Re: Haproxy 1.5.14 + Tomcat 8 giving random 502 errors

2016-03-04 Thread Aleksandar Lazic

Hi.

On 02-03-2016 07:48, Zoltan Lorincz wrote:

Jeff,

thanks again for the detailed answer.
I've already tested a configuration without various ACL's.


Please can you try to run the connector with debug on.

http://tomcat.apache.org/tomcat-8.0-doc/logging.html#Using_java.util.logging_%28default%29

I would try to use this.

org.apache.catalina.session.level=ALL
org.apache.coyote.http11.Http11Protocol.level=ALL

Pay attention: this will produce a lot of entries in the logs and could have 
some impact on performance.


The standard setup also has some low limits; maybe you must increase 
these limits.


http://tomcat.apache.org/tomcat-8.0-doc/config/http.html#Standard_Implementation

Is it possible to run also HAProxy in debug mode?
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#3.3

BTW: Thanks Cyril for the html doc ;-))


When I checked the error logs, I got this:

[02/Mar/2016:07:38:34.834] backend servers (#4): invalid response
  frontend https-in (#3), server www1a (#1), event #9270
  src 46.140.96.254:61409, session #20091598, session flags 0x00cf
  HTTP msg state 26, msg flags 0x, tx flags 0xa8200060
  HTTP chunk len 0 bytes, HTTP body len 0 bytes
  buffer flags 0x00048002, out 0 bytes, total 5 bytes
  pending 5 bytes, wrapping at 16384, error at position 2:

  0  20c\r\n

Do you have any idea what could cause this?


What's the error line(s) on the tomcat side?

Please can you also post the current 'conf/server.xml' with all 
'Connector*', thanks.


BR Aleks


Thank you,
Zoltan.

On Tue, Mar 1, 2016 at 6:11 PM, Jeff Palmer  wrote:


Zoltan,

the "HP--" in the log means:

P : the session was prematurely aborted by the proxy, because of a
connection limit enforcement, because a DENY filter was matched,
because of a security check which detected and blocked a dangerous
error in server response which might have caused information leak
(eg: cacheable cookie).

H : the proxy was waiting for complete, valid response HEADERS from the
server (HTTP only).

Since you are saying that hitting the tomcat backend directly works,
I would suggest trying to remove all the extra acls and matches.
Try getting the basic frontend/backend part working,  then add your
ACL's and matches one at a time.

The "P" in the log unfortunately leaves a lot of potential reasons,
which you are likely going to have to track down via trial and error.
If removing the additional ACL's doesn't cause it to start working,
I'd look at cookies and the "dangerous error" aspects.

On Tue, Mar 1, 2016 at 7:36 AM, Zoltan Lorincz 
wrote:

Dear Jeff,

thank you very much for your answer!
The Tomcat connector doesn't have HTTPS enabled.
I forgot to remove the old "redirectPort" from tomcat's connector setting,
I did remove it now and restarted servers but the error still persists.


Thank you,
Zoltan.


On Tue, Mar 1, 2016 at 2:19 PM, Jeff Palmer 

wrote:


You have tomcat on 8443 which is usually an SSL enabled port, but none of
your backend server definitions enable SSL.

In the 3 'server' lines towards the end of your config, add 'ssl' at the
end.

Let us know!

On Mar 1, 2016 5:57 AM, "Zoltan Lorincz"  wrote:


Hi all,

I am very new to haproxy. Read through all the docs but I think something
is wrong with my configuration, because if we connect directly to tomcat we
don't get any 502 errors.

The errors from haproxy look like this.

Mar  1 11:41:37 www1 haproxy[15362]: xx.xx.xx.xx:56387
[01/Mar/2016:11:41:35.480] https-in~ servers/www1a 1987/0/0/-1/2029 502 8878
- - PH-- 1764/1758/46/26/0 0/0 "POST
/abc/test/b25766378a05446496645649e2ddaf7a/poll HTTP/1.1"



Tomcat connector config:

---
<Connector URIEncoding = "UTF-8"
port = "8080"
protocol = "HTTP/1.1"
maxThreads = "1850"
connectionTimeout = "90"
keepAliveTimeout = "90"
maxKeepAliveRequests = "-1"
redirectPort = "8443" />
---

Haproxy config:

---

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 777 level admin
stats timeout 30s
user haproxy
group haproxy
daemon

# Per process limit: The default is 2000, too small for us
maxconn 18000
# Increase the cache from 2 (default), higher values reduce CPU usage
tune.ssl.cachesize 6

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL).
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

ssl-default-bind-options no-sslv3 no-tls-tickets

defaults
log global
mode http
option httplog
option  http-server-close
option  forwardfor
option dontlognull
# Set the listen limit: The default is 2000, too small for us
maxconn 9000

# we should fix this
option accept-invalid-http-response
option 

Re: Haproxy 1.5.14 + Tomcat 8 giving random 502 errors

2016-03-03 Thread Igor Cicimov
On 01/03/2016 9:57 PM, "Zoltan Lorincz"  wrote:
>
> Hi all,
>
> I am very new to haproxy. Read through all the docs but I think something
> is wrong with my configuration, because if we connect directly to tomcat we
> don't get any 502 errors.
>
> The errors from haproxy look like this.
>
> Mar  1 11:41:37 www1 haproxy[15362]: xx.xx.xx.xx:56387
> [01/Mar/2016:11:41:35.480] https-in~ servers/www1a 1987/0/0/-1/2029 502
> 8878 - - PH-- 1764/1758/46/26/0 0/0 "POST
> /abc/test/b25766378a05446496645649e2ddaf7a/poll HTTP/1.1"
>
>
>
> Tomcat connector config:
>
> ---
> <Connector URIEncoding = "UTF-8"
> port = "8080"
> protocol = "HTTP/1.1"
> maxThreads = "1850"
> connectionTimeout = "90"
> keepAliveTimeout = "90"
> maxKeepAliveRequests = "-1"
> redirectPort = "8443" />
>
>
> ---
>
I have tomcat8 running behind SSL-terminating haproxy but my connector is
configured like this:



which is the common way to tell tomcat that although it receives plain traffic
the response URLs need to be https.

>
> Haproxy config:
>
> ---
> global
> log /dev/log local0
> log /dev/log local1 notice
> chroot /var/lib/haproxy
> stats socket /run/haproxy/admin.sock mode 777 level admin
> stats timeout 30s
> user haproxy
> group haproxy
> daemon
>
> # Per process limit: The default is 2000, too small for us
> maxconn 18000
> # Increase the cache from 2 (default), higher values reduce CPU usage
> tune.ssl.cachesize 6
>
> # Default SSL material locations
> ca-base /etc/ssl/certs
> crt-base /etc/ssl/private
>
> # Default ciphers to use on SSL-enabled listening sockets.
> # For more information, see ciphers(1SSL).
> ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
> ssl-default-bind-options no-sslv3 no-tls-tickets
>
> defaults
> log global
> mode http
> option httplog
> option  http-server-close
> option  forwardfor
> option dontlognull
> # Set the listen limit: The default is 2000, too small for us
> maxconn 9000
>
> # we should fix this
> option accept-invalid-http-response
> option accept-invalid-http-request
> no option checkcache
>
> timeout connect 8
> timeout client  90
> timeout server  50
>
> errorfile 400 /etc/haproxy/errors/400.http
> errorfile 403 /etc/haproxy/errors/403.http
> errorfile 408 /etc/haproxy/errors/408.http
> errorfile 500 /etc/haproxy/errors/500.http
> errorfile 502 /etc/haproxy/errors/502.http
> errorfile 503 /etc/haproxy/errors/503.http
> errorfile 504 /etc/haproxy/errors/504.http
>
> frontend http-in
> bind *:80
>
>
> # Skip the message broker from redirection
> acl skip_pages   path_reg ^/([\w]{2}/)?(message|yrf-laps)/(.*)
>
> # Redirect all subdomains to www.
> redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i www. }
>
> # Redirect all trafic to https
> redirect scheme https if !skip_pages !{ ssl_fc }
> default_backend servers
>
> frontend https-in
> # add no-tlsv10 for disabling tls 1.0
> bind *:443 ssl  crt /etc/ssl/private/www_example_com.pem
>
> default_backend servers
> # Redirect all subdomains to www.
> redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i www. }
> backend servers
>
> # Skip the cre redirect
> acl stage_cre_redirect shdr_beg(Location)   http://stage.cre.com
> acl cre_redirect shdr_beg(Location)   http://www.cre.com
>
> # Skip the blog.example.com redirect
> acl blog_redirect shdr_beg(Location) http://blog.example.com
>
> # Rewrite the response location (for redirect cases)
> rspirep ^Location:\ http://(.*)  Location:\ https://\1  if  !cre_redirect !stage_cre_redirect !blog_redirect { ssl_fc }
> # Every connection is closed and opened to the server
> option http-server-close
>
> # Recommended to enable
> option http-pretend-keepalive
> # The url to check the backend servers health
> option httpchk GET /srvstatus.htm
>
> # Balancing
> balance roundrobin
> appsession JSESSIONID len 52 timeout 3h request-learn prefix
> stick-table type string len 32 size 1M expire 3h
> # We have 3 backend servers, one is for backup
> server www1a 127.0.0.1:8080 check
> server www2a xx.xx.xx.xx:8080 check
> server www1b 127.0.0.1:8081 check  backup
>
--
>
> Sorry about the long haproxy config file. I was not sure which part is
> relevant to this error.
> I would appreciate any pointers you could give me.
>
> Thank you,
> Zoltan.
>


Re: Haproxy 1.5.14 + Tomcat 8 giving random 502 errors

2016-03-01 Thread Zoltan Lorincz
Jeff,

thanks again for the detailed answer.
I've already tested a configuration without various ACL's.

When I checked the error logs, I got this:

[02/Mar/2016:07:38:34.834] backend servers (#4): invalid response
  frontend https-in (#3), server www1a (#1), event #9270
  src 46.140.96.254:61409, session #20091598, session flags 0x00cf
  HTTP msg state 26, msg flags 0x, tx flags 0xa8200060
  HTTP chunk len 0 bytes, HTTP body len 0 bytes
  buffer flags 0x00048002, out 0 bytes, total 5 bytes
  pending 5 bytes, wrapping at 16384, error at position 2:

  0  20c\r\n

Do you have any idea what could cause this?

Thank you,
Zoltan.




On Tue, Mar 1, 2016 at 6:11 PM, Jeff Palmer  wrote:

> Zoltan,
>
>
> the "HP--" in the log means:
>
> P : the session was prematurely aborted by the proxy, because of a
> connection limit enforcement, because a DENY filter was
> matched,
> because of a security check which detected and blocked a
> dangerous
> error in server response which might have caused information
> leak
> (eg: cacheable cookie).
>
> H : the proxy was waiting for complete, valid response HEADERS from the
> server (HTTP only).
>
>
> Since you are saying that hitting the tomcat backend directly works,
> I would suggest trying to remove all the extra acls and matches.
> Try getting the basic frontend/backend part working,  then add your
> ACL's and matches one at a time.
>
> The "P" in the log unfortunately leaves a lot of potential reasons,
> which you are likely going to have to track down via trial and error.
> If removing the additional ACL's doesn't cause it to start working,
> I'd look at cookies and the "dangerous error" aspects.
>
>
>
>
> On Tue, Mar 1, 2016 at 7:36 AM, Zoltan Lorincz  wrote:
> > Dear Jeff,
> >
> > thank you very much for your answer!
> > The Tomcat connector doesn't have HTTPS enabled.
> > I forgot to remove the old "redirectPort" from tomcat's connector setting,
> > I did remove it now and restarted servers but the error still persists.
> >
> > Thank you,
> > Zoltan.
> >
> >
> > On Tue, Mar 1, 2016 at 2:19 PM, Jeff Palmer  wrote:
> >>
> >> You have tomcat on 8443 which is usually an SSL enabled port, but none of
> >> your backend server definitions enable SSL.
> >>
> >> In the 3 'server' lines towards the end of your config, add 'ssl' at the
> >> end.
> >>
> >> Let us know!
> >>
> >> On Mar 1, 2016 5:57 AM, "Zoltan Lorincz"  wrote:
> >>>
> >>> Hi all,
> >>>
> >>> I am very new to haproxy. Read through all the docs but I think something
> >>> is wrong with my configuration, because if we connect directly to tomcat we
> >>> don't get any 502 errors.
> >>>
> >>> The errors from haproxy look like this.
> >>>
> >>> Mar  1 11:41:37 www1 haproxy[15362]: xx.xx.xx.xx:56387
> >>> [01/Mar/2016:11:41:35.480] https-in~ servers/www1a 1987/0/0/-1/2029 502 8878
> >>> - - PH-- 1764/1758/46/26/0 0/0 "POST
> >>> /abc/test/b25766378a05446496645649e2ddaf7a/poll HTTP/1.1"
> >>>
> >>>
> >>>
> >>> Tomcat connector config:
> >>>
> >>>
> >>> ---
> >>> <Connector URIEncoding = "UTF-8"
> >>> port = "8080"
> >>> protocol = "HTTP/1.1"
> >>> maxThreads = "1850"
> >>> connectionTimeout = "90"
> >>> keepAliveTimeout = "90"
> >>> maxKeepAliveRequests = "-1"
> >>> redirectPort = "8443" />
> >>>
> >>>
> >>>
> >>> ---
> >>>
> >>>
> >>> Haproxy config:
> >>>
> >>>
> >>> ---
> >>> global
> >>> log /dev/log local0
> >>> log /dev/log local1 notice
> >>> chroot /var/lib/haproxy
> >>> stats socket /run/haproxy/admin.sock mode 777 level admin
> >>> stats timeout 30s
> >>> user haproxy
> >>> group haproxy
> >>> daemon
> >>>
> >>> # Per process limit: The default is 2000, too small for us
> >>> maxconn 18000
> >>> # Increase the cache from 2 (default), higher values reduce CPU usage
> >>> tune.ssl.cachesize 6
> >>>
> >>> # Default SSL material locations
> >>> ca-base /etc/ssl/certs
> >>> crt-base /etc/ssl/private
> >>>
> >>> # Default ciphers to use on SSL-enabled listening sockets.
> >>> # For more information, see ciphers(1SSL).
> >>> ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
> >>> ssl-default-bind-options no-sslv3 no-tls-tickets
> >>>
> >>> defaults
> >>> log global
> >>> mode http
> >>> option httplog
> >>> option  http-server-close
> >>> option  forwardfor
> >>> option dontlognull
> >>> # Set the listen limit: The default is 2000, too small for us
> >>> maxconn 9000
> >>>
> >>> # we should fix this
> >>> option accept-invalid-http-response
> >>> option accept-invalid-http-request
> >>> no option checkcache
> >>>
> >>> 

Re: Haproxy 1.5.14 + Tomcat 8 giving random 502 errors

2016-03-01 Thread Jeff Palmer
Zoltan,


the "HP--" in the log means:

P : the session was prematurely aborted by the proxy, because of a
connection limit enforcement, because a DENY filter was matched,
because of a security check which detected and blocked a dangerous
error in server response which might have caused information leak
(eg: cacheable cookie).

H : the proxy was waiting for complete, valid response HEADERS from the
server (HTTP only).


Since you are saying that hitting the tomcat backend directly works,
I would suggest trying to remove all the extra acls and matches.
Try getting the basic frontend/backend part working,  then add your
ACL's and matches one at a time.

The "P" in the log unfortunately leaves a lot of potential reasons,
which you are likely going to have to track down via trial and error.
If removing the additional ACL's doesn't cause it to start working,
I'd look at cookies and the "dangerous error" aspects.




On Tue, Mar 1, 2016 at 7:36 AM, Zoltan Lorincz  wrote:
> Dear Jeff,
>
> thank you very much for your answer!
> The Tomcat connector doesn't have HTTPS enabled.
> I  forgot to remove the old "redirectPort" from tomcat's connector setting,
> i did remove it now and restarted servers but the error still persist.
>
> Thank you,
> Zoltan.
>
>
> On Tue, Mar 1, 2016 at 2:19 PM, Jeff Palmer  wrote:
>>
>> You have tomcat on 8443 which is usually an SSL enabled port, but none of
>> your backend server definitions enable SSL.
>>
>> In the 3 'server' lines towards the end of your config, add 'ssl' at the
>> end.
>>
>> Let us know!
>>
>> On Mar 1, 2016 5:57 AM, "Zoltan Lorincz"  wrote:
>>>
>>> Hi all,
>>>
>>> I am very new to haproxy. Read through all the docs but I think something
>>> is wrong with my configuration, because if we connect directly to tomcat we
>>> don't get any 502 errors.
>>>
>>> The errors from haproxy look like this.
>>>
>>> Mar  1 11:41:37 www1 haproxy[15362]: xx.xx.xx.xx:56387
>>> [01/Mar/2016:11:41:35.480] https-in~ servers/www1a 1987/0/0/-1/2029 502 8878
>>> - - PH-- 1764/1758/46/26/0 0/0 "POST
>>> /abc/test/b25766378a05446496645649e2ddaf7a/poll HTTP/1.1"
>>>
>>>
>>>
>>> Tomcat connector config:
>>>
>>> ---
>>> <Connector URIEncoding = "UTF-8"
>>> port = "8080"
>>> protocol = "HTTP/1.1"
>>> maxThreads = "1850"
>>> connectionTimeout = "90"
>>> keepAliveTimeout = "90"
>>> maxKeepAliveRequests = "-1"
>>> redirectPort = "8443" />
>>>
>>>
>>> ---
>>>
>>>
>>> Haproxy config:
>>>
>>> ---
>>> global
>>> log /dev/log local0
>>> log /dev/log local1 notice
>>> chroot /var/lib/haproxy
>>> stats socket /run/haproxy/admin.sock mode 777 level admin
>>> stats timeout 30s
>>> user haproxy
>>> group haproxy
>>> daemon
>>>
>>> # Per process limit: The default is 2000, too small for us
>>> maxconn 18000
>>> # Increase the cache from 2 (default), higher values reduce CPU usage
>>> tune.ssl.cachesize 6
>>>
>>> # Default SSL material locations
>>> ca-base /etc/ssl/certs
>>> crt-base /etc/ssl/private
>>>
>>> # Default ciphers to use on SSL-enabled listening sockets.
>>> # For more information, see ciphers(1SSL).
>>> ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
>>> ssl-default-bind-options no-sslv3 no-tls-tickets
>>>
>>> defaults
>>> log global
>>> mode http
>>> option httplog
>>> option  http-server-close
>>> option  forwardfor
>>> option dontlognull
>>> # Set the listen limit: The default is 2000, too small for us
>>> maxconn 9000
>>>
>>> # we should fix this
>>> option accept-invalid-http-response
>>> option accept-invalid-http-request
>>> no option checkcache
>>>
>>> timeout connect 8
>>> timeout client  90
>>> timeout server  50
>>>
>>> errorfile 400 /etc/haproxy/errors/400.http
>>> errorfile 403 /etc/haproxy/errors/403.http
>>> errorfile 408 /etc/haproxy/errors/408.http
>>> errorfile 500 /etc/haproxy/errors/500.http
>>> errorfile 502 /etc/haproxy/errors/502.http
>>> errorfile 503 /etc/haproxy/errors/503.http
>>> errorfile 504 /etc/haproxy/errors/504.http
>>>
>>> frontend http-in
>>> bind *:80
>>>
>>>
>>> # Skip the message broker from redirection
>>> acl skip_pages   path_reg ^/([\w]{2}/)?(message|yrf-laps)/(.*)
>>>
>>> # Redirect all subdomains to www.
>>> redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i www. }
>>>
>>> # Redirect all trafic to https
>>> redirect scheme https if !skip_pages !{ ssl_fc }
>>> default_backend servers
>>>
>>> frontend https-in
>>> # add no-tlsv10 for disabling tls 1.0
>>> bind *:443 ssl  crt /etc/ssl/private/www_example_com.pem
>>>
>>> default_backend servers
>>> 
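
The "PH--" state and the 1987/0/0/-1/2029 timers that Jeff decodes above can be read mechanically from every httplog line. As an added example that is not part of this thread or of HAProxy, the following Python parses the log line from the original post and expands its termination state and timers using the field meanings from HAProxy's configuration manual; `parse_httplog`, `explain` and the sample line are constructed here.

```python
"""Decode an HAProxy 1.5 'option httplog' line like the 502 quoted in this thread.

Added example for this page, not code from the thread or from HAProxy. Field
order and flag meanings follow HAProxy's configuration manual (section 8, log
format and session state at disconnection); SAMPLE is constructed from the
line posted in the thread, with the client address kept masked as there.
"""
import re

SAMPLE = ('Mar  1 11:41:37 www1 haproxy[15362]: xx.xx.xx.xx:56387 '
          '[01/Mar/2016:11:41:35.480] https-in~ servers/www1a 1987/0/0/-1/2029 '
          '502 8878 - - PH-- 1764/1758/46/26/0 0/0 '
          '"POST /abc/test/b25766378a05446496645649e2ddaf7a/poll HTTP/1.1"')

# client:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt status bytes
# req_cookie resp_cookie termination_state actconn/feconn/beconn/srv_conn/retries
# srv_queue/backend_queue "request"
HTTPLOG_RE = re.compile(
    r'haproxy\[(?P<pid>\d+)\]: (?P<client>\S+):(?P<cport>\d+) '
    r'\[(?P<accept>[^\]]+)\] (?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>-?\d+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<term>\S{4}) \d+/\d+/\d+/\d+/(?P<retries>\d+) \d+/\d+ "(?P<request>[^"]*)"')

# First termination character: why the session ended.
SESSION_STATE = {
    'C': 'TCP session unexpectedly aborted by the client',
    'S': 'TCP session aborted or refused by the server',
    'P': 'session prematurely aborted by the proxy: connection limit, DENY rule, '
         'or a security check that blocked a dangerous server response',
    'L': 'handled locally by haproxy (redirect, stats), no server involved',
    'R': 'resource exhausted on the proxy', 'I': 'internal error in the proxy',
    'D': 'killed by haproxy because the server was marked down',
    'U': 'killed by haproxy: backup server released when a primary came back up',
    'K': 'killed by an administrator', 'c': 'client-side timeout expired',
    's': 'server-side timeout expired', '-': 'normal completion',
}
# Second character: which phase the session was in when it ended.
CLOSE_PHASE = {
    'R': 'waiting for a complete, valid REQUEST from the client',
    'Q': 'waiting in the QUEUE for a server slot',
    'C': 'waiting for the CONNECTION to the server to establish',
    'H': 'waiting for complete, valid response HEADERS from the server',
    'D': 'transferring DATA', 'L': 'sending LAST data to the client',
    'T': 'request was tarpitted', '-': 'normal completion after data transfer',
}
# Third/fourth characters describe the persistence cookie seen from the client and
# set by the server; '-' in both means no cookie persistence applied, as here.


def parse_httplog(line):
    """Parse one httplog line into a dict; raise ValueError if it is not one."""
    m = HTTPLOG_RE.search(line)
    if not m:
        raise ValueError('not an haproxy httplog line: %r' % line)
    fe = m['frontend']
    return {
        'frontend': fe.rstrip('~'), 'ssl': fe.endswith('~'),  # '~' = SSL frontend
        'backend': m['backend'], 'server': m['server'],
        'status': int(m['status']), 'term': m['term'], 'request': m['request'],
        'retries': int(m['retries']),
        # a timer of -1 means that phase never completed (e.g. Tr: no headers)
        'timers': {k: int(m[k]) for k in ('Tq', 'Tw', 'Tc', 'Tr', 'Tt')},
    }


def explain(entry):
    """Turn the termination state and timers into plain-language findings."""
    s, p, cc, sc = entry['term']
    t = entry['timers']
    notes = ['cause: ' + SESSION_STATE.get(s, 'unknown code %r' % s),
             'phase: ' + CLOSE_PHASE.get(p, 'unknown code %r' % p),
             'cookies: client %r, server %r' % (cc, sc)]
    if t['Tr'] == -1:
        notes.append('Tr=-1: no complete response headers were ever accepted from '
                     '%s/%s' % (entry['backend'], entry['server']))
    if s == 'P' and entry['status'] == 502:
        notes.append('the 502 was generated by haproxy after it rejected the server '
                     'response; it is not a status the server returned')
    if t['Tw'] == 0 and t['Tc'] == 0:
        notes.append('Tw=Tc=0: no queueing and an immediate connect, so the failure '
                     'came after the server connection was established')
    return notes
```

Feeding it the line from the original post yields "P" (aborted by the proxy), "H" (waiting for response headers) and Tr=-1, which together say the 502 came from haproxy rejecting what Tomcat sent back rather than from Tomcat itself.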

Re: Haproxy 1.5.14 + Tomcat 8 giving random 502 errors

2016-03-01 Thread Zoltan Lorincz
Dear Jeff,

thank you very much for your answer!
The Tomcat connector doesn't have HTTPS enabled.
I forgot to remove the old "redirectPort" from tomcat's connector setting,
I did remove it now and restarted servers but the error still persists.

Thank you,
Zoltan.


On Tue, Mar 1, 2016 at 2:19 PM, Jeff Palmer  wrote:

> You have tomcat on 8443 which is usually an SSL enabled port, but none of
> your backend server definitions enable SSL.
>
> In the 3 'server' lines towards the end of your config, add 'ssl' at the
> end.
>
> Let us know!
> On Mar 1, 2016 5:57 AM, "Zoltan Lorincz"  wrote:
>
>> Hi all,
>>
>> I am very new to haproxy. Read through all the docs but I think something
>> is wrong with my configuration, because if we connect directly to tomcat we
>> don't get any 502 errors.
>>
>> The errors from haproxy look like this.
>>
>> Mar  1 11:41:37 www1 haproxy[15362]: xx.xx.xx.xx:56387
>> [01/Mar/2016:11:41:35.480] https-in~ servers/www1a 1987/0/0/-1/2029 502
>> 8878 - - PH-- 1764/1758/46/26/0 0/0 "POST
>> /abc/test/b25766378a05446496645649e2ddaf7a/poll HTTP/1.1"
>>
>>
>>
>> Tomcat connector config:
>>
>> ---
>> <Connector URIEncoding = "UTF-8"
>> port = "8080"
>> protocol = "HTTP/1.1"
>> maxThreads = "1850"
>> connectionTimeout = "90"
>> keepAliveTimeout = "90"
>> maxKeepAliveRequests = "-1"
>> redirectPort = "8443" />
>>
>>
>> ---
>>
>>
>> Haproxy config:
>>
>> ---
>> global
>> log /dev/log local0
>> log /dev/log local1 notice
>> chroot /var/lib/haproxy
>> stats socket /run/haproxy/admin.sock mode 777 level admin
>> stats timeout 30s
>> user haproxy
>> group haproxy
>> daemon
>>
>> # Per process limit: The default is 2000, too small for us
>> maxconn 18000
>> # Increase the cache from 2 (default), higher values reduce CPU usage
>> tune.ssl.cachesize 6
>>
>> # Default SSL material locations
>> ca-base /etc/ssl/certs
>> crt-base /etc/ssl/private
>>
>> # Default ciphers to use on SSL-enabled listening sockets.
>> # For more information, see ciphers(1SSL).
>> ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
>> ssl-default-bind-options no-sslv3 no-tls-tickets
>>
>> defaults
>> log global
>> mode http
>> option httplog
>> option  http-server-close
>> option  forwardfor
>> option dontlognull
>> # Set the listen limit: The default is 2000, too small for us
>> maxconn 9000
>>
>> # we should fix this
>> option accept-invalid-http-response
>> option accept-invalid-http-request
>> no option checkcache
>>
>> timeout connect 8
>> timeout client  90
>> timeout server  50
>>
>> errorfile 400 /etc/haproxy/errors/400.http
>> errorfile 403 /etc/haproxy/errors/403.http
>> errorfile 408 /etc/haproxy/errors/408.http
>> errorfile 500 /etc/haproxy/errors/500.http
>> errorfile 502 /etc/haproxy/errors/502.http
>> errorfile 503 /etc/haproxy/errors/503.http
>> errorfile 504 /etc/haproxy/errors/504.http
>>
>> frontend http-in
>> bind *:80
>>
>>
>> # Skip the message broker from redirection
>> acl skip_pages   path_reg ^/([\w]{2}/)?(message|yrf-laps)/(.*)
>>
>> # Redirect all subdomains to www.
>> redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i www. }
>>
>> # Redirect all trafic to https
>> redirect scheme https if !skip_pages !{ ssl_fc }
>> default_backend servers
>>
>> frontend https-in
>> # add no-tlsv10 for disabling tls 1.0
>> bind *:443 ssl  crt /etc/ssl/private/www_example_com.pem
>>
>> default_backend servers
>> # Redirect all subdomains to www.
>> redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i www. }
>> backend servers
>>
>> # Skip the cre redirect
>> acl stage_cre_redirect shdr_beg(Location)   http://stage.cre.com
>> acl cre_redirect shdr_beg(Location)   http://www.cre.com
>>
>> # Skip the blog.example.com redirect
>> acl blog_redirect shdr_beg(Location) http://blog.example.com
>>
>> # Rewrite the response location (for redirect cases)
>> rspirep ^Location:\ http://(.*)  Location:\ https://\1  if !cre_redirect !stage_cre_redirect !blog_redirect { ssl_fc }
>> # Every connection is closed and opened to the server
>> option http-server-close
>>
>> # Recommended to enable
>> option http-pretend-keepalive
>> # The url to check the backend servers health
>> option httpchk GET /srvstatus.htm
>>
>> # Balancing
>> balance roundrobin
>> appsession JSESSIONID len 52 timeout 3h request-learn prefix
>> stick-table type string len 32 size 1M expire 3h
>> # We have 3 backend servers, one is for backup
>> server www1a 127.0.0.1:8080 check
>> server www2a xx.xx.xx.xx:8080 check
>> server www1b 127.0.0.1:8081 check  backup
>>
>> 

Re: Haproxy 1.5.14 + Tomcat 8 giving random 502 errors

2016-03-01 Thread Jeff Palmer
You have tomcat on 8443 which is usually an SSL enabled port, but none of
your backend server definitions enable SSL.

In the 3 'server' lines towards the end of your config, add 'ssl' at the
end.

Let us know!
On Mar 1, 2016 5:57 AM, "Zoltan Lorincz"  wrote:

> Hi all,
>
> I am very new to haproxy. Read through all the docs but I think something
> is wrong with my configuration, because if we connect directly to tomcat we
> don't get any 502 errors.
>
> The errors from haproxy look like this.
>
> Mar  1 11:41:37 www1 haproxy[15362]: xx.xx.xx.xx:56387
> [01/Mar/2016:11:41:35.480] https-in~ servers/www1a 1987/0/0/-1/2029 502
> 8878 - - PH-- 1764/1758/46/26/0 0/0 "POST
> /abc/test/b25766378a05446496645649e2ddaf7a/poll HTTP/1.1"
>
>
>
> Tomcat connector config:
>
> ---
> <Connector URIEncoding = "UTF-8"
> port = "8080"
> protocol = "HTTP/1.1"
> maxThreads = "1850"
> connectionTimeout = "90"
> keepAliveTimeout = "90"
> maxKeepAliveRequests = "-1"
> redirectPort = "8443" />
>
>
> ---
>
>
> Haproxy config:
>
> ---
> global
> log /dev/log local0
> log /dev/log local1 notice
> chroot /var/lib/haproxy
> stats socket /run/haproxy/admin.sock mode 777 level admin
> stats timeout 30s
> user haproxy
> group haproxy
> daemon
>
> # Per process limit: The default is 2000, too small for us
> maxconn 18000
> # Increase the cache from 2 (default), higher values reduce CPU usage
> tune.ssl.cachesize 6
>
> # Default SSL material locations
> ca-base /etc/ssl/certs
> crt-base /etc/ssl/private
>
> # Default ciphers to use on SSL-enabled listening sockets.
> # For more information, see ciphers(1SSL).
> ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
> ssl-default-bind-options no-sslv3 no-tls-tickets
>
> defaults
> log global
> mode http
> option httplog
> option  http-server-close
> option  forwardfor
> option dontlognull
> # Set the listen limit: The default is 2000, too small for us
> maxconn 9000
>
> # we should fix this
> option accept-invalid-http-response
> option accept-invalid-http-request
> no option checkcache
>
> timeout connect 8
> timeout client  90
> timeout server  50
>
> errorfile 400 /etc/haproxy/errors/400.http
> errorfile 403 /etc/haproxy/errors/403.http
> errorfile 408 /etc/haproxy/errors/408.http
> errorfile 500 /etc/haproxy/errors/500.http
> errorfile 502 /etc/haproxy/errors/502.http
> errorfile 503 /etc/haproxy/errors/503.http
> errorfile 504 /etc/haproxy/errors/504.http
>
> frontend http-in
> bind *:80
>
>
> # Skip the message broker from redirection
> acl skip_pages   path_reg ^/([\w]{2}/)?(message|yrf-laps)/(.*)
>
> # Redirect all subdomains to www.
> redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i www. }
>
> # Redirect all trafic to https
> redirect scheme https if !skip_pages !{ ssl_fc }
> default_backend servers
>
> frontend https-in
> # add no-tlsv10 for disabling tls 1.0
> bind *:443 ssl  crt /etc/ssl/private/www_example_com.pem
>
> default_backend servers
> # Redirect all subdomains to www.
> redirect prefix https://www.example.com code 301 if !{ hdr_beg(host) -i www. }
> backend servers
>
> # Skip the cre redirect
> acl stage_cre_redirect shdr_beg(Location)   http://stage.cre.com
> acl cre_redirect shdr_beg(Location)   http://www.cre.com
>
> # Skip the blog.example.com redirect
> acl blog_redirect shdr_beg(Location) http://blog.example.com
>
> # Rewrite the response location (for redirect cases)
> rspirep ^Location:\ http://(.*)  Location:\ https://\1  if  !cre_redirect !stage_cre_redirect !blog_redirect { ssl_fc }
> # Every connection is closed and opened to the server
> option http-server-close
>
> # Recommended to enable
> option http-pretend-keepalive
> # The url to check the backend servers health
> option httpchk GET /srvstatus.htm
>
> # Balancing
> balance roundrobin
> appsession JSESSIONID len 52 timeout 3h request-learn prefix
> stick-table type string len 32 size 1M expire 3h
> # We have 3 backend servers, one is for backup
> server www1a 127.0.0.1:8080 check
> server www2a xx.xx.xx.xx:8080 check
> server www1b 127.0.0.1:8081 check  backup
>
> --
>
> Sorry about the long haproxy config file. I was not sure which part is
> relevant to this error.
> I would appreciate any pointers you could give me.
>
> Thank you,
> Zoltan.
>
>