HAProxy 1.8.7.0 - Resolving non FQDN fails


#1

Hi,
After “moving” from HAProxy 1.6.3.1 to 1.8.7.0 I encountered a resolving issue.

I would like to resolve the hostname “VMAS” using HAProxy 1.8.7.0.
The server line is:
server VMAS VMAS:8090 check ssl verify required ca-file /usr/cti/conf/common/ssl/truststore/viatruststore.pem crt /usr/cti/conf/common/ssl/keystore/viakeystore.pem inter 30000 resolvers mydns resolve-prefer ipv6

resolv.conf:
domain domain1.com
search domain1.com domain2.com domain3.com
nameserver 127.0.0.1
options timeout:3
options retrans:1
options retry:1

HAPROXY 1.6.3.1
When using HAProxy 1.6.3.1 I noticed that HAProxy succeeds in resolving “VMAS”. It uses the search domains and tries one domain after another as configured in resolv.conf, and resolving succeeds on the 3rd search domain.
Example:
VMAS.domain1.com # failed to resolve, NX
VMAS.domain2.com # failed to resolve, NX
VMAS.domain3.com # resolved successfully

HAPROXY 1.8.7.0
When using HAProxy 1.8.7.0 I noticed that HAProxy fails to resolve “VMAS”.
It doesn’t use the “search domains” in resolv.conf.
For example:
it tries only VMAS.domain1.com

It seems that HAProxy 1.8.7.0 requires an FQDN in the server line of haproxy.cfg for resolving.
In my example it works only if I insert VMAS.domain3.com into the server line:
server VMAS vmas.domain3.com:8090 check ssl verify required ca-file /usr/cti/conf/common/ssl/truststore/viatruststore.pem crt /usr/cti/conf/common/ssl/keystore/viakeystore.pem inter 30000 resolvers mydns resolve-prefer ipv6

Is there a way to configure a hostname in haproxy.cfg and have it resolve in 1.8.7.0 without an FQDN, as it works in 1.6.3.0?

Thanks
Amir

additional information:
HAProxy compile parameters:
make TARGET=linux26 USE_GETADDRINFO=1 USE_OPENSSL=1 CPU=x86_64 ARCH=x86_64 USE_PCRE=1 USE_LIBCRYPT=1 USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 ADDLIB=-lz

error in haproxy log when running 1.8.7.0 and query hostname only (VMAS):
Server HAProxy_MO_from_IS4/VMAS is going DOWN for maintenance (DNS NX status). 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.

Relevant part of haproxy.cfg

global
    log 127.0.0.1 local0 info #emerg alert crit err warning notice info debug
    maxconn 90096
    tune.ssl.default-dh-param 2048
    uid 55301
    gid 55301
    nbproc 2
    ssl-default-bind-ciphers HIGH:MEDIUM:!aNULL:+SHA1:!MD5:!RC4:!SSLv2:!ADH:!EDH
    ssl-default-bind-options no-sslv3 #force-tlsv10
    stats socket /var/run/haproxy.sock mode 600 level admin

resolvers mydns
    nameserver dns1 127.0.0.1:53
    resolve_retries 3
    timeout retry 1s
    hold valid 60s

defaults
    log global
    #option tcplog
    #option dontlognull
    retries 3
    maxconn 90096
    timeout client 600000
    timeout server 60000
    timeout connect 5000

listen HAProxy_MO_from_IS4
    log global
    option tcplog
    mode http
    acl valid_method method GET POST PUT DELETE HEAD OPTIONS
    http-request deny if ! valid_method
    bind :58910 v4v6 name MO_Http
    balance roundrobin
    #http-check disable-on-404
    #option httpchk
    maxconn 90096
    timeout client 480000
    timeout server 5000
    timeout connect 5000
    server VMAS VMAS:8090 check ssl verify required ca-file /usr/cti/conf/common/ssl/truststore/viatruststore.pem crt /usr/cti/conf/common/ssl/keystore/viakeystore.pem inter 30000 resolvers mydns resolve-prefer ipv6


#2

Haproxy does not support search domains, you need the full FQDN.

Not sure how this worked before, probably it didn’t and it only resolved via libc.
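
A pre-upgrade check for the situation in this thread, added here as an example and not part of either post or of HAProxy: it flags `server` lines that use a `resolvers` section with a dotless hostname and proposes the FQDN from the resolv.conf search list. The sample files are constructed from the ones quoted above, and the `resolves` callback is a hypothetical hook that you supply to query your own DNS.

```python
import ipaddress

# Constructed sample inputs, modelled on the files quoted in the post.
RESOLV_CONF = """\
domain domain1.com
search domain1.com domain2.com domain3.com
nameserver 127.0.0.1
"""
HAPROXY_CFG = """\
listen HAProxy_MO_from_IS4
    server VMAS VMAS:8090 check resolvers mydns resolve-prefer ipv6
    server other other.domain3.com:8090 check resolvers mydns
    server local 127.0.0.1:8091 check
"""

def search_domains(resolv_conf):
    """Return the libc search list; 'domain' and 'search' override each other, last wins."""
    domains = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] in ("domain", "search"):
            domains = fields[1:]
    return domains

def is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def short_name_servers(cfg):
    """Yield (line_no, server_name, host) for server lines that reference a
    'resolvers' section but give a hostname with no dot in it."""
    for no, line in enumerate(cfg.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "server" or "resolvers" not in fields[3:]:
            continue
        host = fields[2].rsplit(":", 1)[0]  # drop the :port suffix
        if not is_ip(host) and "." not in host:
            yield no, fields[1], host

def suggest_fqdn(host, domains, resolves):
    """First search-list candidate for which resolves(fqdn) is true, else None."""
    for domain in domains:
        fqdn = f"{host}.{domain}"
        if resolves(fqdn):
            return fqdn
    return None
```

The order of candidates follows the search list, so the suggestion matches what the libc lookup described in post #1 would have returned.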