Re: Haproxy SSL offloading to nginx backend web servers - need persistent connections
Hi Chris,

How can you point HAProxy in such problem?
I mean, you have a single server in your farm, so if the browser can't download objects, it may come from another point.
And since you have a single server, you don't need persistence ;)

Can you confirm whether:
- the application works well in HTTP (clear)
- the application works well without HAProxy

Note that SSL offloading may have some impacts on web application:
http://blog.exceliance.fr/2013/02/26/ssl-offloading-impact-on-web-applications/

Can you enable logs as described in the link above and check the result?

Baptiste

On Mon, Nov 11, 2013 at 8:49 PM, Chris bludge...@gmail.com wrote:
> Hello everyone,
>
> I have a question concerning session persistence with offloading SSL via haproxy to backend nginx web servers running a PHP website.
>
> Basically, I have a configuration that is performing the SSL offloading successfully, however, it seems that session persistence is not working properly as some of the images from the nginx web server are not showing up, however the login fields for this web server are showing up.
>
> What needs to happen is that an http request comes into haproxy, http calls get redirected to https, SSL is offloaded and the connection is handed over to the relevant back-end - with session persistence intact via ACLs within haproxy.
>
> I have read that http-server-close will preserve the connection and keep it persistent but I have not been able to get this to work. I have also read that the type of balance used (such as round robin) can affect the persistence of connections. I have also tried to use cookie PHPSESSID insert nocache indirect but I just am having no luck as there are a slew of configurations that can be used to do this task and I have gone over the haproxy documentation again and again and I just am not sure of the correct way of doing this. The haproxy documentation is very thorough, but it is also very complex.
Re: Haproxy SSL offloading to nginx backend web servers - need persistent connections
Baptiste,

Thanks again for taking the time to read through and respond. I had done a lot of troubleshooting and tried many different configuration options, to the point that I am now confused.

You are correct, with only one web server, persistence is not necessary, I should have realized this. I tried testing the web server by bypassing haproxy and I was getting the same result, no image showing up, so it is a web server problem that needs to be resolved first.

With that said, the end plan is to indeed put 2 or 3 web servers behind haproxy to be load balanced too - when that time comes, may I ask you what the best way to implement session persistence would be, ensuring that when a client connects to the web servers that they continue to stay on that web server during their entire session?

Would this be the - option http-server-close ? Or, would implementing some sort of PHPSESSID cookie be needed?

I think for true testing then, they need to get their web servers working first, and then I need to get another one set up so that I can actually test out session persistence.

Last question, when I get this into place, and to verify that sessions are staying persistent, what is the best way to verify this? Will haproxy logs show this, or do I need to perform some sort of strace on the haproxy PID to watch it?

Thanks a million Baptiste, you are a life saver - not only to me, but to many people on this amazing list.

Sincerely,
Chris

-Chris

On Tue, Nov 12, 2013 at 12:12 AM, Baptiste bed...@gmail.com wrote:
> Hi Chris,
>
> How can you point HAProxy in such problem?
> I mean, you have a single server in your farm, so if the browser can't download objects, it may come from another point.
Re: Haproxy SSL offloading to nginx backend web servers - need persistent connections
Hi Chris,

It is recommended to use option http-server-close, unless for specific use (like NTLM). So please turn it on.

You have basically 3 main choices:
- cookie SERVERID insert = HAProxy will set up a cookie called SERVERID
- cookie PHPSESSID prefix = HAProxy will use the application cookie set up by your web servers
- stick table + stick store + stick match = HAProxy will learn cookies, store them in a table and use it for persistence.

For option #1 and #2 don't forget the cookie parameter on the server directive.

Baptiste

On Tue, Nov 12, 2013 at 5:14 PM, Chris bludge...@gmail.com wrote:
> Baptiste,
>
> Thanks again for taking the time to read through and respond. I had done a lot of troubleshooting and tried many different configuration options, to the point that I am now confused.
>
> You are correct, with only one web server, persistence is not necessary, I should have realized this. I tried testing the web server by bypassing haproxy and I was getting the same result, no image showing up, so it is a web server problem that needs to be resolved first.
>
> With that said, the end plan is to indeed put 2 or 3 web servers behind haproxy to be load balanced too - when that time comes, may I ask you what the best way to implement session persistence would be, ensuring that when a client connects to the web servers that they continue to stay on that web server during their entire session?
>
> Would this be the - option http-server-close ? Or, would implementing some sort of PHPSESSID cookie be needed?
>
> I think for true testing then, they need to get their web servers working first, and then I need to get another one set up so that I can actually test out session persistence.
>
> Last question, when I get this into place, and to verify that sessions are staying persistent, what is the best way to verify this? Will haproxy logs show this, or do I need to perform some sort of strace on the haproxy PID to watch it?
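The three persistence choices Baptiste lists above, written out as backend sections. This is an added example, not configuration posted in the thread; the backend names, server names, 192.0.2.x addresses, `balance roundrobin` and the stick-table sizing are assumptions, and only one of the three backends would be used.

```haproxy
# Added example, not from the thread. Names, addresses and sizes are
# constructed. Pick ONE backend and point use_backend at it.

# Choice 1: HAProxy inserts its own SERVERID cookie.
backend php_cookie_insert
    mode http
    balance roundrobin
    option http-server-close
    # indirect: the cookie is removed before the request reaches nginx
    # nocache:  responses that set the cookie are marked non-cacheable
    # secure/httponly: clients only reach this backend via the TLS frontend
    cookie SERVERID insert indirect nocache secure httponly
    # the per-server "cookie" value is what ties a client to a server
    server web1 192.0.2.11:80 check cookie web1
    server web2 192.0.2.12:80 check cookie web2

# Choice 2: reuse the PHPSESSID cookie set by the PHP application.
backend php_cookie_prefix
    mode http
    balance roundrobin
    option http-server-close
    # HAProxy prepends "<server cookie>~" to the value sent to the client
    # and strips it again before forwarding the request to the server
    cookie PHPSESSID prefix
    server web1 192.0.2.11:80 check cookie web1
    server web2 192.0.2.12:80 check cookie web2

# Choice 3: learn PHPSESSID values in a stick table.
backend php_stick_table
    mode http
    balance roundrobin
    option http-server-close
    # one entry per session id, dropped after 30 minutes without use
    stick-table type string len 64 size 100k expire 30m
    # remember which server issued the session cookie ...
    stick store-response res.cook(PHPSESSID)
    # ... and send later requests carrying it to the same server
    stick match req.cook(PHPSESSID)
    # no per-server cookie value needed here
    server web1 192.0.2.11:80 check
    server web2 192.0.2.12:80 check
```

Check the merged file with `haproxy -c -f` before reloading. With `option httplog`, as in the posted defaults, each log line names the backend and server that handled the request, which shows whether a client stays on one server.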
Haproxy SSL offloading to nginx backend web servers - need persistent connections
Hello everyone,

I have a question concerning session persistence with offloading SSL via haproxy to backend nginx web servers running a PHP website.

Basically, I have a configuration that is performing the SSL offloading successfully, however, it seems that session persistence is not working properly as some of the images from the nginx web server are not showing up, however the login fields for this web server are showing up.

What needs to happen is that an http request comes into haproxy, http calls get redirected to https, SSL is offloaded and the connection is handed over to the relevant back-end - with session persistence intact via ACLs within haproxy.

I have read that http-server-close will preserve the connection and keep it persistent but I have not been able to get this to work. I have also read that the type of balance used (such as round robin) can affect the persistence of connections. I have also tried to use cookie PHPSESSID insert nocache indirect but I just am having no luck as there are a slew of configurations that can be used to do this task and I have gone over the haproxy documentation again and again and I just am not sure of the correct way of doing this. The haproxy documentation is very thorough, but it is also very complex.

In an effort to try to get this working, below is the configuration for my haproxy setup, I have stripped out all of the testing configurations that I've been using to try to get it to work.

I am hoping that someone might be able to assist me with properly getting this configured to make sessions persistent. Your expertise and advice are greatly welcomed and very appreciated - I thank you for your time.
---
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option redispatch
    stats enable
    maxconn 512
    retries 3
    contimeout 6
    clitimeout 6
    srvtimeout 6

## http frontend to redirect to https frontend
frontend https_frontend
    bind 0.0.0.0:80
    redirect scheme https if !{ ssl_fc }

## https frontend to offload SSL to the backends
frontend haproxy_https
    mode http
    option http-server-close
    bind 0.0.0.0:443 ssl crt /etc/haproxy/psl-wildcard/wildcard.pem ca-file /etc/haproxy/psl-wildcard/wildcard.ca-bundle
    acl is_psl_https hdr_end(host) -i www.test-site.com
    acl is_broker_psl_https hdr_end(host) -i broker.test-site.com
    acl is_eclose_psl_https hdr_end(host) -i eclose.test-site.com
    use_backend is_psl_https_backend if is_psl_https
    use_backend is_broker_https_backend if is_broker_psl_https
    use_backend is_eclose_https_backend if is_eclose_psl_https
    default_backend is_psl_https_backend

## backends
backend is_psl_https_backend
    mode http
    balance source
    option http-server-close
    server server1 10.10.221.171:80

backend is_broker_https_backend
    mode http
    balance source
    option http-server-close
    server server1 10.10.221.172:80

backend is_eclose_https_backend
    mode http
    balance source
    option http-server-close
    server server1 10.10.221.173:80

listen admin 0.0.0.0:22002
    mode http
    stats uri /

Again, thank you very much.

Sincerely,
Chris