Re: Keep client side open on FIN till backend responds

[Willy Tarreau]

Hi,

On Fri, Jan 11, 2019 at 01:05:15PM +0200, Assen Totin wrote:
> Hi, everybody!
> 
> I'm facing an issue with a somewhat weird/broken client and I'm looking for
> some advise on it.
> 
> The client opens a HTTPS session and sends its request (POST data in my
> case). The HTTPS part is fine. The POST data is small, so it fits into a
> single TCP packet, which arrives with ACK,PSH,FIN flags set. HAProxy
> diligently responds with FIN,ACK and closes the client connection, not
> sending anything to the backend server. It also logs the request as CR--
> which seems proper.
> 
> There is nothing specific in my HAProxy setup in this case, default config
> with a single frontend/backend. I'm on 1.8 series.

It is *not* supposed to happen by default, we're extremely careful about
half-closed requests, and in fact in 1.8, HTTP/2 is translated to HTTP/1
with a close appended just after the request. Are you up to date with your
1.8 version ? Also are you certain your config doesn't contain
"option abortonclose" ? This option exists exactly to cause the behaviour
you're observing.

> I'm aware that sending a FIN on a TLS connection violates the TLS RFC, but
> I suspect that such a client would do the same on a non-TLS connection too.
> It brings me to the question, is there a way to tell HAProxy not to close a
> client connection upon receipt of FIN on the client side if there is an
> unserved HTTP request, but rather keep the client connection half-open
> until the backend responds?

The client connection is half-open in this case because that's how it is
at the transport level. But the request should properly be served regardless
of this.

> The issue I'm facing is likely exacerbated  by
> the fact that client sends FIN together with the HTTP request, so there is
> no backend connection yet when HAProxy decides to close the client
> connection.

As I said, it's exactly what is done for requests coming from HTTP/2, so
if it's neither a configuration issue nor a known bug, you may be on a
corner case that hasn't been identified yet.

> Any ideas will he much appreciated. I'm open to testing config
> changes/patches if needed (or even writing one with some guidance).

Great ;-) Please double-check the points above, and share a reduced
config exhibiting the problem.

Thanks!
Willy

Keep client side open on FIN till backend responds

[Assen Totin]

Hi, everybody!

I'm facing an issue with a somewhat weird/broken client and I'm looking for
some advise on it.

The client opens a HTTPS session and sends its request (POST data in my
case). The HTTPS part is fine. The POST data is small, so it fits into a
single TCP packet, which arrives with ACK,PSH,FIN flags set. HAProxy
diligently responds with FIN,ACK and closes the client connection, not
sending anything to the backend server. It also logs the request as CR--
which seems proper.

There is nothing specific in my HAProxy setup in this case, default config
with a single frontend/backend. I'm on 1.8 series.

I'm aware that sending a FIN on a TLS connection violates the TLS RFC, but
I suspect that such a client would do the same on a non-TLS connection too.
It brings me to the question, is there a way to tell HAProxy not to close a
client connection upon receipt of FIN on the client side if there is an
unserved HTTP request, but rather keep the client connection half-open
until the backend responds? The issue I'm facing is likely exacerbated  by
the fact that client sends FIN together with the HTTP request, so there is
no backend connection yet when HAProxy decides to close the client
connection.

Any ideas will he much appreciated. I'm open to testing config
changes/patches if needed (or even writing one with some guidance).

WWell,

Assen Totin