HI everyone. Perhaps my expectations are incorrect, but I figured haproxy would unbind from the listening port when a “tcp-request connection reject” is in place and the condition is currently true.
My use case is that I have five backend servers and one haproxy listening on port X. When all five backends are down (such as for maintenance), I had hoped this rule:
tcp-request connection reject if { nbsrv(xyz) lt 1 }
would cause haproxy to stop listening. Unfortunately I have to deal with some exceptionally stupid software on the other end that uses a “dump and go” policy whereby it connects and just blindly dumps its data. If it connects successfully it assumes the data was delivered. I know, it is tremendously bad behaviour but unfortunately not under my control.
Is my expectation correct? netstat shows haproxy still listening and I can connect with telnet, though it disconnects as soon as I send data.
Thanks,
Sean
I should have said, I was using version 1.6.3.
I have upgraded to 1.6.13 and now haproxy is still listening, but connections to it behave differently. I got different results on consecutive telnet attempts:
[sean@dev ~]$ telnet localhost 54054
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
[sean@dev ~]$ telnet localhost 54054
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection reset by peer
which I find a little odd. It smells like timing to me. Is there any way to guarantee the latter behaviour?
Thanks again
Haproxy will always keep listening on the frontend. It can only close the socket on exit.
tcp-request connection reject will close the socket asap, however it will still accept the connection in the first place (the 3 way handshake succeeds).
No and I think the latter behavior is a consequence of something else. Maybe haproxy shutdown or reloaded or crashed while you where testing it; I don’t have an explanation for the “Connection reset by peer” behavior.
1 Like