Service Unavailable Intermittently (HTTP Proxy)

Hi,

I’ve configured HAProxy as the load balancer for a couple of Symantec proxies on the back end. Generally everything is working correctly, but I’m intermittently seeing issues with some websites. One being Twitter and the other one WhatsApp.

Looking at Twitter, when not working, the following URL does not load, https://twitter.com/push_service_worker.js, but displays a 503 error. Whether the site loads or not, I’m seeing exactly the same request headers, see attached.


If I point the browser to any of the proxy servers on the back-end directly, this error does not occur. I’ve verified this with multiple browsers.

Just wondering what else I can do to trace what is happening here? A basic tcpdump on the haproxy server, shows the request does reach the load balancer.

Thanks for any help.

Check haproxy logs and take a look at the request that fails.

Thanks. I did a full tcpdump capture and found the request dropped as the user was not authenticated. So it looks like NTLM stops working.

My config is as below. Should I be using ‘option http-keep-alive’, rather than ‘option http-tunnel’ with NTLM? Do these options need to be set on the front-end and back-end?

frontend Proxy_Front
    mode http
    bind 192.168.1.10:3128 transparent
    option httplog
    option http-tunnel
    default_backend Proxy_Back

backend Proxy_Back
    balance source
    hash-type consistent
    server proxy1 proxy1:3128 check maxconn 3000
    server proxy2 proxy2:3128 check maxconn 3000

Thanks again.

Both should work. But actually if you are just load-balancing between two outgoing proxy-servers you may as well TCP-load-balance (mode tcp). You can’t really use any HTTP features anyway so you may as well just load-balance actual TCP connections.

With TCP mode, I would get random login prompts, whereas with HTTP mode this doesn’t happen.

Do ‘http-tunnel’ and ‘http-keep-alive’ need to be set on both the frontend and backend?

Documentation is a bit confusing, as some places suggest ‘tunnel’ mode is required for NTLM, while others say to use ‘keep alive’.

It’s either http-tunnel or http-keep-alive. By configuring both one will overwrite the other.

Actually, all 3 modes (tcp mode, http mode with http-tunnel and http mode with http-keep-alive) should work with NTLM. However, because NTLM is such a fragile, non-standard and crappy protocol, the actual behavior may depend on additional factors like client and backend server behavior.

Can you post the output of haproxy -vv just to check if you are running into any known bugs on the haproxy side?

Sorry for the delay, output of the command below.

I’m wondering if this issue could be related to the proxy servers on the back end not seeing the client IPs; they’re only seeing the proxy server’s IP.

HA-Proxy version 1.8.8 2018/04/19
Copyright 2000-2018 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -fno-strict-overflow -Wno-unused-label
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
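As an added example (not from any post in this thread, and not the poster's own config): the frontend/backend above rewritten around a single connection mode, http-keep-alive, with the client address passed through to the backend proxies so they can tell clients apart. The frontend/backend names, the bind address and the proxy1/proxy2 servers are the ones in the thread; the global log target, the timeouts and the commented-out transparent-source line are assumptions of this example.

```haproxy
# Added example, not the poster's config. Names and addresses are taken from the thread;
# the log target, timeouts and the commented-out 'source' line are assumed.
global
    log 127.0.0.1:514 local0        # assumed syslog target so 'option httplog' has somewhere to write

defaults
    mode http
    log global
    option httplog                  # one request per log line: the first place to look for the 503s
    timeout connect 5s              # assumed values
    timeout client  1m
    timeout server  1m

frontend Proxy_Front
    bind 192.168.1.10:3128 transparent
    option http-keep-alive          # pick one connection mode; setting http-tunnel as well would override it
    default_backend Proxy_Back

backend Proxy_Back
    balance source                  # same client IP -> same proxy, so the NTLM exchange is not split between proxy1 and proxy2
    hash-type consistent
    option http-keep-alive          # same connection mode on both sides
    option prefer-last-server       # reuse the server a connection already authenticated against (NTLM is connection-based)
    option forwardfor               # X-Forwarded-For carries the real client IP to the Symantec proxies
    # Assumed alternative, untested here: present the client's IP at the TCP layer instead of in a header.
    # Needs the transparent proxy support shown in 'haproxy -vv' and routing that sends the
    # proxies' return traffic back through this host.
    # source 0.0.0.0 usesrc clientip
    server proxy1 proxy1:3128 check maxconn 3000
    server proxy2 proxy2:3128 check maxconn 3000
```

With this in place the haproxy log line for the failing push_service_worker.js request shows which backend server handled it and the termination state, which is the quickest way to confirm whether the 503 comes from haproxy itself or from one of the proxies.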