Re: Haproxy SSL offloading to nginx backend web servers - need persistent connections

2013-11-12 Thread Baptiste
Hi Chris,

How can you point HAProxy in such problem?
I mean, you have a single server in your farm, so if the browser can't
download objects, it may come from another point.
And since you have a single server, you don't need persistence ;)

Can you confirm whether:
- the application works well in HTTP (clear)
- the application works well without HAProxy

Note that SSL offloading may have some impacts on web application:
http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/

Can you enable logs as described in the link above and check the result?

Baptiste


On Mon, Nov 11, 2013 at 8:49 PM, Chris bludge...@gmail.com wrote:
 Hello everyone,

 I have a question concerning session persistence with offloading SSL via
 haproxy to backend nginx web servers running a PHP website.

 Basically, I have a configuration that is performing the SSL offloading
 successfully, however, it seems that session persistence is not working
 properly as some of the images from the nginx web server are not showing up,
 however the log in fields for this web server are showing up.

 What needs to happen is that an http request comes into haproxy, http calls
 get redirected to https, SSL is offloaded and the connection is handed over
 to the relevant back-end - with session persistence intact via ACLs within
 haproxy.

 I have read that http-server-close will preserve the connection and keep
 it persistent but I have not been able to get this to work.  I have also
 read that the type of balance used  (such as round robin) can affect the
 persistence of connections.  I have also tried to use

 cookie PHPSESSID insert nocache indirect  but I just am having no luck as
 there are a slew of configurations that can be used to do this task and I
 have gone over the haproxy documentation again and again and I just am not
 sure of the correct way of doing this.  The haproxy documentation is very
 thorough, but it is also very complex.

 In an effort to try to get this working, below is the configuration for my
 haproxy setup, I have stripped out all of the testing configurations that
 I've been using to try to get it to work.  I am hoping that someone might be
 able to assist me with properly getting this configured to make sessions
 persistent.

 Your expertise and advice are greatly welcomed and very appreciated - I
 thank you for your time.

 ---
 global
   log 127.0.0.1 local0
   log 127.0.0.1 local1
   user haproxy
   group haproxy
   daemon

 defaults
   log global
   mode http
   option httplog
   option dontlognull
   option redispatch
   stats enable
   maxconn 512
   retries 3
   contimeout 6
   clitimeout 6
   srvtimeout 6


 ## http frontend to redirect to https frontend

 frontend https_frontend
   bind 0.0.0.0:80
   redirect scheme https if !{ ssl_fc }


 ## https frontend to offload SSL to the backends

 frontend haproxy_https
   mode http
   option http-server-close
   bind 0.0.0.0:443 ssl crt /etc/haproxy/psl-wildcard/wildcard.pem ca-file /etc/haproxy/psl-wildcard/wildcard.ca-bundle

   acl is_psl_https  hdr_end(host)   -i www.test-site.com
   acl is_broker_psl_https   hdr_end(host)   -i broker.test-site.com
   acl is_eclose_psl_https   hdr_end(host)   -i eclose.test-site.com

   use_backend   is_psl_https_backend    if  is_psl_https
   use_backend   is_broker_https_backend if  is_broker_psl_https
   use_backend   is_eclose_https_backend if  is_eclose_psl_https

   default_backend   is_psl_https_backend



 ## backends

 backend is_psl_https_backend
   mode http
   balance source
   option http-server-close
   server server1 10.10.221.171:80

 backend is_broker_https_backend
   mode http
   balance source
   option http-server-close
   server server1 10.10.221.172:80

 backend is_eclose_https_backend
   mode http
   balance source
   option http-server-close
   server server1 10.10.221.173:80


 listen admin 0.0.0.0:22002
   mode http
   stats uri /

 

 Again, thank you very much.

 Sincerely,

 Chris



Re: Haproxy SSL offloading to nginx backend web servers - need persistent connections

2013-11-12 Thread Chris
Baptiste,

Thanks again for taking the time to read through and respond.  I had done a
lot of troubleshooting and tried many different configuration options, to
the point that I am now confused.  You are correct, with only one web
server, persistence is not necessary, I should have realized this.  I tried
testing the web server by bypassing haproxy and I was getting the same
result, no image showing up so it is a web server problem that needs to be
resolved first.

With that said, the end plan is to indeed put 2 or 3 web servers behind
haproxy to be load balanced too - when that time comes, may I ask you what
the best way to implement session persistence would be, ensuring that when
a client connects to the web servers that they continue to stay on that web
server during their entire session?

Would this be the - option  http-server-close ?  Or, would implementing
some sort of PHPSESSID cookie be needed?

I think for true testing then, they need to get their web servers working
first, and then I need to get another one set up so that I can actually
test out session persistence.

Last question, when I get this into place, and to verify that sessions are
staying persistent, what is the best way to verify this?  Will haproxy logs
show this, or do I need to perform some sort of strace on the haproxy PID
to watch it?

Thanks a million Baptiste, you are a life saver - not only to me, but to
many people on this amazing list

Sincerely,

Chris


-Chris


On Tue, Nov 12, 2013 at 12:12 AM, Baptiste bed...@gmail.com wrote:

 Hi Chris,

 How can you point HAProxy in such problem?
 I mean, you have a single server in your farm, so if the browser can't
 download objects, it may come from another point.
 And since you have a single server, you don't need persistence ;)

 Can you confirm whether:
 - the application works well in HTTP (clear)
 - the application works well without HAProxy

 Note that SSL offloading may have some impacts on web application:

 http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/

 Can you enable logs as described in the link above and check the result?

 Baptiste



Re: Haproxy SSL offloading to nginx backend web servers - need persistent connections

2013-11-12 Thread Baptiste
Hi Chris,

It is recommended to use option http-server-close, unless for specific
use (like NTLM). So please turn it on.

You have basically 3 main choices:
- cookie SERVERID insert = HAProxy will setup a cookie called SERVERID
- cookie PHPSESSID prefix = HAProxy will use the application cookie
setup by your web servers
- stick table + stick store + stick match = HAProxy will learn
cookies, store them in a table and use it for persistence.

For option #1 and #2 don't forget the cookie parameter on the server directive.

Baptiste


On Tue, Nov 12, 2013 at 5:14 PM, Chris bludge...@gmail.com wrote:
 Baptiste,

 Thanks again for taking the time to read through and respond.  I had done a
 lot of troubleshooting and tried many different configuration options, to
 the point that I am now confused.  You are correct, with only one web
 server, persistence is not necessary, I should have realized this.  I tried
 testing the web server by bypassing haproxy and I was getting the same
 result, no image showing up so it is a web server problem that needs to be
 resolved first.

 With that said, the end plan is to indeed put 2 or 3 web servers behind
 haproxy to be load balanced too - when that time comes, may I ask you what
 the best way to implement session persistence would be, ensuring that when a
 client connects to the web servers that they continue to stay on that web
 server during their entire session?

 Would this be the - option  http-server-close ?  Or, would implementing some
 sort of PHPSESSID cookie be needed?

 I think for true testing then, they need to get their web servers working
 first, and then I need to get another one set up so that I can actually test
 out session persistence.

 Last question, when I get this into place, and to verify that sessions are
 staying persistent, what is the best way to verify this?  Will haproxy logs
 show this, or do I need to perform some sort of strace on the haproxy PID to
 watch it?

 Thanks a million Baptiste, you are a life saver - not only to me, but to
 many people on this amazing list

 Sincerely,

 Chris


 -Chris


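The three persistence options Baptiste lists in the reply above, written out as alternative backends for a two-server farm. This is an added example, not configuration posted in the thread: the backend names, server names, 192.0.2.x addresses and stick-table sizes are placeholders, and the `secure` and `httponly` cookie flags are an addition that fits a site served only through the HTTPS frontend.

```haproxy
# Added example, not configuration from the thread. Backend names, server
# names (web1/web2) and the 192.0.2.x addresses are placeholders.

# Option 1: HAProxy inserts its own SERVERID cookie.
backend bk_cookie_insert
  mode http
  balance roundrobin
  option http-server-close
  # indirect: the cookie is removed before the request reaches the server
  # nocache:  "Cache-Control: private" is added when the cookie is inserted
  # secure, httponly: added here because clients only use the HTTPS frontend
  cookie SERVERID insert indirect nocache secure httponly
  # "cookie <value>" on each server line is the parameter Baptiste refers to
  server web1 192.0.2.11:80 check cookie web1
  server web2 192.0.2.12:80 check cookie web2

# Option 2: HAProxy prefixes the server value to the application's PHPSESSID
# (the client sees "web1~<session id>"; the server sees the original value).
backend bk_cookie_prefix
  mode http
  balance roundrobin
  option http-server-close
  cookie PHPSESSID prefix
  server web1 192.0.2.11:80 check cookie web1
  server web2 192.0.2.12:80 check cookie web2

# Option 3: HAProxy learns PHPSESSID from responses and keeps the mapping
# in a stick table; no cookie is added or rewritten.
# len 32 assumes session ids of at most 32 characters.
backend bk_stick_table
  mode http
  balance roundrobin
  option http-server-close
  stick-table type string len 32 size 1m expire 1h
  stick store-response res.cook(PHPSESSID)
  stick match req.cook(PHPSESSID)
  server web1 192.0.2.11:80 check
  server web2 192.0.2.12:80 check
```

With `option redispatch` from the posted defaults section, a client whose persisted server is down is sent to another server instead of receiving an error.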

Haproxy SSL offloading to nginx backend web servers - need persistent connections

2013-11-11 Thread Chris
Hello everyone,

I have a question concerning session persistence with offloading SSL via
haproxy to backend nginx web servers running a PHP website.

Basically, I have a configuration that is performing the SSL offloading
successfully, however, it seems that session persistence is not working
properly as some of the images from the nginx web server are not showing
up, however the log in fields for this web server are showing up.

What needs to happen is that an http request comes into haproxy, http calls
get redirected to https, SSL is offloaded and the connection is handed over
to the relevant back-end - with session persistence intact via ACLs within
haproxy.

I have read that http-server-close will preserve the connection and keep
it persistent but I have not been able to get this to work.  I have also
read that the type of balance used  (such as round robin) can affect the
persistence of connections.  I have also tried to use

cookie PHPSESSID insert nocache indirect  but I just am having no luck as
there are a slew of configurations that can be used to do this task and I
have gone over the haproxy documentation again and again and I just am not
sure of the correct way of doing this.  The haproxy documentation is very
thorough, but it is also very complex.

In an effort to try to get this working, below is the configuration for my
haproxy setup, I have stripped out all of the testing configurations that
I've been using to try to get it to work.  I am hoping that someone might
be able to assist me with properly getting this configured to make sessions
persistent.

Your expertise and advice are greatly welcomed and very appreciated - I
thank you for your time.

---
global
  log 127.0.0.1 local0
  log 127.0.0.1 local1
  user haproxy
  group haproxy
  daemon

defaults
  log global
  mode http
  option httplog
  option dontlognull
  option redispatch
  stats enable
  maxconn 512
  retries 3
  contimeout 6
  clitimeout 6
  srvtimeout 6


## http frontend to redirect to https frontend

frontend https_frontend
  bind 0.0.0.0:80
  redirect scheme https if !{ ssl_fc }


## https frontend to offload SSL to the backends

frontend haproxy_https
  mode http
  option http-server-close
  bind 0.0.0.0:443 ssl crt /etc/haproxy/psl-wildcard/wildcard.pem ca-file /etc/haproxy/psl-wildcard/wildcard.ca-bundle

  acl is_psl_https  hdr_end(host)   -i www.test-site.com
  acl is_broker_psl_https   hdr_end(host)   -i broker.test-site.com
  acl is_eclose_psl_https   hdr_end(host)   -i eclose.test-site.com

  use_backend   is_psl_https_backend    if  is_psl_https
  use_backend   is_broker_https_backend if  is_broker_psl_https
  use_backend   is_eclose_https_backend if  is_eclose_psl_https

  default_backend   is_psl_https_backend



## backends

backend is_psl_https_backend
  mode http
  balance source
  option http-server-close
  server server1 10.10.221.171:80

backend is_broker_https_backend
  mode http
  balance source
  option http-server-close
  server server1 10.10.221.172:80

backend is_eclose_https_backend
  mode http
  balance source
  option http-server-close
  server server1 10.10.221.173:80


listen admin 0.0.0.0:22002
  mode http
  stats uri /



Again, thank you very much.

Sincerely,

Chris