Dear Friends, I use Debian 12 Bookworm and HAProxy to load-balance traffic between gateways. When all backend servers are working there is no problem, but when I simulate a failover by taking down one of the backend servers, the active RDP session freezes completely and cannot be closed except by killing the RDP client process.
If I stop the haproxy process and start it again, the active session reconnects without problem; if not, the window stays stuck until the client process is killed. I have tried changing option httpclose, setting on-marked-down for the backend servers and many other config changes, without success. Please help me solve this issue!
config example:
global
# Logging: two syslog targets here plus a stdout target (last line of this section).
# NOTE(review): with "daemon" set, stdout is closed after forking, so the stdout
# target likely delivers nothing in this setup — confirm.
log /dev/log local0
log /dev/log local1 notice
# Process hardening: confine to a chroot and drop to the unprivileged haproxy user/group.
chroot /var/lib/haproxy
# Runtime socket with admin privileges; mode 660 restricts it to the socket's owner/group.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
tune.ssl.default-dh-param 4096
# Outbound (HAProxy -> backend) TLS policy. The cipher list ends in @SECLEVEL=0 and still
# contains DES-CBC3-SHA and plain AES-SHA suites, and the options line allows TLSv1.0:
# this is a legacy-compatibility profile, not a hardened one. It is currently inactive,
# because the servers in "backend rds_gateway" are reached over plain HTTP (port 80).
# The TLS 1.3 names (TLS_AES_…) belong to ssl-default-server-ciphersuites; in a
# "ciphers" list they are presumably ignored — confirm against the installed OpenSSL.
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:@SECLEVEL=0
ssl-default-server-options ssl-min-ver TLSv1.0 no-tls-tickets
# ssl-dh-param-file etc/haproxy/dhparam.pem
log stdout format raw local0
defaults
log global
mode http
option httplog
option dontlognull
# Retry a failed connection attempt on another server (paired with "retries" below).
option redispatch
#option h1-case-adjust-bogus-client
# The frontend and backend below both set "option http-keep-alive", which overrides
# this default in those sections; presumably only "listen statistics" inherits it.
option httpclose
#no option http-use-htx
retries 3
timeout connect 10s
timeout client 30s
timeout client-fin 30s
timeout server 35s
# Applies once a connection has been upgraded to a tunnel (e.g. WebSocket/CONNECT):
# on such a connection a backend that disappears without closing the TCP session is
# only noticed through the backend health check (which triggers on-marked-down) or when
# this hour expires. NOTE(review): likely relevant to the reported freeze — confirm.
timeout tunnel 3600s
timeout http-keep-alive 15s
timeout http-request 30s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend rds_gateway_front
# Plain HTTP is accepted only to be redirected to HTTPS by the "redirect" rule below.
bind *:80
# allow-0rtt accepts TLS 1.3 early data, which is replayable by design; for a gateway
# carrying authenticated sessions, consider dropping it or adding
# "http-request wait-for-handshake" for non-idempotent requests.
bind *:443 ssl crt /etc/haproxy/pki/contoso.com.pem no-tls-tickets alpn http/1.1 allow-0rtt
mode http
log global
# Adds an X-Forwarded-For header with the client address on every forwarded request.
option forwardfor
option http-no-delay
option http-keep-alive
# option http-server-close # Connection to gw Not work with this option
# Internet Explorer and NTLM with HTTPS sites
option http-use-proxy-header
#option accept-invalid-http-request
#no option http-buffer-request
#http-reuse always
#Dump all headers
# Writes the first 1024 bytes of every request's headers — Authorization and Cookie
# values included — into the httplog line. Useful for debugging; credentials end up
# in the logs while it is enabled.
http-request capture req.hdrs len 1024
redirect scheme https code 301 if !{ ssl_fc }
default_backend rds_gateway
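backend rds_gateway
#HTTPS
#default-server ssl tfo verify none alpn http/1.1 check stick allow-0rtt
#HTTP
# Health-checked servers. "on-marked-down shutdown-sessions" closes existing sessions
# to a server only once the httpchk below has transitioned it to DOWN.
default-server alpn http/1.1 check on-marked-down shutdown-sessions
mode http
balance leastconn
log global
# Persistence: a dynamically keyed per-server cookie plus a source-IP stick table.
dynamic-cookie-key RDGW
cookie RDGW insert indirect nocache
stick-table type ip size 5000
stick on src
# no option redispatch
# no option persist
# option http-server-close
option http-keep-alive
option prefer-last-server
option httpchk GET /
http-check expect status 200
# X-Forwarded-For is already added by "option forwardfor" in the frontend; the former
# "http-request add-header X-Forwarded-For %[src]" here produced a second copy.
http-request set-header X-Forwarded-Host %[req.hdr(host)]
http-request set-header X-Forwarded-Proto https if { ssl_fc }
# Client address as seen by HAProxy. The former second rule
# "set-header X-Client-IP req.hdr_ip([X-Forwarded-For])" lacked the %[...] wrapper, so it
# overwrote this value with that literal string — and would otherwise have trusted a
# client-supplied header, which the source address does not.
http-request set-header X-Client-IP %[src]
server RDGW1 10.20.10.71:80
server RDGW2 10.20.10.72:80
#server RDGW2 10.20.10.72:443 ssl verify none alpn h2,http/1.1 check
#server RDGW1 10.20.10.72:443 ssl verify none check cookie RDGW1 weight 50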
listen statistics
# Stats page on every interface over plain HTTP: the basic-auth credentials below cross
# the network in cleartext and are stored in this file. Restrict the bind address or add
# an ACL, and consider reusing the frontend certificate for an ssl bind.
bind *:9001
mode http
log global
stats enable
stats refresh 30s
stats show-node
stats show-legends
stats show-desc desc
# Read-only page: "stats admin" is not enabled, so server state cannot be changed here.
stats auth letme:in
stats uri /stats
stats hide-version