Preventing proliferation of sticky session cookies with multiple backends


We have an HAProxy setup with many (10s if not 100s) backends for one frontend, with at least 2 servers per backend. We are using cookies for sticky sessions to tie clients to a particular server for a given backend. The different backends are selected based on the path of the request, so any given client may visit a number of different backends - and therefore collect a number of different cookies. We are trying to find a way to minimise the number of cookies sent between haproxy and the backend servers, and also if possible between the client and haproxy.

Here is a very cut down configuration snippet showing the kind of thing we are trying to do (in reality there are many more backends, each backend has at least 2 serves, and each backend would have different servers):

frontend front
        bind localhost:8000
        mode http
        default_backend back1
        use_backend back2 if { path_beg -i /path }

backend back1
        mode http
        balance roundrobin
        cookie back1 insert indirect nocache
        server server1 localhost:80 cookie server1

backend back2
        mode http
        balance roundrobin
        cookie back2 insert indirect nocache
        server server2 localhost:80 cookie server2

In this example, assuming the client already has both back1 and back2 cookies, a request for /path/ will include both cookies in the request from the client to HAProxy, and HAProxy will only strip out the back2 cookie, meaning the back1 cookie is still sent to the backend.

A couple of things I have thought of so far:

  • Get HAProxy to set the path attribute on the cookies when it sets them, so they are only sent on requests which will end up being routed to the backend in question. It doesn’t seem like there is a way to tell HAProxy to do this and while you can set arbitrary attributes, setting the path attribute results in it being sent twice in the Set-Cookie header, once with the default path of / and once with what you specify. I don’t think client behaviour in that case is specified in any standard, so I definitely would not want to rely on it.
  • Get HAProxy to strip out all it’s cookies from all backend requests. There is an arguably slightly surprising behaviour of HAProxy, in that it strips the cookie pertaining to the particular backend that is handling a request (when insert indirect is specified), but cookies for any other backends are left in. Unfortunately, as far as I can tell, there is no way to automatically do this and none of the available methods for editing request headers (http-request replace-header or http-request replace-value) would enable us to remove an arbitrary number of cookies from the cookie header based on their names sharing a common prefix.

All my testing thus far has been with version 2.4.22.

Any suggestions or pointers to things I’ve missed would be greatly appreciated!