in 
> haproxy.cfg, we have used default values to create the data packet in the 
> buffer.
> We would definitely update the documentation once the patch is finalized and 
> therefore shared it with RFC tag.
Ah, ok. I understand now. I missed the RFC tag in the email subject, sorry :)

>
> To answer your  query on reg-test, We have performed regression testing of 
> the patch using the RT suite available at our end. We can share with you the 
> test report, if required. However, if there is any community RT suite that 
> you would like us to follow, please do let me know.
>

About the regression tests, we use varnishtest (https://github.com/vtest/VTest).
All our tests are placed in the "reg-tests" subdirectory. Here is a 
documentation to write VTC tests:
https://varnish-cache.org/docs/trunk/reference/vtc.html.

To run tests, you may use the script "scripts/run-regtests.sh" or the "make 
reg-tests" command.

> As far as the relevance of this patch is concerned, considering the
> planned http-check refactoring at your end, we were already aware that
> the patch might not be merged due to the  fact that the check system
> is currently being reworked to support muxes for HTTP/1 and HTTP/2 so
> that there are better checks in 2.2
>

As Willy said, having a solution for current versions is also important. But the 
syntax must be compatible with the next one. This part must be discussed first.

--
Christopher Faulet

[root@haproxy haproxy]# sh scripts/run-regtests.sh

## Preparing to run tests ##
Testing with haproxy version: 2.2-dev4-0576db-97
Target : linux-glibc
Options : +EPOLL -KQUEUE +NETFILTER +PCRE +PCRE_JIT -PCRE2 -PCRE2_JIT +POLL 
-PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 
+TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL 
+LUA +FUTEX +ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS 

Re: [*EXT*] Re: 503 SC with fcgi

2020-04-08 Thread Aleksandar Lazic

On 08.04.20 09:46, Ionel GARDAIS wrote:

> Oh my !
> This is a chroot issue.
>
> haproxy is running in chroot but the fpm socket is outside.
> When placing the socket inside the jail, it works with the socket.
>
> Is the performance difference between IP and socket worth the trouble ?

I'm sure there are some but I use it not because of performance.


Regards
Aleks
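
The chroot failure described in this message, as an added example that is not from the thread or from the HAProxy project: HAProxy connects to its servers after it has chrooted, so a UNIX socket address on a `server` line is resolved inside the jail. The check below reports the host path at which the socket must exist; the chroot directory `/var/lib/haproxy` and the exact `server` lines are constructed, while the socket path, backend name and TCP listener follow the thread.

```python
import os
import posixpath
import stat

# Constructed sample: names and the socket path follow the thread; the chroot
# directory is an assumption, the thread never states it.
SAMPLE_CFG = """\
global
    chroot /var/lib/haproxy
    user haproxy
    group haproxy

backend bck-speed-fpm
    use-fcgi-app fcgi-app
    server fpm /run/php/speedtest-fpm.sock proto fcgi
    server fpm-tcp 127.0.0.1:29001 proto fcgi
"""

# Keywords that open a new configuration section.
SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen",
                    "peers", "resolvers", "userlist", "mailers", "fcgi-app"}


def is_socket_on_disk(path):
    """Default probe: True only if path exists and is a UNIX socket."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False


def check_unix_servers(cfg_text, is_socket=is_socket_on_disk):
    """Report, for every UNIX-socket server, where the chrooted process looks.

    is_socket is injectable so the check can run against a fake filesystem.
    """
    chroot_dir, section, servers = None, ["", ""], []
    for raw in cfg_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, tokenise
        if not tokens:
            continue
        if tokens[0] in SECTION_KEYWORDS:
            section = (tokens + [""])[:2]
        elif section[0] == "global" and tokens[0] == "chroot" and len(tokens) > 1:
            chroot_dir = tokens[1]
        elif (section[0] in ("backend", "listen") and tokens[0] == "server"
              and len(tokens) > 2):
            addr = tokens[2]
            if addr.startswith("unix@"):
                addr = addr[len("unix@"):]
            if addr.startswith("/"):            # TCP servers are not affected
                servers.append((section[1], tokens[1], addr))

    findings = []
    for backend, name, path in servers:
        # After chroot(), "/run/php/x.sock" means "<chroot>/run/php/x.sock".
        host_path = (posixpath.normpath(chroot_dir + "/" + path)
                     if chroot_dir else path)
        findings.append({
            "backend": backend,
            "server": name,
            "configured": path,
            "host_path": host_path,
            "reachable": is_socket(host_path),
        })
    return findings


if __name__ == "__main__":
    for f in check_unix_servers(SAMPLE_CFG):
        state = "ok" if f["reachable"] else "MISSING inside chroot"
        print(f'{f["backend"]}/{f["server"]}: {f["configured"]} '
              f'-> {f["host_path"]} [{state}]')
```

Keeping the chroot and pointing php-fpm's `listen` at a path under the jail preserves the isolation; dropping `chroot` to make the socket visible does not.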



Re: [*EXT*] Re: 503 SC with fcgi

2020-04-08 Thread Ionel GARDAIS
Oh my !
This is a chroot issue.

haproxy is running in chroot but the fpm socket is outside.
When placing the socket inside the jail, it works with the socket.

Is the performance difference between IP and socket worth the trouble ?

-- 
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

- Original Message -
From: "Aleksandar Lazic" 
To: "Ionel GARDAIS" 
Cc: "haproxy" 
Sent: Wednesday, 8 April 2020 09:08:59
Subject: Re: [*EXT*] Re: 503 SC with fcgi

On 08.04.20 08:52, Ionel GARDAIS wrote:
> It works with 127.0.0.1:29001 (the listener I configured for this pool)

That's an important successful test.
I personally prefer the tcp way to avoid such problems.

> About the socket :
> - it lives in /run/php with
> $ ls -alF /run/php/speedtest-fpm.sock
> srw-rw 1 www-data www-data 0 Apr  7 21:11 /run/php/speedtest.sock=
> 
> - /run/php is owned by www-data:www-data with 755 perms
> $ ls -alF /run/ | grep php
> drwxr-xr-x  2 www-datawww-data 180 Apr  7 21:11 php/
> 
> - haproxy user is member of www-data group
> $ groups haproxy
> haproxy : haproxy www-data

Please can you share the config of your haproxy.


> Debug logs are silent about any permission problem :
> 
> $ egrep -i "(cgi|fpm|sock|perm)" /var/log/haproxy.log
> Apr  8 08:42:36 ns3089939 haproxy[1151]: #011[FCGI] fcgi-app
> Apr  8 08:42:36 ns3089939 haproxy[1151]: [WARNING] 098/084236 (1151) : Failed 
> to connect to the old process socket '/run/haproxy/admin.sock'
> Apr  8 08:42:36 ns3089939 haproxy[1151]: [ALERT] 098/084236 (1151) : Failed 
> to get the sockets from the old process!

Are you running haproxy with chroot set up?
Can you try to run the following.

Stop haproxy.
strace -tTfveall -a1024 -s1024 -o haproxy-trace.txt haproxy -f 
 -d
Make a request and stop then haproxy.
Compress haproxy-trace.txt and share here.

> Apr  8 08:42:36 ns3089939 haproxy[1151]: Proxy bck-speed-fpm started.
> Apr  8 08:43:00 ns3089939 haproxy[1152]: 
> 2a01:cb00:663:fd00:20b5:6759:d972:be50:63090 [08/Apr/2020:08:43:00.648] 
> ft-secure~ bck-speed-fpm/fpm 0/0/-1/-1/0 503 9965 - - SC-- 2/1/0/0/3 0/0 "GET 
> /backend/getIP.php?isp=true=km=0.7819314534908071 HTTP/1.1"
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:bck-speed-fpm.clicls[0026:0025]
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:bck-speed-fpm.closed[0026:0025]
> Apr  8 08:43:00 ns3089939 haproxy[1152]: 
> 2a01:cb00:663:fd00:20b5:6759:d972:be50:63091 [08/Apr/2020:08:43:00.896] 
> ft-secure~ bck-speed-fpm/fpm 0/0/-1/-1/0 503 9965 - - SC-- 2/1/0/0/3 0/0 "GET 
> /backend/empty.php?r=0.7112678877934051 HTTP/1.1"
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0015:bck-speed-fpm.clicls[0025:0026]
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0015:bck-speed-fpm.closed[0025:0026]
> Apr  8 08:43:01 ns3089939 haproxy[1152]: 
> 2a01:cb00:663:fd00:20b5:6759:d972:be50:63092 [08/Apr/2020:08:43:01.724] 
> ft-secure~ bck-speed-fpm/fpm 0/0/-1/-1/0 503 9965 - - SC-- 2/1/0/0/3 0/0 "GET 
> /backend/empty.php?r=0.9895406737322412 HTTP/1.1"
> Apr  8 08:43:01 ns3089939 haproxy[1151]: 
> 0016:bck-speed-fpm.clicls[0025:0026]
> Apr  8 08:43:01 ns3089939 haproxy[1151]: 
> 0016:bck-speed-fpm.closed[0025:0026]
> Apr  8 08:43:02 ns3089939 haproxy[1152]: 
> 2a01:cb00:663:fd00:20b5:6759:d972:be50:63093 [08/Apr/2020:08:43:02.041] 
> ft-secure~ bck-speed-fpm/fpm 0/0/-1/-1/0 503 9965 - - SC-- 2/1/0/0/3 0/0 "GET 
> /backend/empty.php?r=0.7692377905794734 HTTP/1.1"
> Apr  8 08:43:02 ns3089939 haproxy[1151]: 
> 0017:bck-speed-fpm.clicls[0025:0027]
> Apr  8 08:43:02 ns3089939 haproxy[1151]: 
> 0017:bck-speed-fpm.closed[0025:0027]
> 
> 
> One calling sequence is :
> 
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 0014:ft-secure.accept(000b)=0026 
> from [2a01:cb00:663:fd00:20b5:6759:d972:be50:63090] ALPN=
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:ft-secure.clireq[0026:]: GET 
> /backend/getIP.php?isp=true=km=0.7819314534908071 HTTP/1.1
> Apr  8 08:43:00 ns3089939 haproxy[1152]: 
> 2a01:cb00:663:fd00:20b5:6759:d972:be50:63090 [08/Apr/2020:08:43:00.648] 
> ft-secure~ bck-speed-fpm/fpm 0/0/-1/-1/0 503 9965 - - SC-- 2/1/0/0/3 0/0 "GET 
> /backend/getIP.php?isp=true=km=0.7819314534908071 HTTP/1.1"
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:ft-secure.clihdr[0026:]: host: server
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:ft-secure.clihdr[0026:]: accept-encoding: gzip, deflate
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:ft-secure.clihdr[0026:]: cookie: 
> NG_TRANSLATE_LANG_KEY=%22fr%22
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:ft-secure.clihdr[0026:]: accept: */*
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:ft-secure.clihdr[0026:]: user-agent: Mozilla/5.0 (Macintosh; 
> Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) 
> Version/11.1.2 Safari/605.1.15
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:ft-secure.clihdr[0026:]: accept-language: fr-fr
> Apr  

Re: [*EXT*] Re: 503 SC with fcgi

2020-04-08 Thread Aleksandar Lazic

On 08.04.20 08:52, Ionel GARDAIS wrote:

> It works with 127.0.0.1:29001 (the listener I configured for this pool)

That's an important successful test.
I personally prefer the tcp way to avoid such problems.

> About the socket :
> - it lives in /run/php with
> $ ls -alF /run/php/speedtest-fpm.sock
> srw-rw 1 www-data www-data 0 Apr  7 21:11 /run/php/speedtest.sock=
>
> - /run/php is owned by www-data:www-data with 755 perms
> $ ls -alF /run/ | grep php
> drwxr-xr-x  2 www-datawww-data 180 Apr  7 21:11 php/
>
> - haproxy user is member of www-data group
> $ groups haproxy
> haproxy : haproxy www-data

Please can you share the config of your haproxy.

> Debug logs are silent about any permission problem :
>
> $ egrep -i "(cgi|fpm|sock|perm)" /var/log/haproxy.log
> Apr  8 08:42:36 ns3089939 haproxy[1151]: #011[FCGI] fcgi-app
> Apr  8 08:42:36 ns3089939 haproxy[1151]: [WARNING] 098/084236 (1151) : Failed 
> to connect to the old process socket '/run/haproxy/admin.sock'
> Apr  8 08:42:36 ns3089939 haproxy[1151]: [ALERT] 098/084236 (1151) : Failed to 
> get the sockets from the old process!

Are you running haproxy with chroot set up?
Can you try to run the following.

Stop haproxy.
strace -tTfveall -a1024 -s1024 -o haproxy-trace.txt haproxy -f 
 -d
Make a request and stop then haproxy.
Compress haproxy-trace.txt and share here.

> Apr  8 08:42:36 ns3089939 haproxy[1151]: Proxy bck-speed-fpm started.
> Apr  8 08:43:00 ns3089939 haproxy[1152]: 2a01:cb00:663:fd00:20b5:6759:d972:be50:63090 
> [08/Apr/2020:08:43:00.648] ft-secure~ bck-speed-fpm/fpm 0/0/-1/-1/0 503 9965 - - SC-- 2/1/0/0/3 
> 0/0 "GET /backend/getIP.php?isp=true=km=0.7819314534908071 HTTP/1.1"
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:bck-speed-fpm.clicls[0026:0025]
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:bck-speed-fpm.closed[0026:0025]
> Apr  8 08:43:00 ns3089939 haproxy[1152]: 2a01:cb00:663:fd00:20b5:6759:d972:be50:63091 
> [08/Apr/2020:08:43:00.896] ft-secure~ bck-speed-fpm/fpm 0/0/-1/-1/0 503 9965 - - SC-- 
> 2/1/0/0/3 0/0 "GET /backend/empty.php?r=0.7112678877934051 HTTP/1.1"
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0015:bck-speed-fpm.clicls[0025:0026]
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0015:bck-speed-fpm.closed[0025:0026]
> Apr  8 08:43:01 ns3089939 haproxy[1152]: 2a01:cb00:663:fd00:20b5:6759:d972:be50:63092 
> [08/Apr/2020:08:43:01.724] ft-secure~ bck-speed-fpm/fpm 0/0/-1/-1/0 503 9965 - - SC-- 
> 2/1/0/0/3 0/0 "GET /backend/empty.php?r=0.9895406737322412 HTTP/1.1"
> Apr  8 08:43:01 ns3089939 haproxy[1151]: 
> 0016:bck-speed-fpm.clicls[0025:0026]
> Apr  8 08:43:01 ns3089939 haproxy[1151]: 
> 0016:bck-speed-fpm.closed[0025:0026]
> Apr  8 08:43:02 ns3089939 haproxy[1152]: 2a01:cb00:663:fd00:20b5:6759:d972:be50:63093 
> [08/Apr/2020:08:43:02.041] ft-secure~ bck-speed-fpm/fpm 0/0/-1/-1/0 503 9965 - - SC-- 
> 2/1/0/0/3 0/0 "GET /backend/empty.php?r=0.7692377905794734 HTTP/1.1"
> Apr  8 08:43:02 ns3089939 haproxy[1151]: 
> 0017:bck-speed-fpm.clicls[0025:0027]
> Apr  8 08:43:02 ns3089939 haproxy[1151]: 
> 0017:bck-speed-fpm.closed[0025:0027]
>
> One calling sequence is :
>
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 0014:ft-secure.accept(000b)=0026 from 
> [2a01:cb00:663:fd00:20b5:6759:d972:be50:63090] ALPN=
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 0014:ft-secure.clireq[0026:]: GET 
> /backend/getIP.php?isp=true=km=0.7819314534908071 HTTP/1.1
> Apr  8 08:43:00 ns3089939 haproxy[1152]: 2a01:cb00:663:fd00:20b5:6759:d972:be50:63090 
> [08/Apr/2020:08:43:00.648] ft-secure~ bck-speed-fpm/fpm 0/0/-1/-1/0 503 9965 - - SC-- 2/1/0/0/3 
> 0/0 "GET /backend/getIP.php?isp=true=km=0.7819314534908071 HTTP/1.1"
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:ft-secure.clihdr[0026:]: host: server
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:ft-secure.clihdr[0026:]: accept-encoding: gzip, deflate
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:ft-secure.clihdr[0026:]: cookie: NG_TRANSLATE_LANG_KEY=%22fr%22
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:ft-secure.clihdr[0026:]: accept: */*
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:ft-secure.clihdr[0026:]: user-agent: Mozilla/5.0 (Macintosh; 
> Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 
> Safari/605.1.15
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:ft-secure.clihdr[0026:]: accept-language: fr-fr
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:ft-secure.clihdr[0026:]: referer: 
> https://server/speedtest_worker.js?r=0.5199684076229355
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:ft-secure.clihdr[0026:]: dnt: 1
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:bck-speed-fpm.clicls[0026:0025]
> Apr  8 08:43:00 ns3089939 haproxy[1151]: 
> 0014:bck-speed-fpm.closed[0026:0025]








Re: [*EXT*] Re: 503 SC with fcgi

2020-04-08 Thread Ionel GARDAIS
It works with 127.0.0.1:29001 (the listener I configured for this pool)

About the socket :
- it lives in /run/php with
$ ls -alF /run/php/speedtest-fpm.sock  
srw-rw 1 www-data www-data 0 Apr  7 21:11 /run/php/speedtest.sock=

- /run/php is owned by www-data:www-data with 755 perms
$ ls -alF /run/ | grep php
drwxr-xr-x  2 www-datawww-data 180 Apr  7 21:11 php/

- haproxy user is member of www-data group
$ groups haproxy
haproxy : haproxy www-data


Debug logs are silent about any permission problem :

$ egrep -i "(cgi|fpm|sock|perm)" /var/log/haproxy.log
Apr  8 08:42:36 ns3089939 haproxy[1151]: #011[FCGI] fcgi-app
Apr  8 08:42:36 ns3089939 haproxy[1151]: [WARNING] 098/084236 (1151) : Failed 
to connect to the old process socket '/run/haproxy/admin.sock'
Apr  8 08:42:36 ns3089939 haproxy[1151]: [ALERT] 098/084236 (1151) : Failed to 
get the sockets from the old process!
Apr  8 08:42:36 ns3089939 haproxy[1151]: Proxy bck-speed-fpm started.
Apr  8 08:43:00 ns3089939 haproxy[1152]: 
2a01:cb00:663:fd00:20b5:6759:d972:be50:63090 [08/Apr/2020:08:43:00.648] 
ft-secure~ bck-speed-fpm/fpm 0/0/-1/-1/0 503 9965 - - SC-- 2/1/0/0/3 0/0 "GET 
/backend/getIP.php?isp=true=km=0.7819314534908071 HTTP/1.1"
Apr  8 08:43:00 ns3089939 haproxy[1151]: 
0014:bck-speed-fpm.clicls[0026:0025]
Apr  8 08:43:00 ns3089939 haproxy[1151]: 
0014:bck-speed-fpm.closed[0026:0025]
Apr  8 08:43:00 ns3089939 haproxy[1152]: 
2a01:cb00:663:fd00:20b5:6759:d972:be50:63091 [08/Apr/2020:08:43:00.896] 
ft-secure~ bck-speed-fpm/fpm 0/0/-1/-1/0 503 9965 - - SC-- 2/1/0/0/3 0/0 "GET 
/backend/empty.php?r=0.7112678877934051 HTTP/1.1"
Apr  8 08:43:00 ns3089939 haproxy[1151]: 
0015:bck-speed-fpm.clicls[0025:0026]
Apr  8 08:43:00 ns3089939 haproxy[1151]: 
0015:bck-speed-fpm.closed[0025:0026]
Apr  8 08:43:01 ns3089939 haproxy[1152]: 
2a01:cb00:663:fd00:20b5:6759:d972:be50:63092 [08/Apr/2020:08:43:01.724] 
ft-secure~ bck-speed-fpm/fpm 0/0/-1/-1/0 503 9965 - - SC-- 2/1/0/0/3 0/0 "GET 
/backend/empty.php?r=0.9895406737322412 HTTP/1.1"
Apr  8 08:43:01 ns3089939 haproxy[1151]: 
0016:bck-speed-fpm.clicls[0025:0026]
Apr  8 08:43:01 ns3089939 haproxy[1151]: 
0016:bck-speed-fpm.closed[0025:0026]
Apr  8 08:43:02 ns3089939 haproxy[1152]: 
2a01:cb00:663:fd00:20b5:6759:d972:be50:63093 [08/Apr/2020:08:43:02.041] 
ft-secure~ bck-speed-fpm/fpm 0/0/-1/-1/0 503 9965 - - SC-- 2/1/0/0/3 0/0 "GET 
/backend/empty.php?r=0.7692377905794734 HTTP/1.1"
Apr  8 08:43:02 ns3089939 haproxy[1151]: 
0017:bck-speed-fpm.clicls[0025:0027]
Apr  8 08:43:02 ns3089939 haproxy[1151]: 
0017:bck-speed-fpm.closed[0025:0027]


One calling sequence is :

Apr  8 08:43:00 ns3089939 haproxy[1151]: 0014:ft-secure.accept(000b)=0026 
from [2a01:cb00:663:fd00:20b5:6759:d972:be50:63090] ALPN=
Apr  8 08:43:00 ns3089939 haproxy[1151]: 
0014:ft-secure.clireq[0026:]: GET 
/backend/getIP.php?isp=true=km=0.7819314534908071 HTTP/1.1
Apr  8 08:43:00 ns3089939 haproxy[1152]: 
2a01:cb00:663:fd00:20b5:6759:d972:be50:63090 [08/Apr/2020:08:43:00.648] 
ft-secure~ bck-speed-fpm/fpm 0/0/-1/-1/0 503 9965 - - SC-- 2/1/0/0/3 0/0 "GET 
/backend/getIP.php?isp=true=km=0.7819314534908071 HTTP/1.1"
Apr  8 08:43:00 ns3089939 haproxy[1151]: 
0014:ft-secure.clihdr[0026:]: host: server
Apr  8 08:43:00 ns3089939 haproxy[1151]: 
0014:ft-secure.clihdr[0026:]: accept-encoding: gzip, deflate
Apr  8 08:43:00 ns3089939 haproxy[1151]: 
0014:ft-secure.clihdr[0026:]: cookie: NG_TRANSLATE_LANG_KEY=%22fr%22
Apr  8 08:43:00 ns3089939 haproxy[1151]: 
0014:ft-secure.clihdr[0026:]: accept: */*
Apr  8 08:43:00 ns3089939 haproxy[1151]: 
0014:ft-secure.clihdr[0026:]: user-agent: Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 
Safari/605.1.15
Apr  8 08:43:00 ns3089939 haproxy[1151]: 
0014:ft-secure.clihdr[0026:]: accept-language: fr-fr
Apr  8 08:43:00 ns3089939 haproxy[1151]: 
0014:ft-secure.clihdr[0026:]: referer: 
https://server/speedtest_worker.js?r=0.5199684076229355
Apr  8 08:43:00 ns3089939 haproxy[1151]: 
0014:ft-secure.clihdr[0026:]: dnt: 1
Apr  8 08:43:00 ns3089939 haproxy[1151]: 
0014:bck-speed-fpm.clicls[0026:0025]
Apr  8 08:43:00 ns3089939 haproxy[1151]: 
0014:bck-speed-fpm.closed[0026:0025]



-- 
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

- Original Message -
From: "Aleksandar Lazic" 
To: "Ionel GARDAIS" 
Cc: "haproxy" 
Sent: Tuesday, 7 April 2020 23:23:11
Subject: Re: [*EXT*] Re: 503 SC with fcgi

On 07.04.20 21:17, Ionel GARDAIS wrote:
> Alexander,
> 
> I had it working by using a classic IP:port listener for php-fpm.
> neither /run/php/speedtest-fpm.sock nor unix@/run/php/speedtest-fpm.sock 
>  worked

Can you run HAProxy in debug mode?
What's the permission for the socket?
Can you try to use 127.0.0.1:9000 instead of the unix socket, just to be sure 
that's not a permission