Hi there, and first off, thanks a bunch for your comments. I did dig a bit deeper into what happens, and still am not completely sure why it happens. The “problem” generally occurs whenever a backend goes down and gets sessions with an old session cookie routed there. The app generally has two cookies, a global SSO cookie and a session cookie associated with / tied to the current backend instance.
Trying to reproduce this, I logged into the application (one instance), restarted the proxy and tried to reload the page.
- Running the application standalone or with an apache2 reverse proxy: Reloading will cause the application to create a new session and a new session cookie for that user (using the SSO information and so assuming the user has been authenticated), and I can mostly keep working fine.
- Running the application with haproxy 1.4.x in front of it: … will show exactly the same behaviour as apache2 or standalone - doing a “reload” after restarting the instance will cause the application to create a new session, a new session cookie and all is fine.
- Running the application behind haproxy 1.6 or 1.7: … will cause the application to not create a new session cookie but instead display a “Session Expired” message which, and this is worst, I cannot really get rid of, not even by re-logging in to the application; the only way to resolve this is to manually remove the JSESSIONID cookie.

I am not sure this makes sense, but whatever “the issue” is here, it is something that wasn’t around in haproxy 1.4 but is in haproxy 1.6+.
haproxy -vv:

```
HA-Proxy version 1.7.1-1ppa1~trusty 2016/12/15
Copyright 2000-2016 Willy Tarreau willy@haproxy.org

Build options :
  TARGET = linux2628
  CPU = generic
  CC = gcc
  CFLAGS = -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
  OPTIONS = USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.31 2012-07-06
Running on PCRE version : 8.31 2012-07-06
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support

Available polling systems :
  epoll : pref=300, test result OK
  poll : pref=200, test result OK
  select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
  [COMP] compression
  [TRACE] trace
  [SPOE] spoe
```
haproxy.cfg:

```
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

backend srv20
    balance leastconn
    mode http
    cookie JSESSIONID prefix indirect nocache
    server srv10080 localhost:10080 cookie srv10080 check backup
    server srv10090 localhost:10090 cookie srv10090 check backup

frontend http
    bind *:90
    mode http
    default_backend srv20
```
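
A diagnostic aid for a case like the one in this post is to compare the `Cookie` header the browser sends with the one the backend logs for the same request. The Python sketch below is an added example, not part of the original post or of HAProxy. It assumes the `~` delimiter that HAProxy's `cookie ... prefix` mode puts between the server's cookie id and the application's value; the header strings and the `SSO` cookie name are constructed.

```python
# Added diagnostic sketch; the sample headers below are constructed, not captured.
DELIM = "~"                        # assumed prefix-mode delimiter: <server id>~<app value>
KNOWN = {"srv10080", "srv10090"}   # 'cookie' ids from the server lines in the posted haproxy.cfg

def parse_cookie_header(header):
    """Return [(name, value), ...] in order, keeping duplicate names."""
    pairs = []
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def classify(header, name="JSESSIONID"):
    """Describe every occurrence of the persistence cookie in one Cookie header."""
    found = []
    for n, v in parse_cookie_header(header):
        if n != name:
            continue
        prefix, sep, rest = v.partition(DELIM)
        if not sep:
            found.append({"state": "unprefixed", "server": None, "app_value": v})
        elif prefix in KNOWN:
            found.append({"state": "prefixed", "server": prefix, "app_value": rest})
        else:
            found.append({"state": "unknown-prefix", "server": prefix, "app_value": rest})
    return found

def compare(client_side, backend_side):
    """Compare what the browser sent with what the backend logged for the same request."""
    c, b = classify(client_side), classify(backend_side)
    return {
        "duplicates_from_client": len(c) > 1,
        "prefix_reached_backend": any(x["state"] != "unprefixed" for x in b),
        "same_app_value": [x["app_value"] for x in c] == [x["app_value"] for x in b],
    }

# Constructed sample: browser-side header, and the header as the backend would log it.
CLIENT = "SSO=abc123; JSESSIONID=srv10080~0A1B2C3D"
BACKEND = "SSO=abc123; JSESSIONID=0A1B2C3D"

if __name__ == "__main__":
    print(classify(CLIENT))
    print(compare(CLIENT, BACKEND))
```

Running it against headers captured under 1.4 and under 1.6/1.7 shows whether the proxy prefix reaches the application and whether the browser holds more than one `JSESSIONID`.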