With the following config, we are seeing keepalives working on the frontend, but not on the backend. Is there something about the proxy protocol that prevents keepalives from being maintained? If so, is there a way to do so? I have confirmed keepalives are working on the backend servers via several methods, but in the haproxy stats we are seeing the same number of connections/sec as HTTP responses for the backend bk_foo.
# Defaults inherited by every frontend/backend below unless overridden there.
defaults
# Low per-proxy connection cap; both frontends below raise it to 100000.
maxconn 100
# Server-side connection reuse in "safe" mode; bk_foo does not override this,
# so it is the mode in effect for the backend under discussion.
http-reuse safe
option http-keep-alive
timeout connect 3s
timeout client 30s
# Server-side inactivity timeout is two orders of magnitude above the client one.
timeout server 1h
# Public entry point: plain HTTP on :80 is redirected to HTTPS, TLS terminates on :443.
frontend ft_ssl
mode http
# Runs on processes 2-10 only; process 1 is used by ft_plain/bk_foo.
bind-process 2-10
bind *:80
# NOTE(review): the cipher list still admits 3DES (ECDHE-RSA-DES-CBC3-SHA) and
# non-forward-secret AES-SHA suites; SSLv3 and session tickets are disabled.
bind *:443 ssl crt /usr/local/haproxy-1.6.6-openssl-1.0.1t-static/etc/foo.pem ciphers AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!PSK no-sslv3 no-tls-tickets
maxconn 100000
option httplog
# Adds the client address as X-Forwarded-For toward the next hop.
option forwardfor
# Anything that did not arrive over TLS is sent to https with a permanent redirect.
redirect scheme https code 301 if !{ ssl_fc }
default_backend bk_ssl
# Hands decrypted traffic to the ft_plain frontend over a unix socket, prefixing
# each new connection with a PROXY protocol v2 header so the original client
# address survives the hop (ft_plain's bind uses accept-proxy for this).
backend bk_ssl
mode http
bind-process 2-10
# Relative socket path; presumably resolves to the jail/ft.sock path that
# ft_plain binds — TODO confirm against the process working directory/chroot.
server ft_sock unix@ft.sock send-proxy-v2
# Internal frontend on process 1 that receives the already-decrypted traffic from bk_ssl.
frontend ft_plain
mode http
bind-process 1
# accept-proxy trusts the PROXY header on every connection to this socket, so any
# local process that can connect to ft.sock can set the client address seen
# downstream; keep the socket's filesystem permissions tight (bind user/group/mode).
bind unix@/usr/local/haproxy-1.6.6-openssl-1.0.1t-static/jail/ft.sock accept-proxy
# Presumably to avoid a second log line per request, since ft_ssl already logs.
no log
maxconn 100000
# Backend chosen by lower-cased Host header via the domain map; no default_backend
# is defined here for hosts that are absent from the map.
use_backend %[req.hdr(host),lower,map_dom(/usr/local/haproxy-1.6.6-openssl-1.0.1t-static/etc/map)]
# Re-encrypts toward the origin on process 1; inherits http-reuse safe from defaults.
backend bk_foo
mode http
bind-process 1
# `verify none` skips certificate validation of 10.10.1.1, so this leg is encrypted
# but not authenticated; `verify required` with a `ca-file` closes that gap.
# No proxy protocol is used on this leg.
server foo 10.10.1.1:443 check ssl verify none maxconn 2000
Thanks very much.
The config you posted doesn’t actually use the bk_foo backend. Can you post the correct configuration please?
bwmetcalf:
# Defaults inherited by every frontend/backend below unless overridden there.
defaults
# Low per-proxy connection cap; both frontends below raise it to 100000.
maxconn 100
# Server-side connection reuse in "safe" mode; bk_foo does not override this,
# so it is the mode in effect for the backend under discussion.
http-reuse safe
option http-keep-alive
timeout connect 3s
timeout client 30s
# Server-side inactivity timeout is two orders of magnitude above the client one.
timeout server 1h
# Public entry point: plain HTTP on :80 is redirected to HTTPS, TLS terminates on :443.
frontend ft_ssl
mode http
# Runs on processes 2-10 only; process 1 is used by ft_plain/bk_foo.
bind-process 2-10
bind *:80
# NOTE(review): the cipher list still admits 3DES (ECDHE-RSA-DES-CBC3-SHA) and
# non-forward-secret AES-SHA suites; SSLv3 and session tickets are disabled.
bind *:443 ssl crt /usr/local/haproxy-1.6.6-openssl-1.0.1t-static/etc/foo.pem ciphers AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!PSK no-sslv3 no-tls-tickets
