Haproxy sometimes chooses a wrong ACL

I am using HAProxy 1.4.22. I have the following haproxy.conf file:

global
maxconn 100000
daemon

defaults
mode http
retries 1
contimeout 8000
clitimeout 120000
srvtimeout 120000
stats enable
stats uri /haproxy-stats
stats auth admin:****************
option httpchk

frontend http-in
bind 16.9.13.39:80
maxconn 100000
acl is_l1 hdr_end(host) -i l1.mydomain.com
acl is_l2 hdr_end(host) -i l2.mydomain.com
acl is_l3 hdr_end(host) -i l3.mydomain.com
acl is_l0 hdr_end(host) -i mydomain.com
use_backend lora1 if is_l1
use_backend lora2 if is_l2
use_backend lora3 if is_l3
use_backend lora0 if is_l0
default_backend lora0

backend lora0
balance roundrobin
option forwardfor except 127.0.0.1 # stunnel already adds the header
server s0 127.0.0.1:5000 check inter 60000

backend lora1
balance source
option forwardfor except 127.0.0.1 # stunnel already adds the header
server s1 127.0.0.1:5001 check inter 60000

backend lora2
balance source
option forwardfor except 127.0.0.1 # stunnel already adds the header
server s2 127.0.0.1:5002 check inter 60000

backend lora3
balance source
option forwardfor except 127.0.0.1 # stunnel already adds the header
server s3 127.0.0.1:5003 check inter 60000

Everything is normal except for about 0.2% of customers, sometimes when the request comes from l1, l2 or l3. For example:

http://l3.mydomain.com/something

For some reason, HAProxy does not match the domain name and instead uses the default backend. I have set up logging in my application and it reports that the hostname of the receiving end is actually "L3.mydomain.com". The following are the headers my application received:

host:'l3.mydomain.com',
'user-agent':'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4',
accept:'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
referer:'http://mydomain.com/menu/2034414/e2e1abb5500ed51391d6351b1cf03695',
'accept-encoding':'gzip,deflate,sdch',
'accept-language':'en-US,en;q=0.8',
'accept-charset':'ISO-8859-1,utf-8;q=0.7,*;q=0.3',
'x-proxy-id': '1407537728',
'x-forwarded-for': '10.201.4.168',
via: '1.1 10.201.255.254 (Mikrotik HttpProxy)'

Question:

Do I use hdr_end() correctly, and will there be some special cases when the matching may fail?

Is there a way to record the actual HTTP header received by HAProxy, but only when there is no match and the default_backend rule is used?

The problem is that the remote user's proxy sees that mydomain.com and l3.mydomain.com are both the same IP address and tries to reuse the connection. Adding the http-server-close option solves this problem.
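
A simplified model of the behaviour described in the answer above, as an added example that is not part of the original post and not HAProxy's own code. It assumes the HAProxy 1.4 default, where only the first request on a connection is matched against the ACLs, and compares it with per-request routing as enabled by option http-server-close; the function names and the sample connection are constructed for illustration.

```python
# Simplified model of HAProxy 1.4 host routing (added example, not HAProxy code).
# Rules mirror the frontend in the question: the first matching use_backend wins.
RULES = [
    ("l1.mydomain.com", "lora1"),
    ("l2.mydomain.com", "lora2"),
    ("l3.mydomain.com", "lora3"),
    ("mydomain.com", "lora0"),
]
DEFAULT_BACKEND = "lora0"


def pick_backend(host):
    """hdr_end(host) -i: case-insensitive suffix match on the Host header."""
    host = host.lower()
    for suffix, backend in RULES:
        if host.endswith(suffix):
            return backend
    return DEFAULT_BACKEND


def route_connection(hosts, per_request):
    """Return (host, backend) for each request sent on one client connection.

    per_request=False: 1.4 default, only the first request is analysed and
    later requests follow it. per_request=True: option http-server-close,
    every request is routed on its own Host header.
    """
    routed = []
    chosen = None
    for host in hosts:
        if per_request or chosen is None:
            chosen = pick_backend(host)
        routed.append((host, chosen))
    return routed


def misrouted(routed):
    """Requests whose backend differs from what the ACLs say for their Host."""
    return [(h, b) for h, b in routed if b != pick_backend(h)]


# Constructed sample: an upstream proxy reuses one connection for two hosts
# that resolve to the same IP address.
SAMPLE = ["mydomain.com", "l3.mydomain.com"]

if __name__ == "__main__":
    for mode in (False, True):
        result = route_connection(SAMPLE, per_request=mode)
        print("per_request=%s misrouted=%s" % (mode, misrouted(result)))
```

The misrouted() comparison is the same check the asker's application logging made: a request whose Host belongs to one backend arriving at another.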
