SSL Offloading and Load Balancing


#1

I have never used HAProxy before and need to configure the existing deployment to do what the title mentions. I have read some “how-tos” and it looks to have the certificate loaded correctly, but I cannot get past this error in the logs.

Server app_backend is DOWN, reason: Layer4 timeout, check duration: 0. 0 active and 0 backup servers left. Running on backup. 0 sessions active, 0 requeued, 0 remaining in queue.
0.
backend app_backend has no server available!

The two servers behind the load balancer can talk ping back and forth without any issues.

Any help would be greatly appreciated…

Thanks,
Blake


#2

Please share your configuration.

Haproxy is telling you that there is a layer4 timeout, check that the actual service responds from the haproxy box, not only ping.


#3

This is the base config I used, then subbed in the appropriate IPs. I pieced it together from what I found online in articles.

global
    log 127.0.0.1 local0
    maxconn 4000
    daemon
    uid 99
    gid 99

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout server 5s
    timeout connect 5s
    timeout client 5s
    stats enable
    stats refresh 10s
    stats uri /stats

frontend https_frontend
    bind *:443 ssl crt /etc/ssl/certs/mycertificate.pem
    mode http
    default_backend web_server

backend web_server
    mode http
    balance roundrobin
    server s1 1.2.3.4:9000 check
    server s2 2.3.4.5:9000 check

I can browse to the DNS name and the certificate looks good. However, I cannot get traffic past the LB and I only get that snippet of error. My two devices never see any traffic either.

The short version is: a system connects on 443 and the LB offloads SSL, then the traffic is passed back to the two servers on port 9000.


#4

Ok, from the haproxy load-balancer, try accessing your servers:

curl -v http://1.2.3.4:9000/
curl -v http://2.3.4.5:9000/

#5

We get the accept for HTTP/1.1 to the IP and port.

I pulled the latest running config after some more tweaking we have been doing, for your review. Thank you for the help.

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main *:80
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js

    use_backend static if url_static

    default_backend app

frontend www-https
    bind *:443 ssl crt /etc/haproxy/certificate.cer
    reqadd X-Forwarded-Proto:\ https
    default_backend app

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend static
    balance roundrobin
    server static 127.0.0.1:4331 check

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
default_backend app
    balance roundrobin
    mode http
    option httpchk
    server server1 1.2.3.4:9000 check
    server server2 1.2.3.4:9000 check


#6

Too much chaos here, sorry.

First the backend was app_backend (from the log), now it’s app? Also I don’t believe the configuration is even syntactically correct, “default_backend app” does not start a backend section, this should be “backend app” instead.

Please provide the actual configuration which haproxy is able to run and the corresponding logs (not logs from 2 days ago, when your configuration was totally different).
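The mistake pointed out above (a `default_backend app` line standing where a `backend app` header should be, so every `default_backend app` in the frontends points at a backend that does not exist) is easy to catch mechanically. The following lint is an added example for this thread, not code from the poster or from the HAProxy project. It embeds a constructed copy of the broken layout from #5 beside the corrected one and only understands section headers and the two backend-reference keywords; the real check is still `haproxy -c -f /etc/haproxy/haproxy.cfg`, which reports the same problems.

```python
import re

# Keywords that open a new section in haproxy.cfg (section name captured in group 2).
SECTION_RE = re.compile(r"^(global|defaults|frontend|listen|backend)\b\s*(\S*)")
# Keywords that reference a backend by name; only meaningful in frontend/listen sections.
REF_KEYWORDS = ("default_backend", "use_backend")


def lint_backend_refs(config_text):
    """Return sorted (line_number, message) pairs for two mistakes:
    - a backend reference keyword inside a 'backend' section, which is not valid
      there and is typically a typo for a 'backend NAME' header (the lines that
      follow it are then silently absorbed by the previous backend);
    - a backend that is referenced but never defined by a backend/listen header."""
    defined = set()
    references = []          # (line_number, backend_name)
    problems = []
    section = None           # keyword of the section we are currently inside
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            if section in ("backend", "listen"):
                defined.add(header.group(2))
            continue
        parts = line.split()
        if parts[0] in REF_KEYWORDS and len(parts) >= 2:
            if section == "backend":
                problems.append((lineno, f"'{parts[0]} {parts[1]}' is not valid in a "
                                         f"backend section; did you mean 'backend {parts[1]}'?"))
            references.append((lineno, parts[1]))
    for lineno, name in references:
        if name not in defined:
            problems.append((lineno, f"backend '{name}' is referenced but never defined"))
    return sorted(problems)


# Constructed sample: the shape of the config from #5, with the header typo.
BROKEN_CFG = """
frontend main
    bind *:80
    acl url_static path_beg -i /static /images
    use_backend static if url_static
    default_backend app

frontend www-https
    bind *:443 ssl crt /etc/haproxy/certificate.cer
    default_backend app

backend static
    balance roundrobin
    server static 127.0.0.1:4331 check

default_backend app
    balance roundrobin
    option httpchk
    server server1 1.2.3.4:9000 check
    server server2 2.3.4.5:9000 check
"""

# Same config with the header corrected, as #6 suggests.
FIXED_CFG = BROKEN_CFG.replace("\ndefault_backend app\n    balance", "\nbackend app\n    balance")


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(label)
        for lineno, msg in lint_backend_refs(cfg) or [(0, "no problems found")]:
            print(f"  line {lineno}: {msg}")
```

The broken sample yields four findings: the two frontends and the mistyped header all reference `app`, and the mistyped header itself is flagged as invalid inside `backend static`; the fixed sample yields none.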


#7

This is the latest code I just pulled after testing the curl command you sent. My colleague has been messing around all day with it and added a lot of stuff compared to when I left it, since we have become desperate and are googling everything we can…


#8

Then provide the up-to-date logs. You also did not provide the actual curl output. I don’t need your interpretation of the logs or outputs, I need the actual output.

You are making it extremely difficult to help you.


#9

(attached image: curl output cleaned)


#10


#11

Ok, in fact everything is different than initially reported.

The health-checks in the app backend are fine, but the server never responds to the GET query (timeout server strikes). Since you completely omitted the HTTP response in the curl output, I assume there is none and curl times out as well. Check your backend server and fix it.

The static backend doesn’t work at all because there isn’t even a service listening on 127.0.0.1:4331 or the service refuses the connection, as can be seen from the logs.

Any other question please provide the curl output INCLUDING all responses from the servers and error messages, instead of just the query part.
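The diagnosis in this thread turns on telling two failures apart from the load balancer's point of view: the original log (#1) shows a Layer 4 problem (the TCP connect to port 9000 never completes, so the check reports "Layer4 timeout"), while the final state (#11) is a Layer 7 problem (the connect succeeds and the health check passes, but the application never answers the GET, so `timeout server` fires). The probe below is an added example, not the poster's or HAProxy's code: it does from Python what the `curl -v` in #4 does by hand, classifies the outcome the way the HAProxy messages above describe it, and starts two constructed loopback listeners (one that answers, one that accepts and stays silent like the app in #11) so it can be run offline.

```python
import socket
import threading


def probe_backend(host, port, path="/", connect_timeout=2.0, response_timeout=2.0):
    """Open a TCP connection, send one GET and classify what comes back.

    Returns a (verdict, status_code) tuple:
      ("l4-timeout", None)  TCP connect timed out           (check log: 'Layer4 timeout')
      ("l4-refused", None)  TCP connect refused or failed   (check log: 'Layer4 connection problem')
      ("l7-timeout", None)  connected, but no status line before response_timeout ('timeout server')
      ("l7-empty",   None)  connected, but the server closed without answering
      ("l7-invalid", None)  something came back that is not an HTTP status line
      ("ok", code)          an HTTP status line came back
    """
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except socket.timeout:
        return ("l4-timeout", None)
    except OSError:
        return ("l4-refused", None)
    with sock:
        sock.settimeout(response_timeout)
        request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        try:
            sock.sendall(request.encode("ascii"))
            data = sock.recv(4096)
        except socket.timeout:
            return ("l7-timeout", None)
        except OSError:
            return ("l7-empty", None)
    if not data:
        return ("l7-empty", None)
    status_line = data.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = status_line.split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return ("ok", int(parts[1]))
    return ("l7-invalid", None)


def start_fake_backend(mode):
    """Constructed stand-in for the app on port 9000; returns (listener, port).
    mode="ok":     answer every request with a minimal 200 response.
    mode="silent": accept the connection and then never reply, like the app in #11."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(5)
    port = listener.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return                       # listener closed, stop serving
            if mode == "ok":
                conn.recv(4096)
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
                conn.close()
            else:
                closer = threading.Timer(10.0, conn.close)   # hold it open, say nothing
                closer.daemon = True
                closer.start()

    threading.Thread(target=serve, daemon=True).start()
    return listener, port


def closed_local_port():
    """Return a loopback port with nothing listening, to show the Layer 4 verdict."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    _, ok_port = start_fake_backend("ok")
    _, silent_port = start_fake_backend("silent")
    for label, port in (("healthy", ok_port), ("silent", silent_port), ("closed", closed_local_port())):
        print(label, probe_backend("127.0.0.1", port, response_timeout=1.0))
```

Run against the real backends with `probe_backend("1.2.3.4", 9000)`: an `l4-*` verdict means the problem is routing, firewalling or a service that is not listening, which no HAProxy setting will fix; an `l7-timeout` with a passing `option httpchk` means the check URL answers but the real request does not, which is the situation in #11 and again has to be fixed on the application server.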