Hello
I am trying to do stickiness on X-SSL-Client-CN but requests still go roundrobin on both backend servers.
The CN is set properly in the SSL connection from the client to HAProxy.
Please suggest the missing config.
X-SSL-Client-CN = client
backend cdp1
mode tcp
balance roundrobin
stick-table type string size 204800
stick store-request req.hdr(X-SSL-Client-CN)
stick match req.hdr(X-SSL-Client-CN)
server app1 1.0.0.1:22 check
server app2 1.0.0.2:22 check
timeout server 2h
Who is setting the X-SSL-Client-CN header? The browser/client? That seems strange. You probably want to use the pattern %{+Q}[ssl_c_s_dn(cn)]
This pattern throws an error. Is there anything wrong in this config?
backend cdp1
mode tcp
balance roundrobin
stick-table type string size 204800
stick store-request %{+Q}[ssl_c_s_dn(cn)]
stick match %{+Q}[ssl_c_s_dn(cn)]
server app1 1.0.0.1:22 check
server app2 1.0.0.2:22 check
timeout server 2h
[ALERT] 158/123804 (25481) : parsing [/etc/haproxy/haproxy.cfg:154] : 'stick': unknown fetch method '%{+Q}[ssl_c_s_dn'
[ALERT] 158/123804 (25481) : parsing [/etc/haproxy/haproxy.cfg:155] : 'stick': unknown fetch method '%{+Q}[ssl_c_s_dn'
[ALERT] 158/123804 (25481) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
I got it working. stick match should come before stick store.
Thanks,
Client request One : CN=client1
$ echo "show table cdp1" | sudo socat /var/run/haproxy.sock stdio
table: cdp1, type: string, size:204800, used:0
$ echo "show table cdp1" | sudo socat /var/run/haproxy.sock stdio
table: cdp1, type: string, size:204800, used:1
0xab4f24: key=client1 use=0 exp=0 server_id=1
Client request Two: CN=client1
$ echo "show table cdp1" | sudo socat /var/run/haproxy.sock stdio
table: cdp1, type: string, size:204800, used:1
0xab4f24: key=client1 use=0 exp=0 server_id=1
backend cdp1
mode tcp
balance roundrobin
stick-table type string size 204800
stick match ssl_c_s_dn(cn)
stick store-request ssl_c_s_dn(cn)
server app1 1.0.0.1:22 check
server app2 1.0.0.2:22 check
timeout server 2h
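The working config above is verified by hand with `show table cdp1` over the stats socket. The following is an added example, not code from the thread or from HAProxy: a small parser for that `show table` output plus a check that a given key (here the client certificate CN) keeps the same `server_id` between two dumps, which is what stickiness is supposed to guarantee. The two snapshots are constructed sample data modelled on the dumps in the thread (the entry addresses and `use`/`exp` counters are made up); in real use, feed it the text returned by `echo "show table cdp1" | socat /var/run/haproxy.sock stdio`. Note that `ssl_c_s_dn(cn)` only yields a value when HAProxy itself terminates the TLS session and has verified the client certificate; if the frontend passes TLS through untouched, the fetch is empty and every connection would be stored under an empty key.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample data: two successive "show table cdp1" dumps in the
# format HAProxy prints on the stats socket. Not real output from the thread.
SNAPSHOT_1 = """table: cdp1, type: string, size:204800, used:1
0xab4f24: key=client1 use=0 exp=0 server_id=1
"""
SNAPSHOT_2 = """table: cdp1, type: string, size:204800, used:2
0xab4f24: key=client1 use=0 exp=0 server_id=1
0xab5130: key=client2 use=1 exp=0 server_id=2
"""

# Header line: "table: <name>, type: <type>, size:<n>, used:<n>"
HEADER_RE = re.compile(
    r"^table:\s*(?P<name>[^,]+),\s*type:\s*(?P<type>\w+),"
    r"\s*size:\s*(?P<size>\d+),\s*used:\s*(?P<used>\d+)"
)
# Entry line: "<addr>: key=<key> <field>=<value> ..."; keys with spaces are
# not expected for a CN-style string key and are not handled here.
ENTRY_RE = re.compile(r"^0x[0-9a-fA-F]+:\s*key=(?P<key>\S+)\s*(?P<rest>.*)$")


def parse_show_table(text: str) -> Tuple[dict, Dict[str, dict]]:
    """Parse a 'show table' dump into (header metadata, {key: fields})."""
    meta: dict = {}
    entries: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            meta = {
                "name": m.group("name").strip(),
                "type": m.group("type"),
                "size": int(m.group("size")),
                "used": int(m.group("used")),
            }
            continue
        m = ENTRY_RE.match(line)
        if m:
            fields: dict = {}
            for tok in m.group("rest").split():
                k, _, v = tok.partition("=")
                fields[k] = int(v) if v.isdigit() else v
            entries[m.group("key")] = fields
            continue
        raise ValueError(f"unrecognised show table line: {line!r}")
    # Sanity check: the header's used count must match the entries dumped.
    if meta and meta["used"] != len(entries):
        raise ValueError(f"header says used={meta['used']} but {len(entries)} entries parsed")
    return meta, entries


def server_for(entries: Dict[str, dict], key: str) -> Optional[int]:
    """Return the server_id stuck to `key`, or None if the key is absent."""
    fields = entries.get(key)
    return None if fields is None else fields.get("server_id")


def moved_keys(before: Dict[str, dict], after: Dict[str, dict]) -> List[str]:
    """Keys present in both dumps whose server_id changed (stickiness broken)."""
    return sorted(
        k for k in before
        if k in after and before[k].get("server_id") != after[k].get("server_id")
    )


if __name__ == "__main__":
    _, first = parse_show_table(SNAPSHOT_1)
    _, second = parse_show_table(SNAPSHOT_2)
    print("client1 ->", server_for(second, "client1"))
    print("keys that changed server:", moved_keys(first, second) or "none")
```

Running this against dumps taken before and after a batch of client connections gives a quick, scriptable answer to the question in the first post: if `moved_keys` is empty and each CN shows a single `server_id`, the stick rules are being applied.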