Service Unavailable Intermittently (HTTP Proxy)

Help!
1

Hi,

I’ve configured HA Proxy as the load balancer for a couple of Symantec proxies on the back end. Generally everything is working correctly, but I’m intermittently seeing issues with some websites. One being Twitter and the other one What’s App.

Looking at Twitter, when not working, the following URL does not load, https://twitter.com/push_service_worker.js, but displays a 503 error. Whether the site loads or not, I’m seeing exactly the same request headers, see attached.

error

If I point the browser to any of the proxy servers on the back-end directly, this error does not occur. I’ve verified this with multiple browsers.

Just wondering what else I can do to trace what is happening here? A basic tcpdump on the haproxy server, shows the request does reach the load balancer.

Thanks for any help.

2

Check haproxy logs and get take a look at the request that fails.

3

Thanks. I did a full tcpdump capture and found the request dropped as the user was not authenticated. So it looks like NTLM stops working.

My config is as below. Should I be using ‘option http-keep-alive’, rather than ‘option http-tunnel’ with NTLM? Do these options need to be set on the front-end and back-end?

frontend Proxy_Front
mode http
bind 192.168.1.10:3128 transparent
option httplog
option http-tunnel
default_backend Proxy_Back

backend Proxy_Back
balance source
hash-type consistent
server proxy1 proxy1:3128 check maxconn 3000
server proxy2 proxy2:3128 check maxconn 3000

Thanks again.

4

Both should work. But actually if you are just load-balancing between to outgoing proxy-servers you may as well TCP-load-balance (mode tcp). You can’t really use any HTTP features anyway so you may as well just load-balance actual TCP connections.

5

With TCP mode, I would get random login prompts, whereas with HTTP mode this doesn’t happen.

Do ‘http-tunnel’ and ‘http-keep-alive’ need to be set on both the frontend and backend?

Documentation is a bit confusing, as some places suggest ‘tunnel’ mode is required for NTLM, while others say to use ‘keep alive’.

6

It’s either http-tunnel or http-keep-alive. By configuring both one will overwrite the other.

Actually, all 3 modes (tcp mode, http mode with http-tunnel and http mode with http-keep-alive) should work with NTLM. However, because NTLM is such an fragile, non-standard and crappy protocol, the actual behavior may depend on additional factors like client and backend server behavior.

Can you post the output of haproxy -vv just to check if you are running into any known bugs on the haproxy side?

7

Sorry for the delay, output of the command below.

I’m wondering if this issue could be related to the proxy servers on the back end, not seeing the client IPs, it’s only seeing the proxy server’s IP.

HA-Proxy version 1.8.8 2018/04/19
Copyright 2000-2018 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -fno-strict-overflow -Wno-unused-label
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity(“identity”), deflate(“deflate”), raw-deflate(“deflate”), gzip(“gzip”)
Built with network namespace support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace