HAProxy 1.7.9 hangs at getsockopt() system call


We recently upgraded to haproxy 1.7.9, and we are facing one issue.

A TLS tunnel is created from the frontend system to haproxy, and then haproxy creates a TCP connection with another interface after the TLS handshake with the frontend.

Here, after the TLS handshake, haproxy hangs at the getsockopt() system call.

0.000058 getsockopt(2, SOL_IP, 0x50 /* IP_??? */,

Earlier we were using 1.5.19 and it was working fine.

Please share haproxy -vv and uname -a.

This may be a known Linux kernel bug:



/usr/haproxy/sbin/haproxy -vv
HA-Proxy version 1.7.9 2017/08/18
Copyright 2000-2017 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux26
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2n 7 Dec 2017
Running on OpenSSL version : OpenSSL 1.0.2n 7 Dec 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.41 2017-07-05
Running on PCRE version : 8.41 2017-07-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[COMP] compression
[TRACE] trace
[SPOE] spoe

uname -a
Linux LB-0 4.4.118-pc64-distro.git-18.2.2-rcp2 #1 SMP Tue Feb 27 07:57:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Yes, like I suspected, you are hitting the kernel bug I mentioned earlier.

In the 4.4 stable tree, this kernel bug was introduced in 4.4.118 and fixed in 4.4.119.

Please upgrade your 4.4 kernel to the latest 4.4.127.