Thanks for your response. Here you go,
# ---------------------------------------------------------------------
# global: process-wide settings -- logging, privilege drop, buffer and
# TLS defaults, Lua, and the runtime API ("stats socket"). Everything
# here applies to all 8 worker processes started by nbproc.
# ---------------------------------------------------------------------
global
# The Docker image doesn't run rsyslogd, so logs are sent to the Docker
# host's syslog socket instead.
# log-send-hostname @LOG_HOSTNAME@
log-tag haproxy-tst
# NOTE(review): after chroot, the /dev/log path used by the 'log' lines
# below is resolved relative to /var/lib/haproxy, so the host's syslog
# socket must be visible as /var/lib/haproxy/dev/log (bind mount), or
# logging silently goes nowhere -- confirm this is the case in the image.
chroot /var/lib/haproxy
maxconn 500000
# Privileges are dropped to haproxy:haproxy after the listening sockets
# are bound; anything opened later must be readable by this user inside
# the chroot.
user haproxy
group haproxy
# Two syslog destinations: all traffic logs to facility local1, and only
# 'err'-and-above (see 'option log-separate-errors' in defaults) copied to
# local2. 'len 8192' raises the default 1024-byte message limit so the
# long JSON log-format in 'defaults' is not truncated.
log /dev/log len 8192 local1
log /dev/log len 8192 local2 err
# Idle timeout for runtime-API connections.
stats timeout 2m
tune.maxrewrite 1024
# We have seen requests and responses with large cookies / MCP headers
# fail at the default 16k buffer size, hence the larger value. Note that
# every connection carries buffers of this size, so memory per connection
# grows accordingly.
tune.bufsize 18432
# Only relevant to DHE suites; the cipher lists below are ECDHE-only, so
# these DH parameters are effectively unused unless the list changes.
tune.ssl.default-dh-param 2048
# TLS 1.2-only profile, AEAD suites first, identical for the client-facing
# (bind) and backend-facing (server) sides. SSLv3/TLS1.0/TLS1.1 are off.
# 'no-tls-tickets' disables stateless session tickets (avoids a long-lived
# ticket key undermining forward secrecy); resumption still works through
# the in-memory session cache. If the OpenSSL build supports TLS 1.3, its
# suites are set separately via ssl-default-bind-ciphersuites and are not
# configured here. No 'bind ... ssl' line appears in this paste, so these
# defaults may currently be unused -- check the frontends not shown.
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# Loaded at startup (before the chroot takes effect). Provides the
# 'lua.broadcast_txn' action used in backend lb-backend-tst.
lua-load /etc/haproxy/bdcast.lua
# 8 worker processes. Under nbproc the runtime API and the stats page are
# per-process, which is why every socket/bind below is repeated once per
# process with a 'process N' qualifier. (nbproc is deprecated in HAProxy
# 2.x in favour of nbthread, which needs a single socket -- version
# dependent, confirm what this image runs.)
nbproc 8
# NOTE(review): the runtime API has NO authentication of its own. Anyone
# who can open a TCP connection to one of the addresses below gets
# 'level admin', i.e. full control of this proxy (disable/drain servers,
# change weights, shut down sessions, dump tables). 127.0.0.1 is fine;
# 172.17.0.2 and 172.19.0.4 look like Docker network addresses reachable
# by any container on those networks, and 10.251.1.1 is routable. Either
# restrict these with firewall / network policy, lower them to
# 'level operator' or 'level user', or remove the TCP sockets and use the
# mode-600 unix sockets further down instead.
stats socket ipv4@127.0.0.1:9035 level admin process 1
stats socket ipv4@172.17.0.2:9035 level admin process 1
stats socket ipv4@10.251.1.1:9035 level admin process 1
stats socket ipv4@172.19.0.4:9035 level admin process 1
stats socket ipv4@127.0.0.1:9036 level admin process 2
stats socket ipv4@172.17.0.2:9036 level admin process 2
stats socket ipv4@10.251.1.1:9036 level admin process 2
stats socket ipv4@172.19.0.4:9036 level admin process 2
stats socket ipv4@127.0.0.1:9037 level admin process 3
stats socket ipv4@172.17.0.2:9037 level admin process 3
stats socket ipv4@10.251.1.1:9037 level admin process 3
stats socket ipv4@172.19.0.4:9037 level admin process 3
stats socket ipv4@127.0.0.1:9038 level admin process 4
stats socket ipv4@172.17.0.2:9038 level admin process 4
stats socket ipv4@10.251.1.1:9038 level admin process 4
stats socket ipv4@172.19.0.4:9038 level admin process 4
stats socket ipv4@127.0.0.1:9039 level admin process 5
stats socket ipv4@172.17.0.2:9039 level admin process 5
stats socket ipv4@10.251.1.1:9039 level admin process 5
stats socket ipv4@172.19.0.4:9039 level admin process 5
stats socket ipv4@127.0.0.1:9040 level admin process 6
stats socket ipv4@172.17.0.2:9040 level admin process 6
stats socket ipv4@10.251.1.1:9040 level admin process 6
stats socket ipv4@172.19.0.4:9040 level admin process 6
stats socket ipv4@127.0.0.1:9041 level admin process 7
stats socket ipv4@172.17.0.2:9041 level admin process 7
stats socket ipv4@10.251.1.1:9041 level admin process 7
stats socket ipv4@172.19.0.4:9041 level admin process 7
stats socket ipv4@127.0.0.1:9042 level admin process 8
stats socket ipv4@172.17.0.2:9042 level admin process 8
stats socket ipv4@10.251.1.1:9042 level admin process 8
stats socket ipv4@172.19.0.4:9042 level admin process 8
# Local unix sockets, owner-only (mode 600). These are created before the
# privilege drop, so without an explicit 'user'/'group' on the line they
# are owned by the starting user (normally root) -- confirm the tooling
# that connects to them runs as that user.
stats socket /var/run/haproxy-1.sock mode 600 level admin process 1
stats socket /var/run/haproxy-2.sock mode 600 level admin process 2
stats socket /var/run/haproxy-3.sock mode 600 level admin process 3
stats socket /var/run/haproxy-4.sock mode 600 level admin process 4
stats socket /var/run/haproxy-5.sock mode 600 level admin process 5
stats socket /var/run/haproxy-6.sock mode 600 level admin process 6
stats socket /var/run/haproxy-7.sock mode 600 level admin process 7
stats socket /var/run/haproxy-8.sock mode 600 level admin process 8
# ---------------------------------------------------------------------
# listen stats: the HTML statistics page, one port per worker process
# (1936..1943), plus the /alive health endpoint for an upstream checker.
# This section is declared BEFORE 'defaults', so it inherits nothing from
# it -- hence the explicit mode and timeouts at the bottom.
#
# NOTE(review): there is no 'stats auth', so the page is served without
# authentication on every address below, including the non-loopback ones
# (172.17.0.2, 10.10.1.1, 172.19.0.4). 'stats admin' is not enabled, so
# it is read-only, but it still discloses backend/server names, server
# addresses, health state and live traffic counters. Add
# 'stats auth <user>:<password>' (ideally behind TLS) or bind to 127.0.0.1
# only. Also note the page binds 10.10.1.1 while the runtime-API sockets
# in global bind 10.251.1.1 -- verify both are intended.
# ---------------------------------------------------------------------
listen stats
bind 127.0.0.1:1936 process 1
bind 172.17.0.2:1936 process 1
bind 10.10.1.1:1936 process 1
bind 172.19.0.4:1936 process 1
bind 127.0.0.1:1937 process 2
bind 172.17.0.2:1937 process 2
bind 10.10.1.1:1937 process 2
bind 172.19.0.4:1937 process 2
bind 127.0.0.1:1938 process 3
bind 172.17.0.2:1938 process 3
bind 10.10.1.1:1938 process 3
bind 172.19.0.4:1938 process 3
bind 127.0.0.1:1939 process 4
bind 172.17.0.2:1939 process 4
bind 10.10.1.1:1939 process 4
bind 172.19.0.4:1939 process 4
bind 127.0.0.1:1940 process 5
bind 172.17.0.2:1940 process 5
bind 10.10.1.1:1940 process 5
bind 172.19.0.4:1940 process 5
bind 127.0.0.1:1941 process 6
bind 172.17.0.2:1941 process 6
bind 10.10.1.1:1941 process 6
bind 172.19.0.4:1941 process 6
bind 127.0.0.1:1942 process 7
bind 172.17.0.2:1942 process 7
bind 10.10.1.1:1942 process 7
bind 172.19.0.4:1942 process 7
bind 127.0.0.1:1943 process 8
bind 172.17.0.2:1943 process 8
bind 10.10.1.1:1943 process 8
bind 172.19.0.4:1943 process 8
mode http
stats enable
# Stats page served at the root of each port (unauthenticated, see above).
stats uri /
timeout connect 10s
timeout client 1m
timeout server 1m
# /alive answers 200 while at least one server in lb-backend-tst is UP and
# 503 once none are, so an external load balancer can health-check this
# proxy instead of probing the nodes directly.
acl service_down nbsrv(lb-backend-tst) lt 1
monitor-uri /alive
monitor fail if service_down
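# ---------------------------------------------------------------------
# defaults: inherited by every frontend/backend declared AFTER this
# section (lb-backend-tst and region1 here), but NOT by 'listen stats'
# above, which predates it.
# ---------------------------------------------------------------------
defaults
log global
# One JSON object per request for the ELK stack. The quotes must be plain
# ASCII: the pasted version had been mangled into typographic quotes,
# which HAProxy would emit literally and which make the output invalid
# JSON for Logstash. The string is wrapped in single quotes so the inner
# double quotes need no escaping. Only %HU carries the +E (escape) flag;
# the other quoted fields are HAProxy-generated (%ci, %tr, %ft, %b, %s,
# %tsc) or protocol tokens that should not contain a double quote (%HM,
# %HV). If further client-controlled fields are added, give them +E too,
# otherwise a crafted value can break the JSON or inject log entries.
log-format '{"type":"haproxy-tst","client_ip":"%ci","client_port":%cp,"timestamp":%Ts,"accept_date":"%tr","frontend_name":"%ft","backend_name":"%b","server_name":"%s","TR":%TR,"Tw":%Tw,"Tc":%Tc,"Tr":%Tr,"Ta":%Ta,"http_status_code":%ST,"bytes_read":%B,"bytes_uploaded":%U,"termination_state":"%tsc","actconn":%ac,"feconn":%fc,"beconn":%bc,"srvconn":%sc,"retries":%rc,"srv_queue":%sq,"backend_queue":%bq,"http_method":"%HM","http_uri":"%{+E}HU","http_version":"%HV"}'
#option httplog
# Sessions that did not complete normally are logged at level 'err'
# instead of 'info', which is what feeds the local2 err destination in
# global and lets failures be alerted on separately.
option log-separate-errors
maxconn 100000
# A 404 on the health check puts the server in maintenance (stops new
# traffic) rather than marking it DOWN.
http-check disable-on-404
monitor-uri /alive
# HTTP mode is the default for every section that follows.
mode http
# NOTE(review): these two switch off HAProxy's HTTP conformance checks
# (malformed headers, forbidden characters, etc.) in both directions.
# Differences between how HAProxy and the nodes then parse the same bytes
# are the classic request-smuggling / response-desync setup, and the
# 400/502 error pages below fire less often as a result. They were
# presumably added for one specific misbehaving client or backend --
# confirm that reason still holds and, if so, scope them to the one
# backend that needs them rather than all of them.
option accept-invalid-http-response
option accept-invalid-http-request
timeout connect 25s
# A 3h idle client timeout keeps long-lived client connections open, but
# also lets an idle client hold one of the maxconn slots for three hours;
# 'timeout http-request' below at least bounds the slow-header phase.
timeout client 3h
timeout server 10m
timeout http-request 25s
# Spread load over all backup servers once every active server is down,
# instead of using only the first backup.
option allbackups
# Custom error pages (served as raw HTTP responses from these files).
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http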
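# ---------------------------------------------------------------------
# backend lb-backend-tst: eight filter nodes on :8080, reached with a
# PROXY-protocol v1 header; Host+client-address hashing; gzip; IP and
# Host blocklists; Lua broadcast hook.
# ---------------------------------------------------------------------
backend lb-backend-tst
# fullconn is the backend load at which servers' dynamic connection limit
# (minconn..maxconn) is fully opened. None of the servers below set
# minconn, so this value currently has no effect. The original comment
# also did not match the figures: 8 nodes x 25000 = 200000, not 250000.
fullconn 250000
# Reject requests from blocklisted client addresses (one IP or CIDR per
# line). Being a backend rule, this runs after the frontend's rate-limit
# rules have already been evaluated.
acl blocked_host src -f /etc/haproxy/lists/ip_blocklist.lst
http-request deny if blocked_host
# Reject Host values known not to resolve. This is an exact, case-sensitive
# string match against the file, so a Host header carrying a ':port'
# suffix or different capitalisation will not be caught.
acl unresolvable_host req.hdr(host) -f /etc/haproxy/lists/unresolvable_hosts.lst
http-request deny if unresolvable_host
# Strip any client-supplied X-Forwarded-For: it is untrusted and this
# proxy does not add its own (the real client address reaches the node in
# the PROXY header instead, see send-proxy below). 'http-request del-header'
# replaces the legacy 'reqidel ^X-Forwarded-For:.*' regex rule, which is
# deprecated and removed in HAProxy 2.1; it matches the header name
# case-insensitively as the 'reqi' variant did.
http-request del-header X-Forwarded-For
# Call the Lua action to broadcast the transaction. Two 'acl' lines with
# the same name are OR-ed, so is_tst_rt_url matches when EITHER the Host
# is xx.yy.com OR the query string carries an 'rtparams' parameter.
acl is_tst_rt_url hdr(Host) -i xx.yy.com
acl is_tst_rt_url urlp(rtparams) -m found
# NOTE(review): is_secure_rt_url is not defined anywhere in this paste.
# HAProxy normally refuses to start when a condition names an unknown
# ACL, so the definition presumably lives in a part of the config not
# shown, or was lost when the config was redacted -- confirm.
http-request lua.broadcast_txn if is_tst_rt_url is_secure_rt_url
# Hash key = lower-cased Host + client IP + client source port. Requests
# arriving on the same TCP connection share a key and therefore a node,
# and consistent hashing keeps the mapping stable while nodes come and
# go. Because the source port is part of the key, a client that opens a
# new connection may be hashed to a different node: this is connection
# stickiness, not client/session stickiness.
http-request set-header X-LB %[req.hdr(Host),lower]%[src]%[src_port]
balance hdr(X-LB)
# gzip responses of the listed text/JSON types when the client accepts it.
compression algo gzip
compression type text/css text/html text/javascript application/javascript text/plain text/xml application/json
hash-type consistent
# Health-check cadence: every 3s while UP, 1s while transitioning, 500ms
# while DOWN; 3 consecutive failures mark a node DOWN, 2 successes bring
# it back, after which its weight ramps up to full over 10s.
default-server inter 3s fastinter 1s downinter 500ms fall 3 rise 2 slowstart 10s
# send-proxy prepends a PROXY protocol v1 line (client and frontend
# address/port) to every connection HAProxy opens to the node, so the
# node sees the real client address. The nodes must be configured to
# expect it, otherwise the line is read as a malformed HTTP request.
server node00 10.10.2.3:8080 check maxconn 25000 send-proxy
server node01 10.10.2.4:8080 check maxconn 25000 send-proxy
server node02 10.10.2.5:8080 check maxconn 25000 send-proxy
server node03 10.10.2.6:8080 check maxconn 25000 send-proxy
server node04 10.10.2.7:8080 check maxconn 25000 send-proxy
server node05 10.10.2.8:8080 check maxconn 25000 send-proxy
server node06 10.10.2.9:8080 check maxconn 25000 send-proxy
server node07 10.10.2.10:8080 check maxconn 25000 send-proxy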
# ---------------------------------------------------------------------
# frontend region1: plain HTTP on 192.168.123.110:80 feeding
# lb-backend-tst. There is no 'ssl' on the bind line, so the TLS
# defaults in global do not apply to this frontend. 'mode http', the
# timeouts and the JSON log-format are inherited from 'defaults'.
# ---------------------------------------------------------------------
frontend region1
bind 192.168.123.110:80
# /alive (monitor-uri from defaults) answers 503 once no server in the
# backend is UP.
monitor fail if { nbsrv(lb-backend-tst) lt 1 }
# Rate limiting keyed by the HOST HEADER, not by client: sc0 tracks the
# request rate per Host value across all clients, so once xx.yy.com has
# seen more than one request in the current 1s window, further requests
# to it -- from anyone -- are denied with 403. If a per-client limit was
# intended, track 'src' in a 'type ip' table instead of hdr(Host).
# 1k entries with a 1m expiry is tiny but adequate for one hostname.
stick-table type string size 1k expire 1m store http_req_rate(1s)
acl is_tst_it_url hdr(Host) -i xx.yy.com
http-request track-sc0 hdr(Host) if is_tst_it_url
http-request deny if { sc0_http_req_rate gt 1 } is_tst_it_url
# NOTE(review): this rule is a no-op as written. 'tcp-request connection
# accept' only stops evaluating later tcp-request connection rules, and
# there is no 'reject' after it, so connections from addresses NOT in
# whitelist.lst are accepted exactly as they would be without the rule.
# If an allow-list is intended it needs a following
# 'tcp-request connection reject' (which would then drop everything not
# listed) -- confirm the intent before changing it.
tcp-request connection accept if { src -f /etc/haproxy/lists/whitelist.lst }
default_backend lb-backend-tst
Points:
- The issue does not happen all the time; we see it occasionally, and only for some client IPs.
- Example: a client at x.x.x.x:30000 connects to the frontend at y.y.y.y:80. Because the servers use send-proxy, the backend normally sees the header as "PROXY TCP4 x.x.x.x y.y.y.y 30000 80", i.e. the expected format "PROXY TCP4 <client-ip> <proxy-ip> <client-source-port> <proxy-port>".
But for some requests the backend instead sees "PROXY TCP4 x.x.x.x x.x.x.x 30000 30000" -- the client's address and source port repeated in both the source and the destination fields.
I have no idea why this happens.
-Roobesh G M