Re: SOLVED Re: haproxy + RDP

2017-05-24 Thread Aleksandar Lazic
Hi Antonio Trujillo Carmona.

Cool, thanks for sharing.

Regards
Aleks

Antonio Trujillo Carmona wrote on Wed, 24 May 2017 09:01:16 +0200:

> On 16/05/17 at 23:17, Aleksandar Lazic wrote:
> Hi Antonio Trujillo Carmona.
> > 
> > Antonio Trujillo Carmona wrote on Mon, 15 May 2017 08:40:16 +0200:
> > 
> > On 12/05/17 at 11:55, Aleksandar Lazic wrote:
> >> Hi Antonio Trujillo Carmona.
> >>> 
> >>> Antonio Trujillo Carmona wrote on Fri, 12 May 2017 10:23:59 +0200:
> >>>  
> >>> On 11/05/17 at 15:06, Aleksandar Lazic wrote:
>  .../
> > How about activating the 'option tcp-check' as mentioned in the
> > warning?
> > In the config below it's commented out; any reason why?
> > 
> > It's also active in the doc, which you may know.
> > 
> > https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html
> > 
> > Does this change anything?
> > ok, cleaning up a little I try:
>  frontend RDP
>  mode tcp
>  bind *:3389
>  timeout client 1h
>  tcp-request inspect-delay 5s
>  tcp-request content accept if RDP_COOKIE
>  default_backend bk_rdp
>  #
>  backend bk_rdp
>  mode tcp
>  balance leastconn
>  #balance rdp_coockie
>  timeout server 1h
>  timeout connect 4s
>  log global
>  option tcplog
>  stick-table type string len 32 size 10k expire 1h peers
>  pares stick on rdp_cookie(msthash)
>  #   persist rdp-cookie
>  option tcp-check
>  #   option ssl-hello-chk
>  #   option tcpka
>  tcp-check connect port 3389 ssl
>  
>  #   server gr43sterminal01  10.104.22.142:3389 weight 1 check
>  verify none inter 2000 rise 2 fall 3
>  #   server gr43sterminal02  10.104.23.141:3389 weight 1 check
>  verify none inter 2000 rise 2 fall 3
>  #
>  default-server inter 3s rise 2 fall 3
>  server gr43sterminal01  10.104.22.142:3389 weight 1 check
>  server gr43sterminal02  10.104.23.141:3389 weight 1 check
>  
>  And I got:
>  [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server
>  'gr43sterminal01' [/etc/haproxy/haproxy.cfg:189] verify is
>  enabled by default but no CA file specified. If you're running
>  on a LAN where you're certain to trust the server's certificate,
>  please set an explicit 'verify none' statement on the 'server'
>  line, or use 'ssl-server-verify none' in the global section to
>  disable server-side verifications by default. [ALERT] 131/100222
>  (8564) : Proxy 'bk_rdp', server
>  'gr43sterminal02' [/etc/haproxy/haproxy.cfg:190] verify is
>  enabled by default but no CA file specified. If you're running
>  on a LAN where you're certain to trust the server's certificate,
>  please set an explicit 'verify none' statement on the 'server'
>  line, or use 'ssl-server-verify none' in the global section to
>  disable server-side verifications by default. [ALERT] 131/100222
>  (8564) : Fatal errors found in configuration.
>  
>  So I try adding verify none on the server line
>  
>  and haproxy sees both servers up (but one is down).
>  I try without ssl:
>  
>  tcp-check connect port 3389
>  server gr43sterminal01  10.104.22.142:3389 weight 1 check
>  server gr43sterminal02  10.104.23.141:3389 weight 1 check
>  
>  but the result is the same: haproxy sees both servers up (but one is
>  down)
>  
>  only if I leave only option tcp-check (or none) does it seem to work
>  
>  
>  #
>  #   persist rdp-cookie
>  option tcp-check
>  #   option ssl-hello-chk
>  #   option tcpka
>  #   tcp-check connect port 3389 ssl
>  #   tcp-check connect port 3389
>  
>  #   server gr43sterminal01  10.104.22.142:3389 weight 1 check
>  verify none inter 2000 rise 2 fall 3
>  #   server gr43sterminal02  10.104.23.141:3389 weight 1 check
>  verify none inter 2000 rise 2 fall 3
>  #
>  default-server inter 3s rise 2 fall 3
>  server gr43sterminal01  10.104.22.142:3389 weight 1 check
>  server gr43sterminal02  10.104.23.141:3389 weight 1 check
>  ##
>  
>  
>  output:
>  
>  [WARNING] 131/102105 (8773) : Server bk_rdp/gr43sterminal01 is
>  DOWN, reason: Layer4 timeout, info: " at initial connection step
>  of tcp-check", check duration: 3001ms. 1 active and 0 backup
>  servers left. 0 sessions active, 0 requeued, 0 remaining in
>  queue. So finally it works.
> >>> 
> >>> Regards
> >>> Aleks  
> >>> But in that mode it checks that the server is available, 

SOLVED Re: haproxy + RDP

2017-05-24 Thread Antonio Trujillo Carmona

On 16/05/17 at 23:17, Aleksandar Lazic wrote:
> Hi Antonio Trujillo Carmona.
>
> Antonio Trujillo Carmona wrote on Mon, 15 May 2017 08:40:16 +0200:
>
>> On 12/05/17 at 11:55, Aleksandar Lazic wrote:
>>> Hi Antonio Trujillo Carmona.
>>>
>>> Antonio Trujillo Carmona wrote on Fri, 12 May 2017 10:23:59 +0200:
>>>
>>>> On 11/05/17 at 15:06, Aleksandar Lazic wrote:
>>>>> .../
>>>>> How about activating the 'option tcp-check' as mentioned in the
>>>>> warning?
>>>>> In the config below it's commented out; any reason why?
>>>>>
>>>>> It's also active in the doc, which you may know.
>>>>>
>>>>> https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html
>>>>>
>>>>> Does this change anything?
>>>> ok, cleaning up a little I try:
>>>> frontend RDP
>>>> mode tcp
>>>> bind *:3389
>>>> timeout client 1h
>>>> tcp-request inspect-delay 5s
>>>> tcp-request content accept if RDP_COOKIE
>>>> default_backend bk_rdp
>>>> #
>>>> backend bk_rdp
>>>> mode tcp
>>>> balance leastconn
>>>> #balance rdp_coockie
>>>> timeout server 1h
>>>> timeout connect 4s
>>>> log global
>>>> option tcplog
>>>> stick-table type string len 32 size 10k expire 1h peers pares
>>>> stick on rdp_cookie(msthash)
>>>> #   persist rdp-cookie
>>>> option tcp-check
>>>> #   option ssl-hello-chk
>>>> #   option tcpka
>>>> tcp-check connect port 3389 ssl
>>>>
>>>> #   server gr43sterminal01  10.104.22.142:3389 weight 1 check
>>>> verify none inter 2000 rise 2 fall 3
>>>> #   server gr43sterminal02  10.104.23.141:3389 weight 1 check
>>>> verify none inter 2000 rise 2 fall 3
>>>> #
>>>> default-server inter 3s rise 2 fall 3
>>>> server gr43sterminal01  10.104.22.142:3389 weight 1 check
>>>> server gr43sterminal02  10.104.23.141:3389 weight 1 check
>>>>
>>>> And I got:
>>>> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal01'
>>>> [/etc/haproxy/haproxy.cfg:189] verify is enabled by default but no CA
>>>> file specified. If you're running on a LAN where you're certain to
>>>> trust the server's certificate, please set an explicit 'verify none'
>>>> statement on the 'server' line, or use 'ssl-server-verify none' in
>>>> the global section to disable server-side verifications by default.
>>>> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal02'
>>>> [/etc/haproxy/haproxy.cfg:190] verify is enabled by default but no CA
>>>> file specified. If you're running on a LAN where you're certain to
>>>> trust the server's certificate, please set an explicit 'verify none'
>>>> statement on the 'server' line, or use 'ssl-server-verify none' in
>>>> the global section to disable server-side verifications by default.
>>>> [ALERT] 131/100222 (8564) : Fatal errors found in configuration.
>>>>
>>>> So I try adding verify none on the server line
>>>>
>>>> and haproxy sees both servers up (but one is down).
>>>> I try without ssl:
>>>>
>>>> tcp-check connect port 3389
>>>> server gr43sterminal01  10.104.22.142:3389 weight 1 check
>>>> server gr43sterminal02  10.104.23.141:3389 weight 1 check
>>>>
>>>> but the result is the same: haproxy sees both servers up (but one is
>>>> down)
>>>>
>>>> only if I leave only option tcp-check (or none) does it seem to work
>>>>
>>>> #
>>>> #   persist rdp-cookie
>>>> option tcp-check
>>>> #   option ssl-hello-chk
>>>> #   option tcpka
>>>> #   tcp-check connect port 3389 ssl
>>>> #   tcp-check connect port 3389
>>>>
>>>> #   server gr43sterminal01  10.104.22.142:3389 weight 1 check
>>>> verify none inter 2000 rise 2 fall 3
>>>> #   server gr43sterminal02  10.104.23.141:3389 weight 1 check
>>>> verify none inter 2000 rise 2 fall 3
>>>> #
>>>> default-server inter 3s rise 2 fall 3
>>>> server gr43sterminal01  10.104.22.142:3389 weight 1 check
>>>> server gr43sterminal02  10.104.23.141:3389 weight 1 check
>>>> ##
>>>>
>>>> output:
>>>>
>>>> [WARNING] 131/102105 (8773) : Server bk_rdp/gr43sterminal01 is DOWN,
>>>> reason: Layer4 timeout, info: " at initial connection step of
>>>> tcp-check", check duration: 3001ms. 1 active and 0 backup servers
>>>> left. 0 sessions active, 0 requeued, 0 remaining in queue.
>>> So finally it works.
>>>
>>> Regards
>>> Aleks
>> But in that mode it checks that the server is available, not the service;
>> if the RDP service is down haproxy doesn't detect it.
>
> Maybe you will need some tcp-check sequence to check the service.
>
> http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-tcp-check%20send
> http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-tcp-check%20send-binary
>
> I have found a perl script which checks RDP; maybe this will help
> you to find the right sequence.
>
> https://github.com/portcullislabs/rdp-sec-check/blob/master/rdp-sec-check.pl
>
> Regards
> Aleks

Finally it works.
The configuration ended up as:
#
frontend RDP
    mode tcp
    bind *:3389
    timeout client 1h
    tcp-request inspect-delay 25s
    

Re: haproxy + RDP

2017-05-16 Thread Aleksandar Lazic
Hi Antonio Trujillo Carmona.

Antonio Trujillo Carmona wrote on Mon, 15 May 2017 08:40:16 +0200:

> On 12/05/17 at 11:55, Aleksandar Lazic wrote:
> > Hi Antonio Trujillo Carmona.
> >
> > Antonio Trujillo Carmona wrote on Fri, 12 May 2017 10:23:59 +0200:
> >  
> >> On 11/05/17 at 15:06, Aleksandar Lazic wrote:
> >>> .../
> >>> How about activating the 'option tcp-check' as mentioned in the
> >>> warning?
> >>> In the config below it's commented out; any reason why?
> >>>
> >>> It's also active in the doc, which you may know.
> >>>
> >>> https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html
> >>>
> >>> Does this change anything?
> >> ok, cleaning up a little I try:
> >> frontend RDP
> >> mode tcp
> >> bind *:3389
> >> timeout client 1h
> >> tcp-request inspect-delay 5s
> >> tcp-request content accept if RDP_COOKIE
> >> default_backend bk_rdp
> >> #
> >> backend bk_rdp
> >> mode tcp
> >> balance leastconn
> >> #balance rdp_coockie
> >> timeout server 1h
> >> timeout connect 4s
> >> log global
> >> option tcplog
> >> stick-table type string len 32 size 10k expire 1h peers
> >> pares stick on rdp_cookie(msthash)
> >> #   persist rdp-cookie
> >> option tcp-check
> >> #   option ssl-hello-chk
> >> #   option tcpka
> >> tcp-check connect port 3389 ssl
> >>
> >> #   server gr43sterminal01  10.104.22.142:3389 weight 1 check
> >> verify none inter 2000 rise 2 fall 3
> >> #   server gr43sterminal02  10.104.23.141:3389 weight 1 check
> >> verify none inter 2000 rise 2 fall 3
> >> #
> >> default-server inter 3s rise 2 fall 3
> >> server gr43sterminal01  10.104.22.142:3389 weight 1 check
> >> server gr43sterminal02  10.104.23.141:3389 weight 1 check
> >>
> >> And I got:
> >> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server
> >> 'gr43sterminal01' [/etc/haproxy/haproxy.cfg:189] verify is enabled
> >> by default but no CA file specified. If you're running on a LAN
> >> where you're certain to trust the server's certificate, please set
> >> an explicit 'verify none' statement on the 'server' line, or use
> >> 'ssl-server-verify none' in the global section to disable
> >> server-side verifications by default. [ALERT] 131/100222 (8564) :
> >> Proxy 'bk_rdp', server
> >> 'gr43sterminal02' [/etc/haproxy/haproxy.cfg:190] verify is enabled
> >> by default but no CA file specified. If you're running on a LAN
> >> where you're certain to trust the server's certificate, please set
> >> an explicit 'verify none' statement on the 'server' line, or use
> >> 'ssl-server-verify none' in the global section to disable
> >> server-side verifications by default. [ALERT] 131/100222 (8564) :
> >> Fatal errors found in configuration.
> >>
> >> So I try adding verify none on the server line
> >>
> >> and haproxy sees both servers up (but one is down).
> >> I try without ssl:
> >>
> >> tcp-check connect port 3389
> >> server gr43sterminal01  10.104.22.142:3389 weight 1 check
> >> server gr43sterminal02  10.104.23.141:3389 weight 1 check
> >>
> >> but the result is the same: haproxy sees both servers up (but one is
> >> down)
> >>
> >> only if I leave only option tcp-check (or none) does it seem to work
> >>
> >>
> >> #
> >> #   persist rdp-cookie
> >> option tcp-check
> >> #   option ssl-hello-chk
> >> #   option tcpka
> >> #   tcp-check connect port 3389 ssl
> >> #   tcp-check connect port 3389
> >>
> >> #   server gr43sterminal01  10.104.22.142:3389 weight 1 check
> >> verify none inter 2000 rise 2 fall 3
> >> #   server gr43sterminal02  10.104.23.141:3389 weight 1 check
> >> verify none inter 2000 rise 2 fall 3
> >> #
> >> default-server inter 3s rise 2 fall 3
> >> server gr43sterminal01  10.104.22.142:3389 weight 1 check
> >> server gr43sterminal02  10.104.23.141:3389 weight 1 check
> >> ##
> >>
> >>
> >> output:
> >>
> >> [WARNING] 131/102105 (8773) : Server bk_rdp/gr43sterminal01 is
> >> DOWN, reason: Layer4 timeout, info: " at initial connection step of
> >> tcp-check", check duration: 3001ms. 1 active and 0 backup servers
> >> left. 0 sessions active, 0 requeued, 0 remaining in queue.  
> > So finally it works.
> >
> > Regards
> > Aleks  
> But in that mode it checks that the server is available, not the service;
> if the RDP service is down haproxy doesn't detect it.

Maybe you will need some tcp-check sequence to check the service.

http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-tcp-check%20send
http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-tcp-check%20send-binary

I have found a perl script which checks RDP; maybe this will help
you to find the right sequence.
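The X.224 probe Aleks is pointing at, as an added example that is not part of the thread, of haproxy or of the linked perl script: it builds the cleartext connection request every RDP client sends first, classifies the confirm that comes back, and emits the equivalent haproxy 1.5 'tcp-check send-binary' / 'tcp-check expect binary' lines. Host names, the port default and the sample answers are constructed.

```python
"""RDP service probe: the X.224 exchange an haproxy tcp-check sequence can replay.

Added example for this thread; not code from haproxy, from the linked perl
script or from the thread's authors. Every RDP client opens with a cleartext
X.224 Connection Request (MS-RDPBCGR 2.2.1.1) and the service answers with an
X.224 Connection Confirm before any TLS starts, which is also why a bare
'option ssl-hello-chk' on port 3389 never sees a ServerHello. A listener that
accepts the TCP connection but never answers this request is "server
available, not service". Sample answers below are constructed, not captured.
"""
import socket
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2   # requestedProtocols flags
NEG_RSP, NEG_FAILURE = 0x02, 0x03                              # RDP_NEG_RSP / RDP_NEG_FAILURE
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER",
                 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_x224_connection_request(protocols=PROTOCOL_RDP):
    """TPKT header + X.224 CR TPDU + RDP_NEG_REQ, 19 bytes in total."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)   # type, flags, length, protocols
    x224 = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + neg_req  # CR, dst-ref, src-ref, class 0
    x224 = bytes([len(x224)]) + x224                            # LI = number of bytes after it (14)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224      # TPKT: version 3, reserved, length


def parse_x224_connection_confirm(data):
    """Classify an answer. Any well-formed CC, even a negotiation failure, means RDP is alive."""
    if len(data) < 11 or data[0] != 0x03 or data[1] != 0x00:
        return {"alive": False, "reason": "no TPKT header in reply"}
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    li, code = data[4], data[5]
    if tpkt_len != len(data) or tpkt_len != li + 5:
        return {"alive": False, "reason": "inconsistent TPKT/X.224 lengths"}
    if code & 0xF0 != 0xD0:                                     # 0xD0 = Connection Confirm
        return {"alive": False, "reason": "not an X.224 Connection Confirm (0x%02x)" % code}
    if li == 6:                                                 # no RDP_NEG_RSP: legacy RDP security
        return {"alive": True, "negotiation": "none"}
    if li < 14:
        return {"alive": False, "reason": "truncated negotiation response"}
    ntype, _flags, nlen, value = struct.unpack("<BBHI", data[11:19])
    if nlen != 8:
        return {"alive": False, "reason": "bad RDP_NEG length"}
    if ntype == NEG_RSP:
        return {"alive": True, "negotiation": "response", "selected_protocol": value}
    if ntype == NEG_FAILURE:                                    # service up, refuses this security level
        return {"alive": True, "negotiation": "failure",
                "failure": FAILURE_CODES.get(value, hex(value))}
    return {"alive": False, "reason": "unknown RDP_NEG type 0x%02x" % ntype}


def haproxy_tcp_check_lines():
    """The same probe as haproxy 1.5 backend lines (send-binary / expect binary)."""
    return [
        "option tcp-check",
        "tcp-check send-binary " + build_x224_connection_request().hex(),
        "tcp-check expect binary 0300",   # TPKT version 3: the RDP service answered at all
    ]


def probe_rdp(host, port=3389, timeout=3.0):
    """Live check of one server (hypothetical target); same dict shape as the parser."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_x224_connection_request())
            data = sock.recv(64)
    except OSError as exc:                                      # refused, reset, timed out: layer 4
        return {"alive": False, "reason": str(exc)}
    if not data:
        return {"alive": False, "reason": "port open but no X.224 answer"}
    return parse_x224_connection_confirm(data)


# Constructed sample answers (not captured from the thread's servers).
SAMPLE_NEG_RSP = bytes.fromhex("03000013 0ed0 0000 1234 00 02 00 0800 01000000")      # selected TLS
SAMPLE_NEG_FAILURE = bytes.fromhex("03000013 0ed0 0000 1234 00 03 00 0800 05000000")  # NLA required
SAMPLE_LEGACY_CC = bytes.fromhex("0300000b 06d0 0000 1234 00")                         # no negotiation
SAMPLE_TLS_RECORD = bytes.fromhex("16030100 2a")                                       # not an RDP reply

if __name__ == "__main__":
    print("\n".join(haproxy_tcp_check_lines()))
    for name, answer in [("NEG_RSP", SAMPLE_NEG_RSP), ("NEG_FAILURE", SAMPLE_NEG_FAILURE),
                         ("LEGACY", SAMPLE_LEGACY_CC), ("TLS_RECORD", SAMPLE_TLS_RECORD)]:
        print(name, parse_x224_connection_confirm(answer))
```

In haproxy 1.5 'tcp-check expect binary' only looks for the hex pattern somewhere in the reply, so the generated lines prove the service answered; the parser is the stricter check to run by hand when a server flaps.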


Re: haproxy + RDP

2017-05-15 Thread Antonio Trujillo Carmona
On 12/05/17 at 11:55, Aleksandar Lazic wrote:
> Hi Antonio Trujillo Carmona.
>
> Antonio Trujillo Carmona wrote on Fri, 12 May 2017 10:23:59 +0200:
>
>> On 11/05/17 at 15:06, Aleksandar Lazic wrote:
>>> .../
>>> How about activating the 'option tcp-check' as mentioned in the
>>> warning?
>>> In the config below it's commented out; any reason why?
>>>
>>> It's also active in the doc, which you may know.
>>>
>>> https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html
>>>
>>> Does this change anything?
>> ok, cleaning up a little I try:
>> frontend RDP
>> mode tcp
>> bind *:3389
>> timeout client 1h
>> tcp-request inspect-delay 5s
>> tcp-request content accept if RDP_COOKIE
>> default_backend bk_rdp
>> #
>> backend bk_rdp
>> mode tcp
>> balance leastconn
>> #balance rdp_coockie
>> timeout server 1h
>> timeout connect 4s
>> log global
>> option tcplog
>> stick-table type string len 32 size 10k expire 1h peers pares
>> stick on rdp_cookie(msthash)
>> #   persist rdp-cookie
>> option tcp-check
>> #   option ssl-hello-chk
>> #   option tcpka
>> tcp-check connect port 3389 ssl
>>
>> #   server gr43sterminal01  10.104.22.142:3389 weight 1 check
>> verify none inter 2000 rise 2 fall 3
>> #   server gr43sterminal02  10.104.23.141:3389 weight 1 check
>> verify none inter 2000 rise 2 fall 3
>> #
>> default-server inter 3s rise 2 fall 3
>> server gr43sterminal01  10.104.22.142:3389 weight 1 check
>> server gr43sterminal02  10.104.23.141:3389 weight 1 check
>>
>> And I got:
>> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal01'
>> [/etc/haproxy/haproxy.cfg:189] verify is enabled by default but no CA
>> file specified. If you're running on a LAN where you're certain to
>> trust the server's certificate, please set an explicit 'verify none'
>> statement on the 'server' line, or use 'ssl-server-verify none' in
>> the global section to disable server-side verifications by default.
>> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal02'
>> [/etc/haproxy/haproxy.cfg:190] verify is enabled by default but no CA
>> file specified. If you're running on a LAN where you're certain to
>> trust the server's certificate, please set an explicit 'verify none'
>> statement on the 'server' line, or use 'ssl-server-verify none' in
>> the global section to disable server-side verifications by default.
>> [ALERT] 131/100222 (8564) : Fatal errors found in configuration.
>>
>> So I try adding verify none on the server line
>>
>> and haproxy sees both servers up (but one is down).
>> I try without ssl:
>>
>> tcp-check connect port 3389
>> server gr43sterminal01  10.104.22.142:3389 weight 1 check
>> server gr43sterminal02  10.104.23.141:3389 weight 1 check
>>
>> but the result is the same: haproxy sees both servers up (but one is
>> down)
>>
>> only if I leave only option tcp-check (or none) does it seem to work
>>
>>
>> #
>> #   persist rdp-cookie
>> option tcp-check
>> #   option ssl-hello-chk
>> #   option tcpka
>> #   tcp-check connect port 3389 ssl
>> #   tcp-check connect port 3389
>>
>> #   server gr43sterminal01  10.104.22.142:3389 weight 1 check
>> verify none inter 2000 rise 2 fall 3
>> #   server gr43sterminal02  10.104.23.141:3389 weight 1 check
>> verify none inter 2000 rise 2 fall 3
>> #
>> default-server inter 3s rise 2 fall 3
>> server gr43sterminal01  10.104.22.142:3389 weight 1 check
>> server gr43sterminal02  10.104.23.141:3389 weight 1 check
>> ##
>>
>>
>> output:
>>
>> [WARNING] 131/102105 (8773) : Server bk_rdp/gr43sterminal01 is DOWN,
>> reason: Layer4 timeout, info: " at initial connection step of
>> tcp-check", check duration: 3001ms. 1 active and 0 backup servers
>> left. 0 sessions active, 0 requeued, 0 remaining in queue.
> So finally it works.
>
> Regards
> Aleks
But in that mode it checks that the server is available, not the service;
if the RDP service is down haproxy doesn't detect it.


-- 

*Antonio Trujillo Carmona*

*Network and systems technician.*

*Subdirección de Tecnologías de la Información y Comunicaciones*

Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía

antonio.trujillo.sspa@juntadeandalucia.es

Tel. +34 670947670 747670)






Re: haproxy + RDP

2017-05-12 Thread Aleksandar Lazic
Hi Antonio Trujillo Carmona.

Antonio Trujillo Carmona wrote on Fri, 12 May 2017 10:23:59 +0200:

> On 11/05/17 at 15:06, Aleksandar Lazic wrote:
> > .../
> > How about activating the 'option tcp-check' as mentioned in the
> > warning?
> > In the config below it's commented out; any reason why?
> >
> > It's also active in the doc, which you may know.
> >
> > https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html
> >
> > Does this change anything?
> ok, cleaning up a little I try:
> frontend RDP
> mode tcp
> bind *:3389
> timeout client 1h
> tcp-request inspect-delay 5s
> tcp-request content accept if RDP_COOKIE
> default_backend bk_rdp
> #
> backend bk_rdp
> mode tcp
> balance leastconn
> #balance rdp_coockie
> timeout server 1h
> timeout connect 4s
> log global
> option tcplog
> stick-table type string len 32 size 10k expire 1h peers pares
> stick on rdp_cookie(msthash)
> #   persist rdp-cookie
> option tcp-check
> #   option ssl-hello-chk
> #   option tcpka
> tcp-check connect port 3389 ssl
> 
> #   server gr43sterminal01  10.104.22.142:3389 weight 1 check
> verify none inter 2000 rise 2 fall 3
> #   server gr43sterminal02  10.104.23.141:3389 weight 1 check
> verify none inter 2000 rise 2 fall 3
> #
> default-server inter 3s rise 2 fall 3
> server gr43sterminal01  10.104.22.142:3389 weight 1 check
> server gr43sterminal02  10.104.23.141:3389 weight 1 check
> 
> And I got:
> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal01'
> [/etc/haproxy/haproxy.cfg:189] verify is enabled by default but no CA
> file specified. If you're running on a LAN where you're certain to
> trust the server's certificate, please set an explicit 'verify none'
> statement on the 'server' line, or use 'ssl-server-verify none' in
> the global section to disable server-side verifications by default.
> [ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal02'
> [/etc/haproxy/haproxy.cfg:190] verify is enabled by default but no CA
> file specified. If you're running on a LAN where you're certain to
> trust the server's certificate, please set an explicit 'verify none'
> statement on the 'server' line, or use 'ssl-server-verify none' in
> the global section to disable server-side verifications by default.
> [ALERT] 131/100222 (8564) : Fatal errors found in configuration.
> 
> So I try adding verify none on the server line
> 
> and haproxy sees both servers up (but one is down).
> I try without ssl:
> 
> tcp-check connect port 3389
> server gr43sterminal01  10.104.22.142:3389 weight 1 check
> server gr43sterminal02  10.104.23.141:3389 weight 1 check
> 
> but the result is the same: haproxy sees both servers up (but one is
> down)
> 
> only if I leave only option tcp-check (or none) does it seem to work
> 
> 
> #
> #   persist rdp-cookie
> option tcp-check
> #   option ssl-hello-chk
> #   option tcpka
> #   tcp-check connect port 3389 ssl
> #   tcp-check connect port 3389
> 
> #   server gr43sterminal01  10.104.22.142:3389 weight 1 check
> verify none inter 2000 rise 2 fall 3
> #   server gr43sterminal02  10.104.23.141:3389 weight 1 check
> verify none inter 2000 rise 2 fall 3
> #
> default-server inter 3s rise 2 fall 3
> server gr43sterminal01  10.104.22.142:3389 weight 1 check
> server gr43sterminal02  10.104.23.141:3389 weight 1 check
> ##
> 
> 
> output:
> 
> [WARNING] 131/102105 (8773) : Server bk_rdp/gr43sterminal01 is DOWN,
> reason: Layer4 timeout, info: " at initial connection step of
> tcp-check", check duration: 3001ms. 1 active and 0 backup servers
> left. 0 sessions active, 0 requeued, 0 remaining in queue.

So finally it works.

Regards
Aleks



Re: haproxy + RDP

2017-05-12 Thread Antonio Trujillo Carmona
On 11/05/17 at 15:06, Aleksandar Lazic wrote:
> .../
> How about activating the 'option tcp-check' as mentioned in the
> warning?
> In the config below it's commented out; any reason why?
>
> It's also active in the doc, which you may know.
>
> https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html
>
> Does this change anything?
ok, cleaning up a little I try:
frontend RDP
mode tcp
bind *:3389
timeout client 1h
tcp-request inspect-delay 5s
tcp-request content accept if RDP_COOKIE
default_backend bk_rdp
#
backend bk_rdp
mode tcp
balance leastconn
#balance rdp_coockie
timeout server 1h
timeout connect 4s
log global
option tcplog
stick-table type string len 32 size 10k expire 1h peers pares
stick on rdp_cookie(msthash)
#   persist rdp-cookie
option tcp-check
#   option ssl-hello-chk
#   option tcpka
tcp-check connect port 3389 ssl

#   server gr43sterminal01  10.104.22.142:3389 weight 1 check verify
none inter 2000 rise 2 fall 3
#   server gr43sterminal02  10.104.23.141:3389 weight 1 check verify
none inter 2000 rise 2 fall 3
#
default-server inter 3s rise 2 fall 3
server gr43sterminal01  10.104.22.142:3389 weight 1 check
server gr43sterminal02  10.104.23.141:3389 weight 1 check

And I got:
[ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal01'
[/etc/haproxy/haproxy.cfg:189] verify is enabled by default but no CA
file specified. If you're running on a LAN where you're certain to trust
the server's certificate, please set an explicit 'verify none' statement
on the 'server' line, or use 'ssl-server-verify none' in the global
section to disable server-side verifications by default.
[ALERT] 131/100222 (8564) : Proxy 'bk_rdp', server 'gr43sterminal02'
[/etc/haproxy/haproxy.cfg:190] verify is enabled by default but no CA
file specified. If you're running on a LAN where you're certain to trust
the server's certificate, please set an explicit 'verify none' statement
on the 'server' line, or use 'ssl-server-verify none' in the global
section to disable server-side verifications by default.
[ALERT] 131/100222 (8564) : Fatal errors found in configuration.

So I try adding verify none on the server line

and haproxy sees both servers up (but one is down).
I try without ssl:

tcp-check connect port 3389
server gr43sterminal01  10.104.22.142:3389 weight 1 check
server gr43sterminal02  10.104.23.141:3389 weight 1 check

but the result is the same: haproxy sees both servers up (but one is down)

only if I leave only option tcp-check (or none) does it seem to work


#
#   persist rdp-cookie
option tcp-check
#   option ssl-hello-chk
#   option tcpka
#   tcp-check connect port 3389 ssl
#   tcp-check connect port 3389

#   server gr43sterminal01  10.104.22.142:3389 weight 1 check verify
none inter 2000 rise 2 fall 3
#   server gr43sterminal02  10.104.23.141:3389 weight 1 check verify
none inter 2000 rise 2 fall 3
#
default-server inter 3s rise 2 fall 3
server gr43sterminal01  10.104.22.142:3389 weight 1 check
server gr43sterminal02  10.104.23.141:3389 weight 1 check
##


output:

[WARNING] 131/102105 (8773) : Server bk_rdp/gr43sterminal01 is DOWN,
reason: Layer4 timeout, info: " at initial connection step of
tcp-check", check duration: 3001ms. 1 active and 0 backup servers left.
0 sessions active, 0 requeued, 0 remaining in queue.






-- 

*Antonio Trujillo Carmona*

*Network and systems technician.*

*Subdirección de Tecnologías de la Información y Comunicaciones*

Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía

antonio.trujillo.sspa@juntadeandalucia.es

Tel. +34 670947670 747670)






Re: haproxy + RDP

2017-05-11 Thread Aleksandar Lazic
Hi Antonio Trujillo Carmona.

thanks

Antonio Trujillo Carmona wrote on Thu, 11 May 2017 12:24:00 +0200:

> On 11/05/17 at 11:23, Aleksandar Lazic wrote:
> > Hi Antonio Trujillo Carmona.
> >
> > Antonio Trujillo Carmona wrote on Thu, 11 May 2017 10:22:59 +0200:
> >  
> >> Why doesn't this configuration detect a server down?
> > Please can you post the output of haproxy -vv  
> $ haproxy -vv
> HA-Proxy version 1.5.18 2016/05/10
> Copyright 2000-2016 Willy Tarreau 
> 
> Build options :
>   TARGET  = linux2628
>   CPU = generic
>   CC  = gcc
>   CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
>   OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
> USE_PCRE=1
> 
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents =
> 200
> 
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.7
> Compression algorithms supported : identity, deflate, gzip
> Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
> Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.32 2012-11-30
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with transparent proxy support using: IP_TRANSPARENT
> IPV6_TRANSPARENT IP_FREEBIND
> 
> Available polling systems :
>   epoll : pref=300,  test result OK
>poll : pref=200,  test result OK
>  select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
> 
> 
> > Please can you post some logs as you have debug activated.  
> # haproxy -d -f /etc/haproxy/haproxy.cfg
> [WARNING] 130/120716 (27612) : parsing
> [/etc/haproxy/haproxy.cfg:165] : 'timeout server' will be ignored
> because frontend 'RDP' has no backend capability
> [WARNING] 130/120716 (27612) : config : backend 'bk_rdp' uses
> tcp-check rules without 'option tcp-check', so the rules are ignored.

How about activating the 'option tcp-check' as mentioned in the
warning?
In the config below it's commented out; any reason why?

It's also active in the doc, which you may know.

https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html

Does this change anything?

Regards
aleks

> Available polling systems :
>   epoll : pref=300,  test result OK
>poll : pref=200,  test result OK
>  select : pref=150,  test result FAILED
> Total: 3 (2 usable), will use epoll.
> Using epoll() as the polling mechanism.
> [WARNING] 130/120717 (27612) : Server CitrixSF-SSL/CitrixSF03 is DOWN,
> reason: Layer4 connection problem, info: "Connection refused", check
> duration: 3ms. 1 active and 0 backup servers left. 0 sessions active,
> 0 requeued, 0 remaining in queue.
> [WARNING] 130/120718 (27612) : Server bk_rdp/gr43sterminal02 is DOWN,
> reason: Socket error, check duration: 12ms. 1 active and 0 backup
> servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
> [WARNING] 130/120719 (27612) : Server bk_rdp/gr43sterminal01 is DOWN,
> reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup
> servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
> [ALERT] 130/120719 (27612) : backend 'bk_rdp' has no server available!
> 
> Message from syslogd@localhost at May 11 12:07:19 ...
>  haproxy[27612]: backend bk_rdp has no server available!
> 
> Message from syslogd@localhost at May 11 12:07:19 ...
>  haproxy[27612]: backend bk_rdp has no server available!
> 
> 
> 
> but :
> # nmap gr43sterminal02 -p3389
> 
> Starting Nmap 6.40 ( http://nmap.org ) at 2017-05-11 12:12 CEST
> Nmap scan report for gr43sterminal02 (10.104.23.141)
> Host is up (0.00072s latency).
> rDNS record for 10.104.23.141:
> gr43sterminal02.hvn.sas.junta-andalucia.es PORT STATE SERVICE
> 3389/tcp open  ms-wbt-server
> 
> This one is up and the other down
> 
> if I comment
> #   option ssl-hello-chk
> 
> both appear up
> # haproxy -d -f /etc/haproxy/haproxy.cfg
> [WARNING] 130/121803 (27722) : parsing
> [/etc/haproxy/haproxy.cfg:165] : 'timeout server' will be ignored
> because frontend 'RDP' has no backend capability
> Available polling systems :
>   epoll : pref=300,  test result OK
>poll : pref=200,  test result OK
>  select : pref=150,  test result FAILED
> Total: 3 (2 usable), will use epoll.
> Using epoll() as the polling mechanism.
> [WARNING] 130/121804 (27722) : Server CitrixSF-SSL/CitrixSF03 is DOWN,
> reason: Layer4 connection problem, info: "Connection refused", check
> duration: 3ms. 1 active and 0 backup servers left. 0 sessions active,
> 0 requeued, 0 remaining in queue.
> :gr43stemis01.clicls[:0009]
> :gr43stemis01.closed[:0009]
> :gr43stemis01.clicls[:000a]
> :gr43stemis01.closed[:000a]
> :gr43stemis01.clicls[:000b]
> 

Re: haproxy + RDP

2017-05-11 Thread Antonio Trujillo Carmona
On 11/05/17 at 11:23, Aleksandar Lazic wrote:
> Hi Antonio Trujillo Carmona.
>
> Antonio Trujillo Carmona wrote on Thu, 11 May 2017 10:22:59 +0200:
>
>> Why doesn't this configuration detect a server down?
> Please can you post the output of haproxy -vv
$ haproxy -vv
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.


> Please can you post some logs as you have debug activated.
# haproxy -d -f /etc/haproxy/haproxy.cfg
[WARNING] 130/120716 (27612) : parsing [/etc/haproxy/haproxy.cfg:165] :
'timeout server' will be ignored because frontend 'RDP' has no backend
capability
[WARNING] 130/120716 (27612) : config : backend 'bk_rdp' uses tcp-check
rules without 'option tcp-check', so the rules are ignored.
Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result FAILED
Total: 3 (2 usable), will use epoll.
Using epoll() as the polling mechanism.
[WARNING] 130/120717 (27612) : Server CitrixSF-SSL/CitrixSF03 is DOWN,
reason: Layer4 connection problem, info: "Connection refused", check
duration: 3ms. 1 active and 0 backup servers left. 0 sessions active, 0
requeued, 0 remaining in queue.
[WARNING] 130/120718 (27612) : Server bk_rdp/gr43sterminal02 is DOWN,
reason: Socket error, check duration: 12ms. 1 active and 0 backup
servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] 130/120719 (27612) : Server bk_rdp/gr43sterminal01 is DOWN,
reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup
servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[ALERT] 130/120719 (27612) : backend 'bk_rdp' has no server available!

Message from syslogd@localhost at May 11 12:07:19 ...
 haproxy[27612]: backend bk_rdp has no server available!

Message from syslogd@localhost at May 11 12:07:19 ...
 haproxy[27612]: backend bk_rdp has no server available!



but:
# nmap gr43sterminal02 -p3389

Starting Nmap 6.40 ( http://nmap.org ) at 2017-05-11 12:12 CEST
Nmap scan report for gr43sterminal02 (10.104.23.141)
Host is up (0.00072s latency).
rDNS record for 10.104.23.141: gr43sterminal02.hvn.sas.junta-andalucia.es
PORT STATE SERVICE
3389/tcp open  ms-wbt-server

This one is up and the other is down.

If I comment out
#   option ssl-hello-chk

both appear up:
# haproxy -d -f /etc/haproxy/haproxy.cfg
[WARNING] 130/121803 (27722) : parsing [/etc/haproxy/haproxy.cfg:165] :
'timeout server' will be ignored because frontend 'RDP' has no backend
capability
Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result FAILED
Total: 3 (2 usable), will use epoll.
Using epoll() as the polling mechanism.
[WARNING] 130/121804 (27722) : Server CitrixSF-SSL/CitrixSF03 is DOWN,
reason: Layer4 connection problem, info: "Connection refused", check
duration: 3ms. 1 active and 0 backup servers left. 0 sessions active, 0
requeued, 0 remaining in queue.
:gr43stemis01.clicls[:0009]
:gr43stemis01.closed[:0009]
:gr43stemis01.clicls[:000a]
:gr43stemis01.closed[:000a]
:gr43stemis01.clicls[:000b]
:gr43stemis01.closed[:000b]
:gr43stemis01.clicls[:000c]
:gr43stemis01.closed[:000c]
:gr43stemis01.clicls[:000d]
:gr43stemis01.closed[:000d]
:RDP.accept(0007)=000a from [10.104.24.53:60969]


Only if I comment out
#option ssl-hello-chk
#tcp-check connect port 3389 ssl
does it seem to work, but I'm afraid that it checks the server, not the
service, so if the server is up but the RDP service fails, haproxy will
not detect it.

>
>> global
>> log 127.0.0.1 local0 debug
>> log 127.0.0.1 local1 notice
>> log 10.104.16.5 local7 debug
>> chroot /var/lib/haproxy
>> user haproxy
>> group 
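
The concern raised above (a plain TCP check proves the host answers on 3389, not that RDP does) can be addressed by checking at the X.224 layer. RDP does not begin with TLS: the client first sends a plaintext X.224 Connection Request inside a TPKT frame, and TLS is only negotiated after the X.224 Connection Confirm, which is why a check that opens TLS immediately on the port ('option ssl-hello-chk', or 'tcp-check connect ... ssl') gets no usable answer from a terminal server. The probe below is an added example for this thread, not code from the haproxy project or from anyone in the discussion; the sample reply bytes in its comments and test are constructed from the TPKT/X.224 layouts, and the host name in the usage line is a placeholder.

```python
"""X.224-level liveness probe for an RDP listener (added example).

The client sends a TPKT-framed X.224 Connection Request; a live RDP
service answers with an X.224 Connection Confirm, optionally carrying an
RDP_NEG_RSP or RDP_NEG_FAILURE.  Any well-formed Confirm proves the RDP
service (not just the TCP port) answered.
"""
import socket
import struct
from typing import Optional

TPKT_VERSION = 3
X224_CR = 0xE0        # Connection Request TPDU code (CDT bits zero)
X224_CC = 0xD0        # Connection Confirm TPDU code
RDP_NEG_RSP = 0x02    # optional negotiation response appended to the CC
RDP_NEG_FAILURE = 0x03


def build_connection_request() -> bytes:
    """Minimal X.224 Connection Request with no RDP_NEG_REQ (11 bytes on the wire)."""
    # CR TPDU: LI (bytes after LI), code, DST-REF, SRC-REF, class option
    x224 = struct.pack("!BBHHB", 6, X224_CR, 0, 0, 0)
    # TPKT header: version, reserved, total length (big-endian)
    tpkt = struct.pack("!BBH", TPKT_VERSION, 0, 4 + len(x224))
    return tpkt + x224


def parse_connection_confirm(data: bytes) -> Optional[dict]:
    """Validate one TPKT-framed X.224 Connection Confirm.

    Returns None if the bytes are not a well-formed CC (nothing speaking RDP
    on the other end), otherwise a dict with 'status' in {'cc', 'neg_rsp',
    'neg_failure'} plus the selected protocol or failure code if present.
    """
    if len(data) < 11:
        return None
    version, _reserved, length = struct.unpack("!BBH", data[:4])
    if version != TPKT_VERSION or length != len(data):
        return None
    li, code = data[4], data[5]
    if (code & 0xF0) != X224_CC or li < 6:
        return None
    result = {"status": "cc", "protocol": None, "failure": None}
    # An appended RDP_NEG_RSP / RDP_NEG_FAILURE is 8 bytes with
    # little-endian fields (type, flags, length=8, value).
    if length >= 19:
        neg_type, _flags, neg_len = struct.unpack("<BBH", data[11:15])
        if neg_len != 8:
            return None
        value = struct.unpack("<I", data[15:19])[0]
        if neg_type == RDP_NEG_RSP:
            result.update(status="neg_rsp", protocol=value)
        elif neg_type == RDP_NEG_FAILURE:
            result.update(status="neg_failure", failure=value)
        else:
            return None
    return result


def service_is_up(parsed: Optional[dict]) -> bool:
    """Any well-formed CC, even a negotiation failure, means RDP answered."""
    return parsed is not None


def _recv_exact(sock: socket.socket, n: int) -> Optional[bytes]:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def check_rdp(host: str, port: int = 3389, timeout: float = 3.0) -> Optional[dict]:
    """Connect, send the CR, read one TPKT frame and parse it; None on any failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_connection_request())
            header = _recv_exact(sock, 4)
            if header is None:
                return None
            length = struct.unpack("!BBH", header)[2]
            if length < 11:
                return None
            body = _recv_exact(sock, length - 4)
            if body is None:
                return None
            return parse_connection_confirm(header + body)
    except (OSError, struct.error):
        return None


if __name__ == "__main__":
    # Placeholder host; point it at a terminal server to run the probe live.
    print(check_rdp("gr43sterminal02.example", 3389))
```

The same exchange can be expressed inside haproxy with 'option tcp-check', a 'tcp-check connect port 3389' line without the 'ssl' keyword (TLS is only negotiated after this exchange), a 'tcp-check send-binary' of the 11-byte request and a 'tcp-check expect binary' on the TPKT header and Confirm code; the exact directive syntax is an assumption here and should be confirmed against the tcp-check section of the haproxy configuration manual for the version in use (1.5.18 in this thread).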

Re: haproxy + RDP

2017-05-11 Thread Aleksandar Lazic
Hi Antonio Trujillo Carmona.

Antonio Trujillo Carmona have written on Thu, 11 May 2017 10:22:59
+0200:

> Why doesn't this configuration detect a server down?

Please can you post the output of haproxy -vv
Please can you post some logs as you have debug activated.

> global
>     log 127.0.0.1 local0 debug
>     log 127.0.0.1 local1 notice
>     log 10.104.16.5 local7 debug
>     chroot /var/lib/haproxy
>     user haproxy
>     group haproxy
>     daemon
>     node GR43STEMIS01-BALANCEADOR-HA-SSL
> 
> # To synchronize the session tables
> peers pares
> #    disable
>     peer gr43stemis01 10.107.20.7:1024
>     peer gr43stemis02 10.107.20.8:1024
> 
> defaults
>     log global
>     mode    http
>     option  dontlognull
>     option httpchk
>     retries 3
>     option redispatch
>     maxconn 5000
>     timeout connect 50s
>     timeout client  30min
>     timeout server 50s
> .../...
> frontend RDP
>     mode tcp
>     bind *:3389
>     timeout client 1h
>     timeout server 1h
>     tcp-request inspect-delay 5s
>     tcp-request content accept if RDP_COOKIE
> #    use_backend bk_rdp
>     default_backend bk_rdp
>    
> backend bk_rdp
>     mode tcp
>     balance leastconn
>     #balance rdp_coockie
>     timeout server 1h
>     timeout connect 4s
>     log global
>     stick-table type string len 32 size 10k expire 1h peers pares
>     stick on rdp_cookie(msthash)
>    
>     persist rdp-cookie
> #    option tcp-check
>     option ssl-hello-chk
> #    option tcpka
> 
>     tcp-check connect port 3389 ssl
> 
>     server gr43sterminal01    10.104.22.142:3389 weight 1 check inter 2000 rise 2 fall 3
>     server gr43sterminal02    10.104.23.141:3389 weight 1 check inter 2000 rise 2 fall 3
> 
> 
> 
> Thanks.
> --
> 
> Antonio Trujillo Carmona
> 
> Network and systems technician.
> 
> Subdirección de Tecnologías de la Información y Comunicaciones
> 
> Servicio Andaluz de Salud. Consejería de Salud de la Junta de
> Andalucía
> 
> antonio.trujillo.s...@juntadeandalucia.es
> 
> Tel. +34 670947670 747670)
> 
> 
> 
> 



haproxy + RDP

2017-05-11 Thread Antonio Trujillo Carmona

Why doesn't this configuration detect a server down?

global
    log 127.0.0.1 local0 debug
    log 127.0.0.1 local1 notice
    log 10.104.16.5 local7 debug
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    node GR43STEMIS01-BALANCEADOR-HA-SSL

# To synchronize the session tables
peers pares
#    disable
    peer gr43stemis01 10.107.20.7:1024
    peer gr43stemis02 10.107.20.8:1024

defaults
    log global
    mode    http
    option  dontlognull
    option httpchk
    retries 3
    option redispatch
    maxconn 5000
    timeout connect 50s
    timeout client  30min
    timeout server 50s
.../...
frontend RDP
    mode tcp
    bind *:3389
    timeout client 1h
    timeout server 1h
    tcp-request inspect-delay 5s
    tcp-request content accept if RDP_COOKIE
#    use_backend bk_rdp
    default_backend bk_rdp
    
backend bk_rdp
    mode tcp
    balance leastconn
    #balance rdp_coockie
    timeout server 1h
    timeout connect 4s
    log global
    stick-table type string len 32 size 10k expire 1h peers pares
    stick on rdp_cookie(msthash)
    
    persist rdp-cookie
#    option tcp-check
    option ssl-hello-chk
#    option tcpka

    tcp-check connect port 3389 ssl

    server gr43sterminal01    10.104.22.142:3389 weight 1 check inter 2000 rise 2 fall 3
    server gr43sterminal02    10.104.23.141:3389 weight 1 check inter 2000 rise 2 fall 3



Thanks.
-- 
Antonio Trujillo Carmona
Network and systems technician.
Subdirección de Tecnologías de la Información y Comunicaciones
Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
antonio.trujillo.s...@juntadeandalucia.es
Tel. +34 670947670 747670)