1

I have two backends (b1, b2) sitting behind the same frontend (f1) in HAProxy, routing based on host name. I can establish websocket to both b1 and b2 from my laptop, however if I try to establish websocket to b2 from b1 (through f1) I get 1006 error (closed abnormaly - unexpected EOF). Pinging b2 from b1 succeeds. Here's my config:

frontend f1
    bind            192.168.1.1:443 name 192.168.1.1:443   ssl crt-list /var/etc/haproxy/ReverseProxyHTTP.crt_list  
    mode            http
    log         global
    option          httplog
    option          http-keep-alive
    option          forwardfor

    http-request set-header     X-Forwarded-Proto http if !https
    http-request set-header     X-Forwarded-Proto https if https
    timeout client      30000
    acl         b1  var(txn.txnhost) -m beg -i b1
    acl         b2  var(txn.txnhost) -m beg -i b2
    acl         hdr_connection_upgrade  hdr(Connection) -i upgrade
    acl         hdr_upgrade_websocket   hdr(Upgrade) -i websocket

    use_backend b1ws  if  b1 hdr_connection_upgrade hdr_upgrade_websocket 
    use_backend b1  if  b1 
    use_backend b2  if  b2
backend b1ws
    mode            http
    id          119
    log         global
    stick-table type ip size 50k expire 30m
    stick on src
    balance         source
    timeout connect     30000
    timeout server      30000
    retries         3
    server          s1 192.168.1.2:443 id 101 ssl  verify none resolvers globalresolvers 

backend b1
    mode            http
    id          117
    log         global
    stick-table type ip size 50k expire 30m
    stick on src
    balance         source
    timeout connect     30000
    timeout server      30000
    retries         3
    server          s1 192.168.1.2:443 id 101 ssl  verify none resolvers globalresolvers alpn h2,http/1.1 

backend b2
    mode            http
    id          120
    log         global
    stick-table type ip size 50k expire 30m
    stick on src
    balance         source
    timeout connect     30000
    timeout server      30000
    retries         3
    timeout tunnel 3600s
    server          s2 192.168.1.3:443 id 101 ssl  verify none resolvers globalresolvers

Note: b1 and b1ws point to the same server & port tho b1 prefers http2 for grpc. If websocket header is present, b1ws will be used.

Ryan
  • 177
  • 1
  • 7
  • Are you trying to connect from B2 -> F1 -> B1? Are you certain HAProxy isn't going to route the connection back to B2? Why not just connect directly from B2 -> B1 without going through the LB? – shearn89 Dec 17 '21 at 09:44
  • @shearn89 B1 -> F1 -> B2; haproxy didn't route the connection back to B1 because if I do a simple http get to B2 (through F1) it succeeds. The LB actually does some url rewrite for compatibility reasons, besides all other typical reasons to use a load balancer. – Ryan Dec 17 '21 at 16:35

0 Answers0