Hi,
I have something like this:

frontend app1
    acl app1 hdr(host) -i app1.domain.com
    default_backend app1
    use_backend app1 if app1

frontend app2
    acl app2 hdr(host) -i app2.domain.com
    default_backend app2
    use_backend app2 if app2

backend app1
    mode http
    ...
    option httpchk GET /rest/util/setting HTTP/1.0\r\nHost:\ app1.domain.com:8080\r\n
    ...
    server talaiaclu01-app1 192.168.211.13:8080 cookie server1 maxconn 1000 check inter 5000
    server talaiaclu02-app1 192.168.211.14:8080 cookie server2 maxconn 1000 check inter 5000

backend app2
    mode http
    ...
    option httpchk GET /rest/util/setting HTTP/1.0\r\nHost:\ app2.domain.com:8080\r\n
    ...
    server talaiaclu01-app2 192.168.211.13:8080 cookie server1 maxconn 1000 check inter 5000
    server talaiaclu02-app2 192.168.211.14:8080 cookie server2 maxconn 1000 check inter 5000

This should be sending requests for app1.domain.com only to backend app1. But as per statistics I can see that backend app2 is being hit. In fact I can see that the frontend is also being hit by the same request.
In fact the requests are well redirected to the right backend based on the url but statistics are perturbing me. I could understand that all frontends must be hit to determine which is the right one, but backends should not, right? And the backends never receive the requests that are not destined for them. So it seems to be only a statistics problem.
Kind regards,
Please share the complete configuration. It is unclear where you bind your ports in those 2 frontends.
Hi,
there it goes:

global
    log 127.0.0.1 local0 notice
    maxconn 4000
    tune.ssl.default-dh-param 2048
    user haproxy
    group haproxy
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    stats socket /var/run/haproxy.stat

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    timeout connect 5000
    timeout client 20000
    timeout server 20000

frontend http-redirect
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    default_backend app1

frontend openppm-app1
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff
    compression algo gzip
    bind :443 ssl crt /etc/ssl/certs/mycert.com.pem
    reqadd X-Forwarded-Proto:\ https
    acl app1 hdr(host) -i app1.domain.com
    default_backend app1
    use_backend app1 if app1

frontend openppm-app2
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff
    compression algo gzip
    bind :443 ssl crt /etc/ssl/certsmycert.com.pem
    reqadd X-Forwarded-Proto:\ https
    acl app2 hdr(host) -i app2.domain.com
    default_backend app2
    use_backend app2 if app2

backend app1
    mode http
    redirect scheme https if !{ ssl_fc }
    option httpclose
    option redispatch
    option forwardfor
    option http-server-close
    option httpchk GET /rest/util/setting HTTP/1.0\r\nHost:\ app1.domain.com:8080\r\n
    http-check expect rstatus ^200
    cookie JSESSIONID prefix
    balance roundrobin
    server tomcat01-app1 192.168.211.13:8080 cookie server1 maxconn 1000 check inter 5000
    server tomcat01-app1 192.168.211.14:8080 cookie server2 maxconn 1000 check inter 5000

backend app2
    mode http
    redirect scheme https if !{ ssl_fc }
    option httpclose
    option redispatch
    option forwardfor
    option http-server-close
    compression algo gzip
    option httpchk GET /rest/util/setting HTTP/1.0\r\nHost:\ app2.domain.com:8080\r\n
    http-check expect rstatus ^200
    cookie JSESSIONID prefix
    balance roundrobin
    server tomcat01-app2 192.168.211.13:8080 cookie server1 maxconn 1000 check inter 5000
    server tomcat01-app2 192.168.211.14:8080 cookie server2 maxconn 1000 check inter 5000

listen stats
    bind 192.168.211.13:9001
    mode http
    stats enable
    stats uri /stats
    stats realm Zabbix

Thank you!
You cannot create two different frontends listening to the same port. It doesn’t work like that.
- use a single traffic handling frontend
- if you redirect all your http traffic to https, then do it directly in the port 80 frontend instead of duplicating this in both backends
for example:

frontend http-redirect
    bind *:80
    redirect scheme https

frontend https-in
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff
    compression algo gzip
    bind :443 ssl crt /etc/ssl/certs/mycert.com.pem crt /etc/ssl/certsmycert.com.pem
    acl app1 hdr(host) -i app1.domain.com
    use_backend app1 if app1
    acl app2 hdr(host) -i app2.domain.com
    use_backend app2 if app2

backend app1
    mode http
    option httpclose
    option redispatch
    option forwardfor
    option http-server-close
    option httpchk GET /rest/util/setting HTTP/1.0\r\nHost:\ app1.domain.com:8080\r\n
    http-check expect rstatus ^200
    cookie JSESSIONID prefix
    balance roundrobin
    server tomcat01-app1 192.168.211.13:8080 cookie server1 maxconn 1000 check inter 5000
    server tomcat01-app1 192.168.211.14:8080 cookie server2 maxconn 1000 check inter 5000

backend app2
    mode http
    option httpclose
    option redispatch
    option forwardfor
    option http-server-close
    compression algo gzip
    option httpchk GET /rest/util/setting HTTP/1.0\r\nHost:\ app2.domain.com:8080\r\n
    http-check expect rstatus ^200
    cookie JSESSIONID prefix
    balance roundrobin
    server tomcat01-app2 192.168.211.13:8080 cookie server1 maxconn 1000 check inter 5000
    server tomcat01-app2 192.168.211.14:8080 cookie server2 maxconn 1000 check inter 5000

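
A check for the mistake diagnosed above, as an added example that is not part of the original posts: it scans a configuration for a bind address and port claimed by more than one frontend or listen section. The parser, the function names and the sample text are assumptions of this example; only exact duplicates are reported, with an empty host, * and 0.0.0.0 treated as the same wildcard.

```python
import re
from collections import defaultdict

# Constructed sample: the two-frontend layout from the thread, reduced to its bind lines.
SAMPLE_CFG = """\
frontend http-redirect
    bind *:80
frontend openppm-app1
    bind :443 ssl crt /etc/ssl/certs/mycert.com.pem
    default_backend app1
frontend openppm-app2
    bind :443 ssl crt /etc/ssl/certsmycert.com.pem
    default_backend app2
listen stats
    bind 192.168.211.13:9001
"""

# A section keyword at the start of a line opens a new section; group 2 is its name.
SECTION = re.compile(
    r"^(global|defaults|frontend|backend|listen|userlist|peers|resolvers)\b\s*(\S*)")

def normalize(addr):
    """Split 'host:port'; an empty host, '*' and '0.0.0.0' are the same wildcard."""
    host, _, port = addr.rpartition(":")
    return ("*" if host in ("", "*", "0.0.0.0") else host), port

def find_shared_binds(cfg_text):
    """Map (host, port) -> section names, for listeners claimed by 2+ sections."""
    owners = defaultdict(list)
    current = None  # name of the frontend/listen section being read, if any
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(2) if m.group(1) in ("frontend", "listen") else None
            continue
        tokens = line.split()
        if current and tokens[0] == "bind" and len(tokens) > 1:
            for addr in tokens[1].split(","):  # "bind a:80,b:80" lists several
                key = normalize(addr)
                if current not in owners[key]:
                    owners[key].append(current)
    return {k: v for k, v in owners.items() if len(v) > 1}

if __name__ == "__main__":
    for (host, port), names in find_shared_binds(SAMPLE_CFG).items():
        print(f"{host}:{port} is bound by: {', '.join(names)}")
```

An empty result is what the single https-in frontend layout suggested in the reply produces.
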
Hi lukastribus,
your help is much appreciated. Didn’t try it yet but this makes sense…
Thank you very much!
Edit: confirmed! Traffic is only accounted for on the right backend.