I have an HAProxy server in front of a Windows Server 2019 machine. These devices are hosted with a cloud provider and are in the same virtual data center. Within the last several days we have started getting a high number of retransmits between IIS and HAProxy, until the websites stop responding. At that point the only fix seems to be to restart the Windows network adapter. Are there any settings in HAProxy that might help with this issue? I have little faith right now that the hosting provider is going to be of any assistance.
# Process-wide settings: logging, privilege drop, runtime socket, buffer tuning and TLS defaults.
global
log /dev/log local0
log /dev/log local1 notice
# Confine the process to this directory after startup.
chroot /var/lib/haproxy
# Runtime API socket. "level admin" permits every runtime command, so the 660 mode
# (owner and group only) is the access control here.
# NOTE(review): confirm which accounts are in the socket's owning group.
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
# Drop privileges to an unprivileged account and run in the background.
user haproxy
group haproxy
daemon
# tune.bufsize is the size of each buffer in bytes; tune.maxrewrite is the part of a
# buffer kept free for header rewriting (here half of the buffer).
# NOTE(review): buffers larger than the default raise memory use per connection — confirm
# the host has headroom for maxconn below.
tune.maxrewrite 16384
tune.bufsize 32768
tune.ssl.default-dh-param 2048
# Upper bound on concurrent connections for the process.
maxconn 4000
# Lua script for CORS preflight handling; presumably registers the lua.cors-response
# service that the frontend calls — verify against the script.
lua-load /etc/haproxy/cors.lua
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
# NOTE(review): this list governs TLS 1.2 and older only; TLS 1.3 suites are set with
# ssl-default-bind-ciphersuites, which this excerpt does not contain. The RSA+AESGCM and
# RSA+AES entries still admit key exchange without forward secrecy.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# SSLv3, TLS 1.0 and TLS 1.1 are refused on every bind line that does not override this.
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
# Disabled alternatives kept for reference; the last one would lower the minimum to TLS 1.0.
#no-tls10
#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
#ssl-default-bind-options ssl-min-ver TLSv1.0
# Settings inherited by every frontend and backend that does not override them.
defaults
log global
mode http
option httplog
# Do not log connections on which no data was exchanged.
option dontlognull
# Time allowed for the TCP connection to a backend server to be established.
timeout connect 20s
# Maximum inactivity on the client side and on the server side of a connection.
# NOTE(review): no "timeout http-request" appears in this excerpt, so a client that sends
# its request slowly is bounded only by the 10m client timeout and keeps a connection slot
# for that long. Consider a short value such as "timeout http-request 10s", and a
# "timeout http-keep-alive", so idle or slow clients cannot exhaust maxconn.
timeout client 10m
timeout server 10m
# Custom response files returned for proxy-generated errors.
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# Public listener: source allow-list, CORS handling, request filtering, HTTPS redirect.
frontend psites_com
bind 1.2.3.4:80
# TLS listener; certificates are loaded from the named directory.
bind 1.2.3.4:443 ssl crt /etc/haproxy/ssl/
mode http
#tcp-request connection reject if { src -f /etc/haproxy/blacklist_clients }
# Connection-level allow-list: any source address not in whitelist.ip is rejected before
# HTTP processing, so the http-request deny rules below only ever see allow-listed sources.
tcp-request connection reject unless { src -f /etc/haproxy/whitelist.ip }
# Capture the Origin request header (first capture slot, index 0, at most 128 characters)
capture request header origin len 128
# if a preflight request is made, use CORS preflight backend
http-request use-service lua.cors-response if METH_OPTIONS { capture.req.hdr(0) -m found }
# Copies the client's Origin value into an Access-Control-Allow-Origin header.
# NOTE(review): this is an http-request rule, so the header is added to the request sent
# to the backend, not to the response, and no list of allowed origins is consulted — the
# value is whatever the client supplied. If the intent is a response header, use
# "http-response set-header" and gate it on an ACL of permitted origins; reflecting an
# arbitrary Origin lets any site read responses cross-origin.
http-request set-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
# Request-path filters, matched case-insensitively.
# NOTE(review): path_end compares only the end of the path — confirm the backend does not
# serve the same content under other path forms.
acl block-WP path_end -i .php
acl block-ADS path_end -i ads.txt
acl block-JAR path_end -i .jar
#acl badURL path -m reg \+[A-Za-z0-9]+\+[A-Za-z0-9]+\+
acl block-WPincludes path_beg -i /wp-includes/
# Letsencrypt
# NOTE(review): letsencrypt-acl and https_domain are defined but not referenced in this
# excerpt, so the redirect below also applies to ACME challenge requests on port 80.
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
# SSL
acl https_domain hdr(host) -i -f /etc/haproxy/ssl_domains
# Black List
acl blockedagent hdr_sub(user-agent) -i -f /etc/haproxy/blacklist.agent
# Clients that were sent to bots
acl blacklisted_clients src -i -f /etc/haproxy/blacklist_clients
################ Default Logic ############################################
# Deny requests from listed user agents and source addresses, then by path
http-request deny if blockedagent
http-request deny if blacklisted_clients
http-request deny if block-WP
#http-request deny if badURL
http-request deny if block-JAR
http-request deny if block-WPincludes
http-request deny if block-ADS
# Redirect http -> https
redirect scheme https if !{ ssl_fc }
# Default
default_backend xsites_cloud
# Backend pool for the IIS server(s); only one server is active in this excerpt.
backend xsites_cloud
mode http
# Choose the server from a hash of the client source address, so a given client keeps
# reaching the same server.
balance source
# The set-header rule replaces any client-supplied X-Forwarded-For with the connection's
# source address; "option forwardfor" also adds the client address in the same header.
# NOTE(review): the two overlap — presumably one is enough; confirm which value IIS logs
# or trusts.
option forwardfor
http-request set-header X-Forwarded-For %[src]
# Health-checked server reached over plain HTTP on port 80.
# NOTE(review): traffic between the proxy and IIS is unencrypted on this link — confirm
# that is acceptable for the shared virtual data center network.
server i-3.cloud 10.100.0.13:80 check
# server i-4.cloud 10.100.0.16:80 check (remarked out for testing)
# retries 4 (had previously tried this to help with 504 errors)
# option redispatch 2 (had previously tried this to help with 504 errors)
NOTE: this is a large config, and I pulled only the pieces I thought were pertinent to this discussion.
My version of HAProxy is 2.4.22.