Inconsistent Behavior at browser


We have been using haproxy for a long time and it has been an excellent addition to our enterprise. Our Application Development is working to migrate their web applications to Server 2019. We started testing in Dev and are seeing inconsistent behavior where the browser will connect sometimes and won’t at other times. Clearing cache doesn’t seem to help and it doesn’t seem to matter if we’re using Firefox, Chrome or Edge.

The target configuration will initially support 2 groups of servers (for the 2012 env) and 2 groups (for the 2019 env). Each application will have its own path. It’s all port 80 for now but once this is all working, we’ll add port 443 over time. My haproxy configuration represents this by using ACLs for the host name, the port and then the path. From those, a backend is selected.

The Dev/UAT NLB is running HAProxy 2.3.10 on Fedora Linux.

The testing configuration I’m using is below. This represents only one of the initial 12 (out of approximately 65) applications as we’ve chosen to focus on this one for now.

global
	user     haproxy
	group    haproxy
	maxconn  2048
	log  local2

defaults
	log	global
	mode	http
	# option  httplog
	option	tcplog
	option	dontlognull
	option  log-health-checks

	timeout connect 5000ms
	timeout client  50000ms
	timeout server  50000ms

	stats  enable
	stats  refresh 30s
	stats  show-node
	stats  auth   hapstats:***
	stats  uri    /HAProxyStats

	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend https-in-VIP9-AD-APPENV-DEV


	mode       tcp
	option     tcplog
	no option  http-server-close
	timeout    client 1m

	acl Host_AD_AppEnv_DEV      hdr_beg(host) -i treasweb-dev
	acl Host_AD_AppEnvFnet_DEV  hdr_beg(host) -i treaswebfnet-dev

	acl port80   dst_port  80
	acl port443  dst_port  443

	acl DoresPATS_DEV  path  /PATS
	use_backend Cluster_AD_APPENV2019_DEV  if port80 Host_AD_AppEnv_DEV DoresPATS_DEV   # Implied AND between ACLs

backend Cluster_AD_APPENV2019_DEV

	mode    tcp
	mode    http

	balance roundrobin

	server  trevdevweb1 trevdevweb1 maxconn 64

What will happen is that if I go to treasweb-dev/PATS, it will often work initially, then we’ll get 502s or 504s. Am I thinking about this the wrong way or am I missing something in terms of how haproxy is interacting with the browsers and servers? Any help would be greatly appreciated.



I decided to simplify the configuration so I tried disabling the ACLs in the frontend and using a default_backend (configuration below). I made no other changes and it now works. Meaning something is wrong with my ACLs or how I am applying them. Can anyone explain what I am doing wrong here? Thanks again.


frontend https-in-VIP9-AD-APPENV-DEV


	mode       tcp
	option     tcplog
	no option  http-server-close
	timeout    client 1m

	default_backend Cluster_AD_APPENV2019_DEV
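
An added example, not part of the original posts: a small Python check that reports `use_backend` rules whose ACLs use HTTP-layer fetches (`hdr_beg`, `path`) inside a proxy whose effective mode is `tcp`, the combination present in the first frontend above; the HAProxy documentation states that no layer 7 examination is performed in `mode tcp`. The sample config, its shortened names and the list of fetches are constructed for this illustration.

```python
import re

# Layer-7 (HTTP) sample fetches; a partial list chosen for this example.
L7_FETCHES = {"hdr", "req.hdr", "path", "url", "method", "cook"}
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

# Constructed sample, reduced from the frontend posted above (names shortened).
SAMPLE = """\
defaults
    mode http
frontend fe_dev
    mode tcp
    acl Host_Dev  hdr_beg(host) -i treasweb-dev
    acl port80    dst_port 80
    acl Pats_Dev  path /PATS
    use_backend be_dev if port80 Host_Dev Pats_Dev
backend be_dev
    mode http
"""

def is_l7(fetch):
    return re.split(r"[(_]", fetch, maxsplit=1)[0] in L7_FETCHES  # hdr_beg(host) -> hdr

def lint(text):
    """Flag HTTP-layer ACLs that use_backend rules reference in tcp-mode proxies."""
    default_mode, section, cur, proxies = "tcp", None, None, []
    for no, raw in enumerate(text.splitlines(), 1):
        w = raw.split("#", 1)[0].split()
        if not w:
            continue
        if w[0] in SECTIONS:
            section, cur = w[0], None
            if section in ("frontend", "listen") and len(w) > 1:
                cur = {"name": w[1], "mode": default_mode, "acls": {}, "rules": []}
                proxies.append(cur)
        elif w[0] == "mode" and len(w) > 1 and section == "defaults":
            default_mode = w[1]
        elif cur and w[0] == "mode" and len(w) > 1:
            cur["mode"] = w[1]  # a later mode line overrides an earlier one
        elif cur and w[0] == "acl" and len(w) > 2:
            cur["acls"][w[1]] = w[2]
        elif cur and w[0] == "use_backend" and len(w) > 3:
            cur["rules"].append((no, [t.lstrip("!") for t in w[3:]]))
    return [(p["name"], no, n, p["acls"][n])
            for p in proxies if p["mode"] == "tcp"
            for no, names in p["rules"] for n in names
            if n in p["acls"] and is_l7(p["acls"][n])]

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

The check only resolves named ACLs; anonymous `{ ... }` conditions are not parsed.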