maxconn 100000
option httplog
# Adds the client address as X-Forwarded-For toward the next hop.
option forwardfor
# Anything that did not arrive over TLS is sent to https with a permanent redirect.
redirect scheme https code 301 if !{ ssl_fc }
default_backend bk_ssl
# Hands decrypted traffic to the ft_plain frontend over a unix socket, prefixing
# each new connection with a PROXY protocol v2 header so the original client
# address survives the hop (ft_plain's bind uses accept-proxy for this).
backend bk_ssl
mode http
bind-process 2-10
# Relative socket path; presumably resolves to the jail/ft.sock path that
# ft_plain binds — TODO confirm against the process working directory/chroot.
server ft_sock unix@ft.sock send-proxy-v2
# Internal frontend on process 1 that receives the already-decrypted traffic from bk_ssl.
frontend ft_plain
mode http
bind-process 1
# accept-proxy trusts the PROXY header on every connection to this socket, so any
# local process that can connect to ft.sock can set the client address seen
# downstream; keep the socket's filesystem permissions tight (bind user/group/mode).
bind unix@/usr/local/haproxy-1.6.6-openssl-1.0.1t-static/jail/ft.sock accept-proxy
# Presumably to avoid a second log line per request, since ft_ssl already logs.
no log
maxconn 100000
# Backend chosen by lower-cased Host header via the domain map; no default_backend
# is defined here for hosts that are absent from the map.
use_backend %[req.hdr(host),lower,map_dom(/usr/local/haproxy-1.6.6-openssl-1.0.1t-static/etc/map)]
# Re-encrypts toward the origin on process 1; inherits http-reuse safe from defaults.
backend bk_foo
mode http
bind-process 1
# `verify none` skips certificate validation of 10.10.1.1, so this leg is encrypted
# but not authenticated; `verify required` with a `ca-file` closes that gap.
# No proxy protocol is used on this leg.
server foo 10.10.1.1:443 check ssl verify none maxconn 2000
Sorry about that. It was an edited version of our real config.
# Defaults inherited by every frontend/backend below unless overridden there.
defaults
# Low per-proxy connection cap; both frontends below raise it to 100000.
maxconn 100
# Server-side connection reuse in "safe" mode; bk_foo does not override this,
# so it is the mode in effect for the backend under discussion.
http-reuse safe
option http-keep-alive
timeout connect 3s
timeout client 30s
# Server-side inactivity timeout is two orders of magnitude above the client one.
timeout server 1h
# Public entry point: plain HTTP on :80 is redirected to HTTPS, TLS terminates on :443.
frontend ft_ssl
mode http
# Runs on processes 2-10 only; process 1 is used by ft_plain/bk_foo.
bind-process 2-10
bind *:80
# NOTE(review): the cipher list still admits 3DES (ECDHE-RSA-DES-CBC3-SHA) and
# non-forward-secret AES-SHA suites; SSLv3 and session tickets are disabled.
bind *:443 ssl crt /usr/local/haproxy-1.6.6-openssl-1.0.1t-static/etc/foo.pem ciphers AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!PSK no-sslv3 no-tls-tickets
maxconn 100000
option httplog
# Adds the client address as X-Forwarded-For toward the next hop.
option forwardfor
# Anything that did not arrive over TLS is sent to https with a permanent redirect.
redirect scheme https code 301 if !{ ssl_fc }
default_backend bk_ssl
# Hands decrypted traffic to the ft_plain frontend over a unix socket, prefixing
# each new connection with a PROXY protocol v2 header so the original client
# address survives the hop (ft_plain's bind uses accept-proxy for this).
backend bk_ssl
mode http
bind-process 2-10
# Relative socket path; presumably resolves to the jail/ft.sock path that
# ft_plain binds — TODO confirm against the process working directory/chroot.
server ft_sock unix@ft.sock send-proxy-v2
# Internal frontend on process 1 that receives the already-decrypted traffic from bk_ssl.
frontend ft_plain
mode http
bind-process 1
# accept-proxy trusts the PROXY header on every connection to this socket, so any
# local process that can connect to ft.sock can set the client address seen
# by bk_foo; keep the socket's filesystem permissions tight (bind user/group/mode).
bind unix@/usr/local/haproxy-1.6.6-openssl-1.0.1t-static/jail/ft.sock accept-proxy
# Presumably to avoid a second log line per request, since ft_ssl already logs.
no log
maxconn 100000
# Every request on this frontend goes to bk_foo (the map-based routing of the
# earlier, edited config is not used here).
use_backend bk_foo
# Re-encrypts toward the origin on process 1; inherits http-reuse safe from defaults.
backend bk_foo
mode http
bind-process 1
# `verify none` skips certificate validation of 10.10.1.1, so this leg is encrypted
# but not authenticated; `verify required` with a `ca-file` closes that gap.
# No proxy protocol is used on this leg.
server foo 10.10.1.1:443 check ssl verify none maxconn 2000
You are not using the proxy protocol on backend bk_foo, so I would say it has no impact here. And surely the abstract namespace sockets above are irrelevant keep-alive wise, right?
Are you positive your use-case satisfies the requirements for the “safe” http-reuse mode? Because if those are single clients each doing a single request, the conditions are certainly not met.
Maybe try the aggressive or always mode.
http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#4-http-reuse