5

We're trying to set up HAProxy (v1.5.1) to use SSL.

While we managed to do that, we're having some issues with the round robin settings:

We do want to have stick sessions, but haproxy seems to send all sessions (from different browsers) to the same node (my.vm.2), even though the other node (my.vm.1) is also available. So it looks like the round robin setting isn't working properly.

This is our current configuration, we would appreciate some help/ideas. :):

global
   debug
   stats socket /etc/haproxy/haproxysock level admin
   tune.ssl.default-dh-param 2048

defaults
   mode http
   balance roundrobin
   timeout connect 5s
   timeout queue   300s
   timeout client  300s
   timeout server  300s

frontend https_frontend
   bind *:8443
   mode tcp
   reqadd X-Forwarded-Proto:\ https
   default_backend my_backend


backend my_backend
   mode tcp
   stick-table type ip size 200k expire 30m
   stick on src
   default-server inter 1s
   server my.vm.1 my.vm.1:8443 check id 1 maxconn 500
   server my.vm.2 my.vm.2:8443 check id 2 maxconn 500
   option httpclose
   option redispatch
   retries 15

listen admin
   bind *:8081
   stats enable
   stats refresh 1s
Ayelet
  • 151

2 Answers2

8

I would suggest doing all your SSL processing in HAProxy and using the proxy protocol (send-proxy and accept-sslproxy) so client information gets passed from the ssl processor to the frontend+backend. That looks something like:

listen ssl-proxy
    bind 1.2.3.4:443 ssl crt /etc/ssl/mycert.pem npn http/1.1
    mode tcp
    bind-process 2 3 4
    server http 127.0.0.1:80 send-proxy

frontend dev
    #Do whatever you want here since it is http
    mode http
    bind 1.2.3.4:80 name dev
    bind 127.0.0.1:80 accept-proxy name accept-sslproxy
    bind-process 1

    acl is_ssl dst_port 443
    reqadd X-Forwarded-Proto:\ https if is_ssl
    default_backend my_backend

backend my_backend
    mode http
    #Do whatever you want here since it is http
Kyle Brandt
  • 85,693
2

Sticky sessions are IP-based, so different browsers will still go to the same backend because the source IP address remains the same.

Nathan C
  • 15,223