Always using default_backend


#1

Hi guys,

I am lost in what I thought would be an easy use case. I have an application that is not HA-ready, and I am trying to bind it to a single node of my cluster using this configuration:

# Process-wide settings: log target, connection cap, run-as identity and TLS defaults.
global
# Send logs to the syslog listener on localhost, facility local0.
log 127.0.0.1 local0
maxconn 2000
# Run the worker process as the unprivileged haproxy user and group.
# NOTE(review): no chroot directive appears in this section.
user haproxy
group haproxy
# Upper bound, in bits, for the DH parameters used in DHE key exchanges.
tune.ssl.default-dh-param 2048
# Default cipher list for every "bind ... ssl" line that does not set its own.
# It excludes aNULL, eNULL, EXPORT, single DES, RC4, MD5 and PSK suites.
# NOTE(review): the list still admits 3DES (DES-CBC3-SHA), the broad AES and
# CAMELLIA aliases, and static-RSA suites (AES128-SHA etc.) that give no forward
# secrecy. No protocol-version restriction (e.g. no-sslv3) appears in this
# section, so the minimum TLS version is whatever the linked OpenSSL allows.
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

# Settings inherited by every frontend and backend declared after this section.
defaults
log global
mode http

# Log each HTTP request in the detailed HTTP format, which includes the request line.
# NOTE(review): the request line carries the query string, so values sent as
# "?ShareToken=..." end up in the logs. If the token grants access to a share,
# treat the log files (and the syslog path to them) as sensitive.
option httplog

# Do not log connections on which no data was exchanged.
option dontlognull

# Retry a failed server connection up to 3 times; redispatch allows a retry to
# be sent to a different server.
retries 3
option redispatch
# Timeouts given without a unit are in milliseconds: 5 s connect, 10 s client, 10 s server.
timeout connect  5000
timeout client  10000
timeout server  10000

# Public HTTPS entry point; TLS is terminated on this listener.
frontend www-http-vip10
# crt: PEM file holding the server certificate and its private key, so its file
# permissions should be restricted.
# ca-file + "verify optional": a client certificate is requested and, if sent,
# checked against the CA bundle, but clients without one are still accepted.
# NOTE(review): none of the rules shown for this frontend test whether a client
# certificate was presented (e.g. ssl_c_used), so as written it does not
# restrict access. Confirm whether that is intended.
bind 194.113.6.10:443 ssl crt /etc/haproxy/ssl/wc_bitmarck_org.pem ca-file /etc/haproxy/ssl/cert.cabundle verify optional
# Overrides the 10 s client timeout from the defaults section: idle client
# connections are held for up to one hour, which ties up maxconn slots.
timeout client 1h
mode http

These are the conditions I need to match:

/Web Client/Share/

/?ShareToken=

Wir versuchen die konstante Bedingung für Filesharing zu erfassen

# want_app1: path_dir is a literal (non-regex) match on slash-delimited parts of
# the path, so the dots in this pattern are compared as literal dots.
# NOTE(review): the extra word after the pattern is read as a second pattern of
# the same ACL, not as a backend name.
acl want_app1 path_dir ./Web%20Client/Share/. fshare1-http-vip10
# want_app2: case-insensitive regex over the whole URL (path plus query string).
# The trailing word is again parsed as an additional pattern.
acl want_app2 url_reg -i .?Sharetoken=. fshare1-http-vip10

testing if backend available

# nbsrv() gives the number of usable servers in the named backend; each ACL is
# true when at least one server is available. Both ACLs test the same condition
# on the same backend.
acl app1_avail nbsrv(fshare1-http-vip10) ge 1
acl app2_avail nbsrv(fshare1-http-vip10) ge 1

try to use one host only

# Send the request to the file-share backend when the URL condition holds AND the
# backend has a usable server (ACLs listed together are ANDed). use_backend rules
# are evaluated in order and the first match wins.
use_backend fshare1-http-vip10 if want_app1 app1_avail
use_backend fshare1-http-vip10 if want_app2 app2_avail
# Anything that matched no rule above goes to the general pool.
# NOTE(review): this backend has the same name as the frontend, so a log field
# showing "www-http-vip10" may be the frontend name rather than evidence that the
# default backend was chosen. Distinct names make the logs unambiguous.
default_backend www-http-vip10

