Keepalive not working on backend


#1

With the following config, we are seeing keepalives working on the frontend, but not on the backend. Is there something about the proxy protocol that prevents keepalives from being maintained? If so, is there a way to do so? I have confirmed keepalives are working on the backend servers via several methods, but we are seeing in the haproxy stats the same number of connections/sec as http responses for the backend bk_foo.

defaults
  maxconn 100
  http-reuse safe
  option http-keep-alive
  timeout connect 3s
  timeout client 30s
  timeout server 1h

frontend ft_ssl
  mode http
  bind-process 2-10
  bind *:80
  bind *:443 ssl crt /usr/local/haproxy-1.6.6-openssl-1.0.1t-static/etc/foo.pem ciphers AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!PSK no-sslv3 no-tls-tickets
  maxconn 100000
  option httplog
  option forwardfor

  redirect scheme https code 301 if !{ ssl_fc }

  default_backend bk_ssl

backend bk_ssl
  mode http
  bind-process 2-10
  server ft_sock unix@ft.sock send-proxy-v2

frontend ft_plain
  mode http
  bind-process 1
  bind unix@/usr/local/haproxy-1.6.6-openssl-1.0.1t-static/jail/ft.sock accept-proxy
  no log

  maxconn 100000

  use_backend %[req.hdr(host),lower,map_dom(/usr/local/haproxy-1.6.6-openssl-1.0.1t-static/etc/map)]

backend bk_foo
  mode http
  bind-process 1
  server foo 10.10.1.1:443 check ssl verify none maxconn 2000

Thanks very much.


#2

The config you posted doesn’t actually use the bk_foo backend. Can you post the correct configuration please?


#3

Sorry about that. It was an edited version of our real config.

defaults
  maxconn 100
  http-reuse safe
  option http-keep-alive
  timeout connect 3s
  timeout client 30s
  timeout server 1h

frontend ft_ssl
  mode http
  bind-process 2-10
  bind *:80
  bind *:443 ssl crt /usr/local/haproxy-1.6.6-openssl-1.0.1t-static/etc/foo.pem ciphers AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!PSK no-sslv3 no-tls-tickets
  maxconn 100000
  option httplog
  option forwardfor

  redirect scheme https code 301 if !{ ssl_fc }

  default_backend bk_ssl

backend bk_ssl
  mode http
  bind-process 2-10
  server ft_sock unix@ft.sock send-proxy-v2

frontend ft_plain
  mode http
  bind-process 1
  bind unix@/usr/local/haproxy-1.6.6-openssl-1.0.1t-static/jail/ft.sock accept-proxy
  no log

  maxconn 100000

  use_backend bk_foo

backend bk_foo
  mode http
  bind-process 1
  server foo 10.10.1.1:443 check ssl verify none maxconn 2000

#4

You are not using the proxy protocol on backend bk_foo, so I would say it has no impact here. And surely the abstract namespace sockets above are irrelevant keep-alive wise, right?

Are you positive your use-case satisfies the requirements for the “safe” http-reuse mode? Because if those are single clients doing a single request each, the conditions are certainly not met.

Maybe try aggressive or always mode.

http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#4-http-reuse
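One way to confirm from the stats socket whether backend connections are really being reused, before and after switching http-reuse modes (added example, not part of this thread; it assumes the stats socket is enabled, that for BACKEND rows `stot` counts connections opened towards the servers, and the abridged column set below is a constructed sample):

```python
import csv
import io

# Constructed, abridged sample of `show stat` CSV output from the HAProxy
# stats socket (only the columns this check needs; real output has many more).
# bk_foo shows one backend connection per HTTP response, i.e. no reuse at all;
# bk_bar shows five responses per connection, i.e. keep-alive/reuse is working.
SAMPLE_STATS = """# pxname,svname,stot,hrsp_1xx,hrsp_2xx,hrsp_3xx,hrsp_4xx,hrsp_5xx,hrsp_other
ft_ssl,FRONTEND,120000,0,118000,1500,400,100,0
bk_foo,foo,118900,0,117900,600,300,100,0
bk_foo,BACKEND,118900,0,117900,600,300,100,0
bk_bar,BACKEND,2000,0,9500,300,150,50,0
"""


def responses_per_connection(stats_csv):
    """Return {backend: responses / connections} for each BACKEND row.

    `stot` is the cumulative number of connections (sessions) opened towards
    the backend; the hrsp_* counters are the HTTP responses seen on them.
    A ratio close to 1.0 means every response travelled on a fresh
    connection, which is exactly the symptom described in the thread.
    """
    text = stats_csv.lstrip("# ")  # drop the "# " prefix of the header line
    reader = csv.DictReader(io.StringIO(text))
    ratios = {}
    for row in reader:
        if row["svname"] != "BACKEND":
            continue
        conns = int(row["stot"])
        responses = sum(int(row[k]) for k in row if k.startswith("hrsp_"))
        ratios[row["pxname"]] = responses / conns if conns else 0.0
    return ratios


def backends_without_reuse(stats_csv, min_ratio=1.5):
    """Names of backends whose responses-per-connection ratio is below min_ratio."""
    ratios = responses_per_connection(stats_csv)
    return sorted(name for name, r in ratios.items() if r < min_ratio)


if __name__ == "__main__":
    # Replace SAMPLE_STATS with the output of:
    #   echo "show stat" | socat stdio /path/to/haproxy.sock
    for name, ratio in responses_per_connection(SAMPLE_STATS).items():
        print(f"{name}: {ratio:.2f} responses per backend connection")
    print("no reuse:", backends_without_reuse(SAMPLE_STATS))
```

Run it once under `http-reuse safe` and again after trying `aggressive` or `always`; if bk_foo's ratio stays near 1.0 the requests are still each opening a new server connection.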