[ Closed ] Connection Dropping Issue in SSL Backend with TCP Mode


#1

Hello,
I’m running HAproxy with this version

HA-Proxy version 1.7.3 2017/02/28
Copyright 2000-2017 Willy Tarreau willy@haproxy.org

I have this config of haproxy

global
    stats timeout 30s
    maxconn 5001
    
defaults
    option httplog
    option dontlognull
    retries 3
    mode http
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    
frontend https-in
    bind *:443
    log 127.0.0.1 local2
    mode tcp
    option tcplog
    timeout client  3h
    timeout server  3h
    option          clitcpka
    use_backend back_webapp_apache2_php56-443
    
backend back_webapp_apache2_php56-443
    mode tcp
    balance roundrobin
    server host0 10.0.4.59:443 check fall 3 rise 2

So I have one apache backend running at ip 10.0.4.59.

The problem is sometimes I’m getting this error.

https-in https-in/ -1/-1/0 0 SC 0/0/0/0/0 0/0

Sometimes it works, but the connection is not consistent. What can be the issue, HAProxy or Apache? I don’t know where to start debugging this issue.

Thanks & Regards,
Chintan Patel


#2

Hi. Looks like your Apache server couldn’t receive a connection:

S : the TCP session was unexpectedly aborted by the server, or the server explicitly refused it.
C : the proxy was waiting for the CONNECTION to establish on the server. The server might at most have noticed a connection attempt.


#3

Hello @AllertGen,

Thanks for the reply.
I checked this gist file https://gist.github.com/ayosec/8112308#file-8-5-session-state-at-disconnection
It mentioned the same thing as you said about termination_state also as the combination.

SC The server or an equipment between it and haproxy explicitly refused
the TCP connection (the proxy received a TCP RST or an ICMP message
in return). Under some circumstances, it can also be the network
stack telling the proxy that the server is unreachable (eg: no route,
or no ARP response on local network). When this happens in HTTP mode,
the status code is likely a 502 or 503 here.

I’m still not sure where to go from here, I’m giving more information:

  • Running HAProxy on docker with official image haproxy:1.7
  • Running Apache2 also in a docker container
  • Both are running on different systems.

I also tested with JMeter and I’m getting 2% errors.

Thanks again
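
The termination-state field discussed in posts #2 and #3 can be extracted from tcplog lines and tallied, which turns "sometimes" into a measured refusal rate. This is an added example, not code from the thread or from the HAProxy project; the names `parse` and `refusal_rate` are hypothetical, the flag tables hold a subset of the codes in the HAProxy documentation, and every sample line except the one from post #1 is constructed.

```python
import re
from collections import Counter

# First character: which event ended the session ("S" is quoted in post #2).
CAUSE = {"C": "client aborted", "S": "server aborted or refused",
         "P": "proxy aborted", "R": "proxy resource exhausted",
         "I": "proxy internal error", "c": "client-side timeout",
         "s": "server-side timeout", "-": "normal completion"}
# Second character: what the session was doing when it ended.
PHASE = {"R": "waiting for client request", "Q": "waiting in queue",
         "C": "waiting for server connection", "H": "waiting for server headers",
         "D": "transferring data", "L": "sending last data to client",
         "T": "tarpitted", "-": "normal completion"}

# tcplog tail: frontend backend/server Tw/Tc/Tt bytes state conn-counters queues
TCPLOG = re.compile(
    r"(?<!\S)(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S*) "
    r"(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>\+?-?\d+) (?P<bytes>\+?\d+) "
    r"(?P<state>\S\S) \d+/\d+/\d+/\d+/(?P<retries>\+?\d+) \d+/\d+")

def parse(line):
    """Return the fields of one tcplog line as a dict, or None if no match."""
    m = TCPLOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    cause, phase = rec["state"]
    rec["meaning"] = ("normal completion" if rec["state"] == "--" else
                      f"{CAUSE.get(cause, '?')} while {PHASE.get(phase, '?')}")
    rec["connected"] = int(rec["tc"]) >= 0   # Tc = -1: never reached the server
    return rec

def refusal_rate(lines):
    """Count termination states and return (Counter, share of 'SC' sessions)."""
    states = Counter(r["state"] for r in map(parse, lines) if r)
    total = sum(states.values())
    return states, (states["SC"] / total if total else 0.0)

# Constructed sample; only the second line is the one posted in #1.
PREFIX = "haproxy[1]: 10.0.4.7:51234 [01/Mar/2017:10:00:01.120] "
BACKEND = "https-in back_webapp_apache2_php56-443/host0 "
SAMPLE = [
    PREFIX + BACKEND + "1/0/1532 4821 -- 3/3/2/2/0 0/0",
    "https-in https-in/ -1/-1/0 0 SC 0/0/0/0/0 0/0",
    PREFIX + BACKEND + "1/-1/3004 0 SC 4/4/3/3/3 0/0",
    PREFIX + BACKEND + "1/2/910 2210 CD 2/2/1/1/0 0/0",
]
```

Grouping the `SC` records by timestamp and by the `retries` field shows whether refusals cluster under load, which is the distinction posts #4 and #5 ask about.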


#4

Means the backend is rejecting the connection attempt.

Check your backend logs, from an application, kernel and firewall point of view, and every device that is between the backend and the haproxy server.


#5

It could be anything (from the network to the limits of your Apache server). It’s better to use some bandwidth tests to create a lot of connections to the Apache server (like tcpkali or apache tools). It could easily be limits of the OS of the Apache server or of Apache itself.
Also I see that you are using tcp mode for a web service. It would be better to switch to http mode and use:

option http-keep-alive
no option http-server-close

In this case your haproxy server will not create an additional connection for each client (without it, on an untuned OS you can keep only ~35k connections). It will use existing connections for transferring the data of all clients.


#6

Hello,

At the end we implemented http mode with ssl. Thank you again @lukastribus @AllertGen

Regards,
Chintan Patel