Keepalive_requests equivalent

fguer · January 16, 2024, 5:00pm

I’m starting a new thread to not necrobump an old thread.

I agree that there is a very legitimate use case for limiting the number of keepalive_requests in hapoxy.

In my use case, I use a dynamic number of haproxy servers, when they reach a certain CPU usage, I spin up new ones, and add the new friends to a DNS round-robin record.

The issue is that the existing clients stick to the old haproxy servers and the load does not get re-distributed. This issue can only be solved by a reload of the server, but that actually drops in-flight requests so that’s really not good.

There is also this solution but it seems like it’s also dropping connections (by acting closing the connection at the time of the client request).

Is there already a solution for this problem that I have missed?

lukastribus · January 17, 2024, 7:53pm

Closing the connection after a successful HTTP transaction is exactly what you are requesting here, but the Connection: close solution works for H1 only.

There are requests on the issue tracker for implementing this in H2, etc:

github.com/haproxy/haproxy

Dynamically disable keep-alive / tear down a H2 connection using an ACL

opened 09:43AM - 19 Nov 20 UTC

TimWolla

type: feature

## What should haproxy do differently? Which functionality do you think we shoul…d add? I'd like to be able to dynamically and cleanly tear down a client's TCP connection as part of a HTTP response, e.g. ``` http-response disconnect-afterwards if { res.hdr(x-client) disconnect } ``` ## What are you trying to do? I'd like to force abusive clients to re-establish a new TCP connection and perform a new TLS handshake to slow them down. Sending a `connection: close` or `GOAWAY` after sending the response to the current request should not affect legitimate traffic, apart from possibly introducing additional latency due to the reconnections. Specifically a legitimate user must not see requests failing like they would when I start sending a `429 too many requests`. Injecting additional redirects as suggested in the mailing list thread does not play super nicely with POST requests, would require me to track additional state and is cheaply handled on the client side. see: https://www.mail-archive.com/haproxy@formilux.org/msg38828.html ## Output of `haproxy -vv` and `uname -a` ``` HA-Proxy version 2.3.1-1~bpo10+1 2020/11/15 - https://haproxy.org/ Status: stable branch - will stop receiving fixes around Q1 2022. Known bugs: http://www.haproxy.org/bugs/bugs-2.3.1.html Running on: Linux 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 Build options : TARGET = linux-glibc CPU = generic CC = cc CFLAGS = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-2.3.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1 Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -CLOSEFROM +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS Default settings : bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 Built with multi-threading support (MAX_THREADS=64, default=8). Built with OpenSSL version : OpenSSL 1.1.1d 10 Sep 2019 Running on OpenSSL version : OpenSSL 1.1.1d 10 Sep 2019 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3 Built with Lua version : Lua 5.3.3 Built with network namespace support. Built with the Prometheus exporter as a service Built with zlib version : 1.2.11 Running on zlib version : 1.2.11 Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip") Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Built with PCRE2 version : 10.32 2018-09-10 PCRE2 library supports JIT : yes Encrypted password support via crypt(3): yes Built with gcc compiler version 8.3.0 Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. Available multiplexer protocols : (protocols marked as <default> cannot be specified using 'proto' keyword) h2 : mode=HTTP side=FE|BE mux=H2 fcgi : mode=HTTP side=BE mux=FCGI <default> : mode=HTTP side=FE|BE mux=H1 <default> : mode=TCP side=FE|BE mux=PASS Available services : prometheus-exporter Available filters : [SPOE] spoe [CACHE] cache [FCGI] fcgi-app [COMP] compression [TRACE] trace ```

