Haproxy repetitively sending reset packets


#1

Hi

I set up HAProxy to do SSL termination for the webserver in the backend, because the webserver doesn’t support SSL.
But as soon as HAProxy is launched, it keeps sending reset packets to the backend web server.
What could be the cause of this?

1 0 172.17.0.7 172.17.0.5 TCP 74 45886 > 8052 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294779355 TSecr=0 WS=128
2 0.000071 172.17.0.5 172.17.0.7 TCP 74 8052 > 45886 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=4294779355 TSecr=4294779355 WS=128
3 0.000118 172.17.0.7 172.17.0.5 TCP 66 45886 > 8052 [RST, ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=0 TSecr=4294779355
4 2.004199 172.17.0.7 172.17.0.5 TCP 74 45888 > 8052 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294781359 TSecr=0 WS=128
5 2.004264 172.17.0.5 172.17.0.7 TCP 74 8052 > 45888 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=4294781359 TSecr=4294781359 WS=128
6 2.004297 172.17.0.7 172.17.0.5 TCP 66 45888 > 8052 [RST, ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=0 TSecr=4294781359
7 4.007935 172.17.0.7 172.17.0.5 TCP 74 45890 > 8052 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294783363 TSecr=0 WS=128
8 4.008002 172.17.0.5 172.17.0.7 TCP 74 8052 > 45890 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=4294783363 TSecr=4294783363 WS=128
9 4.008035 172.17.0.7 172.17.0.5 TCP 66 45890 > 8052 [RST, ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=0 TSecr=4294783363
10 6.017341 172.17.0.7 172.17.0.5 TCP 74 45906 > 8052 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294785372 TSecr=0 WS=128
11 6.017404 172.17.0.5 172.17.0.7 TCP 74 8052 > 45906 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=4294785372 TSecr=4294785372 WS=128
12 6.017448 172.17.0.7 172.17.0.5 TCP 66 45906 > 8052 [RST, ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=0 TSecr=4294785372
13 8.019894 172.17.0.7 172.17.0.5 TCP 74 45914 > 8052 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4294787375 TSecr=0 WS=128

172.17.0.7 is the haproxy
172.17.0.5 is awx_web

Here is the haproxy.cfg I used.

global
    maxconn 2048
    tune.ssl.default-dh-param 2048

defaults
    mode http
    option forwardfor
    option http-server-close
    timeout connect 5000ms
    timeout client 5000ms
    timeout server 5000ms

frontend www-https
    bind *:443 ssl crt /root/key/mykey.pem
    reqadd X-Forwarded-Proto:\ https
    default_backend backend_app1_ssl

backend backend_app1_ssl
    http-reuse safe
    redirect scheme http if { ssl_fc }
    server www-1 172.17.0.5:8052 check


And the yaml file to launch the AWX and haproxy

========================================================

- hosts: localhost
  tasks:
    - name: 1. Activate postgres container
      docker_container:
        name: postgres
        image: postgres:9.6
        state: started
        ports:
          - "5432:5432"
        env:
          POSTGRES_DB: awx
          POSTGRES_PASSWORD: awxpass
          POSTGRES_USER: awx
        volumes:
          - "/tmp/pgdocker:/var/lib/postgresql/data"

    - name: 2. Activate rabbitmq container
      docker_container:
        name: rabbitmq
        state: started
        image: rabbitmq:3
        env:
          RABBITMQ_DEFAULT_VHOST: "awx"

    - name: 3. Activate memcached container
      docker_container:
        name: memcached
        state: started
        image: memcached:alpine

    - name: Wait for postgres and rabbitmq to activate
      pause:
        seconds: 10

    - name: Set properties with postgres for awx_web
      set_fact:
        pg_hostname_actual: postgres
        awx_web_container_links:
          - rabbitmq
          - memcached
          - postgres

    - name: 4. Activate AWX Web Container
      docker_container:
        name: awx_web
        state: started
        image: awx_web:1.0.0.337
        user: root
        ports:
          - "80:8052"
        links: "{{ awx_web_container_links|list }}"
        hostname: awxweb
        env:
          SECRET_KEY: aabbcc
          DATABASE_NAME: awx
          DATABASE_USER: awx
          DATABASE_PASSWORD: awxpass
          DATABASE_PORT: 5432
          DATABASE_HOST: "{{ pg_hostname_actual }}"
          RABBITMQ_USER: guest
          RABBITMQ_PASSWORD: guest
          RABBITMQ_HOST: rabbitmq
          RABBITMQ_PORT: 5672
          RABBITMQ_VHOST: awx
          MEMCACHED_HOST: memcached
          MEMCACHED_PORT: 11211

    - name: Set properties with postgres for awx_task
      set_fact:
        pg_hostname_actual: postgres
        awx_task_container_links:
          - rabbitmq
          - memcached
          - awx_web
          - postgres

    - name: 5. Activate AWX Task Container
      docker_container:
        name: awx_task
        state: started
        image: awx_task:1.0.0.337
        links: "{{ awx_task_container_links|list }}"
        user: root
        hostname: awx
        env:
          SECRET_KEY: aabbcc
          DATABASE_NAME: awx
          DATABASE_USER: awx
          DATABASE_PASSWORD: awxpass
          DATABASE_HOST: "{{ pg_hostname_actual }}"
          DATABASE_PORT: 5432
          RABBITMQ_USER: guest
          RABBITMQ_PASSWORD: guest
          RABBITMQ_HOST: rabbitmq
          RABBITMQ_PORT: 5672
          RABBITMQ_VHOST: awx
          MEMCACHED_HOST: memcached
          MEMCACHED_PORT: 11211

    - name: 6. Activate HAProxy Container
      docker_container:
        name: myhaproxy
        state: started
        image: haproxy:latest
        #links: awx_web
        ports:
          - "443:443"
        volumes:
          - "/usr/local/etc/haproxy/:/usr/local/etc/haproxy/"
          - "/root/key/:/root/key/"

#2

It's the health check that you configured with the check keyword on the server line.

Sending the reset is the most efficient, which is why that is done in this case. Upgrade to an HTTP health check if that is causing any problems (or you want to health check the application as well).
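
Added example (not part of the thread): a small Python parser that confirms the diagnosis in post #2 from the capture itself, by finding connections that go SYN, SYN/ACK, RST/ACK with no payload and measuring how regularly they recur. The function names are illustrative; the roughly 2-second spacing it reports matches HAProxy's default check interval (`inter`, 2s).

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Packets 1-10 of the capture in post #1, TCP options after Len=0 trimmed.
CAPTURE = """\
1 0 172.17.0.7 172.17.0.5 TCP 74 45886 > 8052 [SYN] Seq=0 Win=29200 Len=0
2 0.000071 172.17.0.5 172.17.0.7 TCP 74 8052 > 45886 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0
3 0.000118 172.17.0.7 172.17.0.5 TCP 66 45886 > 8052 [RST, ACK] Seq=1 Ack=1 Win=29312 Len=0
4 2.004199 172.17.0.7 172.17.0.5 TCP 74 45888 > 8052 [SYN] Seq=0 Win=29200 Len=0
5 2.004264 172.17.0.5 172.17.0.7 TCP 74 8052 > 45888 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0
6 2.004297 172.17.0.7 172.17.0.5 TCP 66 45888 > 8052 [RST, ACK] Seq=1 Ack=1 Win=29312 Len=0
7 4.007935 172.17.0.7 172.17.0.5 TCP 74 45890 > 8052 [SYN] Seq=0 Win=29200 Len=0
8 4.008002 172.17.0.5 172.17.0.7 TCP 74 8052 > 45890 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0
9 4.008035 172.17.0.7 172.17.0.5 TCP 66 45890 > 8052 [RST, ACK] Seq=1 Ack=1 Win=29312 Len=0
10 6.017341 172.17.0.7 172.17.0.5 TCP 74 45906 > 8052 [SYN] Seq=0 Win=29200 Len=0
"""

LINE = re.compile(
    r"^\d+\s+(?P<t>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\].*?Len=(?P<len>\d+)")

def find_probes(text):
    """Return {(client, server, port): [start times]} for connections that
    go SYN -> SYN,ACK -> RST,ACK without carrying any payload."""
    conns = defaultdict(list)  # (client, cport, server, sport) -> packets
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        flags = frozenset(f.strip() for f in m["flags"].split(","))
        a, b = (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))
        # A bare SYN opens a flow; replies are filed under the opener's key.
        key = a + b if flags == {"SYN"} else (b + a if b + a in conns else a + b)
        conns[key].append((float(m["t"]), flags, int(m["len"])))
    probes = defaultdict(list)
    for (client, _cport, server, port), pkts in conns.items():
        reset_after_handshake = [f for _, f, _ in pkts] == [{"SYN"}, {"SYN", "ACK"}, {"RST", "ACK"}]
        if reset_after_handshake and not any(n for *_, n in pkts):
            probes[(client, server, port)].append(pkts[0][0])
    return dict(probes)

def probe_interval(times):
    """Mean and jitter (population std dev) of the gaps between probes."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return round(mean(gaps), 3), round(pstdev(gaps), 3)
```

A single client hitting one server port at a fixed cadence with near-zero jitter is the signature of a load balancer's TCP check; the trailing SYN for port 45906 is ignored because its connection is incomplete in the excerpt.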


#3

Thanks. I removed the word “check” from haproxy.cfg and the browser then connected to the webserver. But the connection is not https, just http. It might be a problem where the browser is not accepting the self-signed certificate.