# Plain TCP pass-through for SSH on the public address; in tcp mode HAProxy
# forwards the byte stream without inspecting or authenticating it.
# NOTE(review): no source restriction or connection-rate limit is shown here, and
# with no PROXY-protocol option on the backend servers the SSH daemons presumably
# see HAProxy's address as the peer. Confirm how client IPs are attributed in
# the sshd logs and in any brute-force lockout tooling.
frontend ssh-proxy-vip10
bind 194.113.6.10:22
default_backend ssh-backend-vip10
# Idle client connections are held for up to one hour.
timeout client 1h
mode tcp

# Dedicated backend for the file-share application: exactly one server.
backend fshare1-http-vip10
mode http
# 30 s connect and server timeouts (values without a unit are milliseconds).
timeout connect 30000
timeout server 30000
retries 3
# Health checks issue an HTTP "GET /" request.
option httpchk GET /
# check inter 60000: the server is health-checked every 60 s.
# ssl ... verify none: the connection to the server is encrypted, but the server
# certificate is not validated, so the server's identity is not authenticated and
# an on-path host in the internal network could impersonate it.
# NOTE(review): prefer "verify required" with a ca-file for the internal CA.
server fshare1 10.41.229.15:40443 ssl check inter 60000 weight 20 verify none

# General HTTPS pool: six server entries across two hosts, chosen by source-IP hash.
backend www-http-vip10
mode http
# Hash the client source address so a given client keeps landing on the same server.
balance source
timeout connect 30000
# Server-side idle timeout of one hour.
timeout server 1h
retries 3
# Health checks issue an HTTP "GET /" request every 60 s (inter 60000).
option httpchk GET /
# NOTE(review): every server uses "ssl ... verify none", so backend certificates
# are not validated and the servers' identity is not authenticated. Prefer
# "verify required" with a ca-file for the internal CA.
# NOTE(review): GP2-HTTPS is the same address and port as the fshare1 server in
# the fshare1-http-vip10 backend, so requests that miss the file-share rules can
# still reach that node through this pool.
server GP1-HTTPS 10.41.229.15:20443 ssl check inter 60000 weight 10 verify none
server GP2-HTTPS 10.41.229.15:40443 ssl check inter 60000 weight 20 verify none
server GP3-HTTPS 10.41.229.15:60443 ssl check inter 60000 weight 30 verify none
server GP4-HTTPS 10.41.229.16:20443 ssl check inter 60000 weight 10 verify none
server GP5-HTTPS 10.41.229.16:40443 ssl check inter 60000 weight 20 verify none
server GP6-HTTPS 10.41.229.16:60443 ssl check inter 60000 weight 30 verify none

# SSH pool behind the TCP frontend: weighted round-robin with source-IP stickiness.
backend ssh-backend-vip10
mode tcp
balance roundrobin
timeout server 1h
# Remember which server each client source IP was sent to: up to 200k entries,
# each expiring after 30 minutes without use.
stick-table type ip size 200k expire 30m
stick on src
# Sets a 1 s health-check interval for the servers below.
# NOTE(review): no server line carries the "check" keyword, so health checks do
# not appear to be enabled; the interval then has no effect and an unreachable
# server would keep receiving connections. Confirm whether "check" was intended.
default-server inter 1s
server GP1-SSH 10.41.229.15:20022 weight 30
server GP2-SSH 10.41.229.15:40022 weight 20
server GP3-SSH 10.41.229.15:60022 weight 10
server GP4-SSH 10.41.229.16:20022 weight 30
server GP5-SSH 10.41.229.16:40022 weight 20
server GP6-SSH 10.41.229.16:60022 weight 10

Could anyone help and tell me what I am doing wrong? It is always using the default backend.


#2

What's the trailing fshare1-http-vip10 supposed to do? Remove it.

I think you made your configuration unnecessarily complex. Why would you need to content-switch based on backend availability? Does your default backend serve the filesharing app? If not, then this doesn’t make sense.