github.com/haproxy/haproxy

Add "http-request switch-mode clo" directive

opened 10:47PM - 05 May 23 UTC

shadyabhi

type: feature

### Your Feature Request HAProxy currently doesn't support enabling `drain fe…ature per HTTP transaction`. There is a concept of `soft-stop`, but it's a global feature for all connections. Hence, as an HAproxy user, I'm unable to selectively drain HTTP transactions coming from a specific `client ip`. Ultimately, the goal for me would be to do a selective ACL based directive. `http-request switch-mode clo if is_close_needed` There are workaround for H1 as we can simply send `Connection: close` as it is just a header, however, same is not possible for H2 goaway frames. Some hacky solution were indeed discussed on the [mailing list](https://www.mail-archive.com/haproxy@formilux.org/msg43496.html) I looked at code surrounding setting CLO mode in `soft-stop`, we do have all the logic, but we need to find a way to make it configurable? H1: https://sourcegraph.com/github.com/haproxy/haproxy/-/blob/src/mux_h1.c?L1185 H2: https://sourcegraph.com/github.com/haproxy/haproxy/-/blob/src/mux_h2.c?L4041 QUIC: https://sourcegraph.com/github.com/haproxy/haproxy/-/blob/src/mux_quic.c?L2181 `PS`: We should implement what makes most sense, the directives I used are just to communicate the intent. ### What are you trying to do? There's a ML discussion [posted here](https://www.mail-archive.com/haproxy@formilux.org/msg43496.html). Let's discuss this for a design as follows:- IPVS (dsr) -> L4 HAproxy (tcp termination) -> L7 HAProxy (via pp, L7 done here) Problem statement is, how do you drain a node in L4 tier gracefully as it has no concept of L7 constructs like "Connection: close" or "GOAWAY h2 frames" and can't send those on L7 proxy's behalf. I am unable to find a way to initiate "soft-stop" behavior only for requests coming from a specific upstream L4 node. Note, we already have measures in place to stop sending new requests to L4 as soon as we initiate the maintenance mode, this is about gracefully draining existing connections on L4 which are spread across the whole L7 cluster. ### Output of `haproxy -vv` ```plain NA, this feature is unavailable in git HEAD. As documentation, at the time of writing HAproxy version is: `v2.8-dev9` ```

[quote=“fguer, post:1, topic:9403”]
The issue is that the existing clients stick to the old haproxy servers and the load does not get re-distributed.[/quote]

If we are talking about browsers/HTTP, you should be able to handle this by properly configuring timeouts.

If we are talking TCP with some like reverse proxying MSRDP terminal clients, than spinning proxies instances up and down is somewhat of a wrong design.

No, a reload of haproxy certainly does NOT drop in-flight request, unless the configuration is wrong or you are hitting a bug.

That is the job of a reload as opposed to a restart: not dropping transaction despite starting up a new instance.

fguer · January 17, 2024, 9:43pm

Thank you for your reply.

I can guarantee that haproxy 2.8 drops keepalive connections to the backend and clients upon reload.

The use case is not from browsers, but from servers, and they happily keep connections open forever if you let them. They are from third parties though, so we have no control over their implementation details.

lukastribus · January 17, 2024, 10:11pm

That’s expected behavior of course, after all, we want a soft stopping process to start closing connections.

However this may take seconds, minutes or even hours when connections are continiously making traffic.

They amount of time in this soft close state can be limited by configuring hard-stop-after.

No connections are “killed” unless hard-stop triggers or a haproxy is actually stopped/restarted as opposed to be reloaded.

Again that is the expected behavior. You can hit a bug or a misconfiguration, but the fact of the matter is that a reload doesn’t blindly kill connections.

But this is not really your use case anyway, in your use-case you’d want to the shutdown session feature for example:

http://docs.haproxy.org/2.8/management.html#9.3-shutdown%20session

fguer · January 23, 2024, 2:00pm

Thank you very much for your help @lukastribus .

The solution for me was disabling h2 and randomly closing connections.

I look forward to issue 969 to be fixed.

I also maintain that a “proper” implementation of “keepalive_requests” would be useful.

Kind regards,F

Topic		Replies	Views
Keepalive connection reuse with url balancing Help!	4	6301	March 22, 2016
Is there any equivalent of NGINX's `keepalive_requests` in HAProxy Help!	5	955	May 11, 2020
Frontend and Backend Keepalives Help!	7	3818	October 16, 2020
KeepAlive issue Help!	5	1080	September 30, 2020
Tcp keepalive connection not failover Help!	2	2249	November 10, 2019

Keepalive_requests equivalent

Related Topics