5

We're trying to set up HAProxy (v1.5.1) to use SSL.

While we managed to do that, we're having some issues with the round robin settings:

We do want to have sticky sessions, but haproxy seems to send all sessions (from different browsers) to the same node (my.vm.2), even though the other node (my.vm.1) is also available. So it looks like the round robin setting isn't working properly.

This is our current configuration; we would appreciate some help/ideas. :)

global
   debug
   stats socket /etc/haproxy/haproxysock level admin
   tune.ssl.default-dh-param 2048

defaults
   mode http
   balance roundrobin
   timeout connect 5s
   timeout queue   300s
   timeout client  300s
   timeout server  300s

frontend https_frontend
   bind *:8443
   mode tcp
   reqadd X-Forwarded-Proto:\ https
   default_backend my_backend


backend my_backend
   mode tcp
   stick-table type ip size 200k expire 30m
   stick on src
   default-server inter 1s
   server my.vm.1 my.vm.1:8443 check id 1 maxconn 500
   server my.vm.2 my.vm.2:8443 check id 2 maxconn 500
   option httpclose
   option redispatch
   retries 15

listen admin
   bind *:8081
   stats enable
   stats refresh 1s
Ayelet
  • http://virtuallyhyper.com/2013/05/configure-haproxy-to-load-balance-sites-with-ssl/ this might be of some use to you, but note my answer below. – Nathan C Jul 10 '14 at 13:21
  • @NathanC We tried this configuration, but it uses mode http instead of tcp so it didn't work. To my understanding, cookies won't work with tcp. – Ayelet Jul 10 '14 at 13:32
  • aha, you're right... – Nathan C Jul 10 '14 at 13:53

2 Answers

8

I would suggest doing all your SSL processing in HAProxy and using the proxy protocol (send-proxy and accept-sslproxy) so client information gets passed from the ssl processor to the frontend+backend. That looks something like:

listen ssl-proxy
    bind 1.2.3.4:443 ssl crt /etc/ssl/mycert.pem npn http/1.1
    mode tcp
    bind-process 2 3 4
    server http 127.0.0.1:80 send-proxy

frontend dev
    #Do whatever you want here since it is http
    mode http
    bind 1.2.3.4:80 name dev
    bind 127.0.0.1:80 accept-proxy name accept-sslproxy
    bind-process 1

    acl is_ssl dst_port 443
    reqadd X-Forwarded-Proto:\ https if is_ssl
    default_backend my_backend

backend my_backend
    mode http
    #Do whatever you want here since it is http
Kyle Brandt
  • OK, so I tried this, but I now get a `502 Bad Gateway` error. Any ideas why this happens? Thanks – Ayelet Jul 10 '14 at 14:52
  • +1, mode TCP is an ill fit for session stickiness. As for 502 errors, make sure to connect to a non-encrypted HTTP port on the backend server. – Felix Frank Jul 12 '14 at 13:17
  • @FelixFrank Thanks for your comment, I tried connecting to non-encrypted tomcat servers, but now when I try to access secured pages (through haproxy) I get redirected to non-secured ones. – Ayelet Jul 13 '14 at 11:16
  • @Ayelet Tomcat should accept a certain Header to tell it about SSL being in use, even behind a proxy such as HAproxy. Make HAproxy add that header. If your application is generating the redirects, make sure that it honors the header as well. – Felix Frank Jul 14 '14 at 06:36
  • @FelixFrank Do you maybe have an example/tutorial on how to add the header in haproxy? Maybe I'm searching for the wrong thing, but I couldn't find something like that. Thanks again. :) – Ayelet Jul 14 '14 at 13:52
  • @Ayelet: Updated my answer to include adding the X-Forwarded-Proto header – Kyle Brandt Jul 14 '14 at 14:07
  • Nice :) If that doesn't help, you should open a new Question. – Felix Frank Jul 14 '14 at 14:10
  • @KyleBrandt and Felix, thank you both for your comments. I actually found a very good tutorial that refers to Haproxy's new ssl capabilities. https://www.digitalocean.com/community/tutorials/how-to-implement-ssl-termination-with-haproxy-on-ubuntu-14-04 – Ayelet Jul 31 '14 at 11:46
2

Sticky sessions are IP-based, so different browsers will still go to the same backend because the source IP address remains the same.

Nathan C
  • Are the sticky sessions only based on IP, when SSL is being used? Or does that apply to both http and https? – kasperd Jul 10 '14 at 13:16
  • @kasperd Both. You can however use session cookies instead with haproxy. – Nathan C Jul 10 '14 at 13:21
  • @NathanC But doesn't round robin mean that we should go to a different node each time we refresh the page? – Ayelet Jul 10 '14 at 13:59
  • @Ayelet Yes and no. You're using sticky sessions so you'll always get sent to the same backend until the configured timeout. Round-robin attempts to do this (different server on refresh), but from what I understand it can be random depending on node load. – Nathan C Jul 10 '14 at 14:24
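To make the answer and comments above concrete, here is an added simulation (not from any post here, and not HAProxy's own code) of `balance roundrobin` with a stick table in front of it, as in the question's `stick-table type ip size 200k expire 30m` / `stick on src`. It runs the same constructed request sequence three ways: stuck on source IP, stuck on a session cookie, and with no stickiness at all. Browsers A and B sit behind one shared address, which is why `stick on src` sends both to the same node even though the second node is idle. The server names, addresses, cookie values and timestamps are constructed for the example.

```python
from collections import OrderedDict
from itertools import cycle
from typing import Callable, Dict, Hashable, List, Optional


class StickyRoundRobin:
    """Round-robin choice with a stick table in front of it.

    Models `balance roundrobin` plus `stick-table ... expire <s>` / `stick on <key>`:
    a key already in the table is pinned to the server it first received; an
    unknown (or expired) key takes the next server in turn.
    """

    def __init__(self, servers: List[str], expire_s: int = 1800, size: int = 200_000):
        self._rr = cycle(servers)
        self.expire_s = expire_s
        self.size = size
        # key -> (server, last_seen), kept in last-seen order so the head is the
        # oldest entry: first to expire, first to be evicted when the table is full.
        self.table = OrderedDict()

    def next_server(self) -> str:
        """Plain round robin: every request advances to the next server."""
        return next(self._rr)

    def pick(self, key: Hashable, now: float) -> str:
        self._expire(now)
        entry = self.table.get(key)
        if entry is not None:
            server = entry[0]
            self.table[key] = (server, now)     # touching an entry refreshes its expiry
            self.table.move_to_end(key)
            return server
        server = self.next_server()
        if len(self.table) >= self.size:
            self.table.popitem(last=False)      # table full: drop the oldest entry
        self.table[key] = (server, now)
        return server

    def _expire(self, now: float) -> None:
        while self.table:
            key, (_, seen) = next(iter(self.table.items()))
            if now - seen < self.expire_s:
                break
            del self.table[key]


# Key extractors standing in for `stick on src`, a cookie-based stick rule, and none.
def key_by_src(req: Dict) -> Hashable:
    return req["src_ip"]


def key_by_cookie(req: Dict) -> Hashable:
    return req["cookie"]


def no_stick(req: Dict) -> Optional[Hashable]:
    return None


def simulate(servers: List[str], keyfunc: Callable, requests: List[Dict]) -> List[str]:
    """Run a request sequence through one balancer; a None key bypasses the table."""
    lb = StickyRoundRobin(servers)
    chosen = []
    for req in requests:
        key = keyfunc(req)
        chosen.append(lb.next_server() if key is None else lb.pick(key, req["t"]))
    return chosen


# Constructed sample: browsers A and B share one NAT address; C is elsewhere.
REQUESTS = [
    {"src_ip": "203.0.113.7", "cookie": "sess-A", "t": 0},
    {"src_ip": "203.0.113.7", "cookie": "sess-B", "t": 1},
    {"src_ip": "203.0.113.7", "cookie": "sess-A", "t": 2},
    {"src_ip": "198.51.100.9", "cookie": "sess-C", "t": 3},
]
SERVERS = ["my.vm.1", "my.vm.2"]

if __name__ == "__main__":
    print("stick on src:   ", simulate(SERVERS, key_by_src, REQUESTS))
    print("stick on cookie:", simulate(SERVERS, key_by_cookie, REQUESTS))
    print("no stickiness:  ", simulate(SERVERS, no_stick, REQUESTS))
```

With `stick on src` every request from 203.0.113.7 lands on my.vm.1, which is the behaviour the question describes; keying on a per-browser cookie (only possible once HAProxy sees HTTP, i.e. after TLS termination) spreads the two browsers across both nodes. The `expire` handling shows the other half of Nathan C's remark: a pinned client only moves once its table entry has aged out.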