#3

Thanks, you are so right… “fshare1-http-vip10” was bogus extra value.

In the backend fshare1-http-vip10 there will be different ports from different load balancers pointing to the same backend server. So I want this test to be done, but I have commented it out for the time being.

I changed to:

Example for Expressions

https://myurl.com/Web%20Client/Share/OutgoingWizard.htm

https://myurl.com/?ShareToken=2A4AD21A59EF0CF9DA150999E4FAD5DA1E82B335

Regex to get above

# Disabled variant that used an escaped literal space instead of %20.
#acl want_app1 url_reg ./Web\ Client/Share/.
# Case-insensitive regexes over the whole URL (path and query string); an
# unescaped "." matches any single character.
# NOTE(review): the patterns are unanchored, so the text can match anywhere in
# the URL, including inside the query string of an unrelated path. If the routing
# decision matters, anchor the pattern or use a narrower matcher such as path_beg
# for the directory and urlp(ShareToken) for the parameter.
acl want_app1 url_reg -i ./Web%20Client/Share/.
acl want_app2 url_reg -i .?ShareToken=.

Wir prüfen ob das Backend da ist

#acl app1_avail nbsrv(fshare1-http-vip10) ge 1
#acl app2_avail nbsrv(fshare1-http-vip10) ge 1

Wir setzen den Server auf dx804

# Disabled rules that additionally required a usable server in the backend.
#use_backend fshare1-http-vip10 if want_app1 app1_avail
#use_backend fshare1-http-vip10 if want_app2 app2_avail
# Route on the URL match alone; rules are evaluated in order, first match wins.
use_backend fshare1-http-vip10 if want_app1
use_backend fshare1-http-vip10 if want_app2
# Fallback for requests that matched neither rule.
# NOTE(review): the frontend and this backend share the name www-http-vip10, so
# that name in a log line does not by itself identify the backend that was used.
default_backend www-http-vip10

Any more ideas? It still results in backend: www-http-vip10


#4

Could somebody please take a look? I am using CentOS; HAProxy is version 1.5.

It is so weird. I tried different ways to match the URL:

# Disabled variant: regex over the full URL with an escaped literal space.
#acl want_app1 url_reg .*\/Web\ Client\/Share\/.*
# Named ACLs using path_reg, which is applied to the path only.
# NOTE(review): neither named ACL is referenced by an active rule below.
acl want_app1 path_reg .*\/Web%20Client\/Share\/.*
# NOTE(review): the path excludes the query string, so a pattern that requires
# "?ShareToken=" cannot match with path_reg; url_reg or urlp(ShareToken) sees the
# query string.
acl want_app2 path_reg .*\?ShareToken=.*
# Check whether the backend is available
#acl app1_avail nbsrv(fshare1-http-vip10) ge 1
#acl app2_avail nbsrv(fshare1-http-vip10) ge 1
# Set the server to dx804
#use_backend fshare1-http-vip10 if want_app1 app1_avail
#use_backend fshare1-http-vip10 if want_app2 app2_avail
#use_backend fshare1-http-vip10 if want_app1
# Active rules use anonymous ACLs in braces instead of the named ones.
# NOTE(review): this pattern expects a literal space, while the example URL in
# this thread carries the space as %20. The match is presumably done on the
# request as received, so the rule would not fire for that URL. Confirm.
use_backend fshare1-http-vip10 if { path_reg .*\/Web\ Client\/Share\/.* }
# NOTE(review): same path-versus-query-string limitation as want_app2 above.
use_backend fshare1-http-vip10 if { path_reg .*\?ShareToken=.* }
#use_backend fshare1-http-vip10 if want_app2
# Fallback when no use_backend rule matched; it shares its name with the frontend.
default_backend www-http-vip10

The syntax is always fine, but in the log file it is always:
Jul 10 13:14:29 localhost haproxy[29776]: Connect from 217.89.44.130:35289 to 194.113.6.10:443 (www-http-vip10/HTTP)


#5

OK, punch me if you see me, or in other words… raising the debug level proved everything has been working as expected since lesson I. Next question: am I ready for vacation? Indeed! Sorry for wasting your time!