HAProxy 1.5: requests from specific source IP addresses show up as 503 SC in the HAProxy log


I'm running into an unusual problem (as everyone on this site has). I have HAProxy listening on ports 80 and 443. I offload SSL on HAProxy and pass all traffic through to my web servers on port 80. In front of my HAProxy server there is a firewall with a NAT rule pointing at the internal listening IP address of HAProxy. We are getting odd 503 responses over SSL on port 443 from random source IP addresses. Other random IP addresses work fine over SSL. Our service is an API; most of the traffic gets through, but a very small fraction receives a 503.

Below is a working HAProxy log entry, followed by one that does not work:

localhost haproxy[5404]: XXX.XXX.XXX.XXX:54787 [15/Jun/2016:22:46:57.592] https_in_ssl~ http_www2/web1 32/0/0/232/264 200 747 - - ---- 5/4/0/1/0 0/0 "POST /webservices/ourService.asmx HTTP/1.1"

Not working:

localhost haproxy[5404]: XXX.XXX.XXX.XXX:55494 [15/Jun/2016:22:46:39.514] https_in_ssl~ https_in_ssl/<NOSRV> -1/-1/-1/-1/227 503 212 - - SC-- 3/2/0/0/0 0/0 "POST /webservices/ourService.asmx HTTP/1.0"

One thing I noticed is that in the failing log entry the frontend and the backend are the same.

Here is my configuration file:

peers prodHAproxypeers
        peer haproxylb1 10.0.0.145:1024
        peer haproxylb2 10.0.0.146:1024

global
        log     127.0.0.1 local0
#       log /dev/log local0
#       log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /var/lib/haproxy/stats
        stats timeout 30s
        tune.ssl.default-dh-param 2048
        user haproxy
        group haproxy
        daemon

defaults
        log global
        mode http
        option httplog
        option dontlognull
        option redispatch
        option forwardfor
        option http-server-close
        maxconn 5000
        timeout connect 5s
        timeout client 5h
        timeout server 5h
        timeout queue 30s
        timeout http-request 5s
        timeout http-keep-alive 15s

listen stats *:1936
        mode http
        stats enable
        stats hide-version
        stats realm Haproxy\ Statistics
        stats uri /haproxy_stats
        stats auth admin:hardPassword
        stats admin if TRUE

frontend http_in
        bind *:80
        ###Add new acl and use_backend entry for each new site
        ###new backend sections will be needed as well
        acl is_www1 hdr(host) -i www1.domainname.com
        acl is_www2 hdr(host) -i www2.domainname.com
        acl is_www3 hdr(host) -i www3.domainname.com
        acl is_www4 hdr(host) -i www4.domainname.com
        acl is_wildcardwww hdr_end(host) -i domainname.com
        use_backend http_www1 if is_www1
        use_backend http_www2 if is_www2
        use_backend http_www3 if is_www3
        use_backend http_www4 if is_www4
        use_backend http_www5 if is_www5
        option forwardfor
        option http-server-close

frontend https_in_ssl
        mode http
        bind *:443 ssl crt /etc/ssl/private/ no-sslv3
        reqadd X-Forwarded-Proto:\ https
        use_backend http_www1 if { ssl_fc_sni www1.domainname.com }
        use_backend http_www2 if { ssl_fc_sni www2.domainname.com }

        acl is_ssl_www5 hdr_end(host) -i domainname.com
        use_backend http_www5 if is_ssl_www5


backend http_www1
        balance source
        cookie SRV_ID prefix
        stick-table type ip size 1m expire 6h peers prodHAproxypeers
        stick on src
        ###This site does not use host header - only the page name is needed###
#       option httpchk HEAD /Default.aspx
        ###Added host header so haproxy can route around NLB - use below for checking###
        option httpchk HEAD /Default.aspx HTTP/1.1\r\nHost:\ www1.domainname.com
        server p-websvr01 10.0.0.10:80 cookie pweb1 weight 45 check
        server p-websvr02 10.0.0.11:80 cookie pweb2 weight 45 check
        server p-websvr03 10.0.0.115:80 cookie pweb3 weight 5 check
        server p-websvr04 10.0.0.118:80 cookie pweb4 weight 5 check

backend http_www2
        balance roundrobin
        stick-table type ip size 1m expire 6h peers prodHAproxypeers
        stick on src
        ###This site uses host headers so this type of check is required###
        option httpchk HEAD /default.htm HTTP/1.1\r\nHost:\ www2.domainname.com
        server p-websvr01 10.0.0.10:80 cookie pweb1 weight 45 check
        server p-websvr02 10.0.0.11:80 cookie pweb2 weight 45 check
        server p-websvr03 10.0.0.113:80 cookie pweb3 weight 5 check
        server p-websvr04 10.0.0.116:80 cookie pweb4 weight 5 check

backend http_www3
        balance roundrobin
        cookie SRV_ID prefix
        stick-table type ip size 1m expire 6h peers prodHAproxypeers
        stick on src
        ###This site does not use host header - only the page name is needed###
        option httpchk HEAD /login.aspx HTTP/1.1\r\nHost:\ www3.domainname.com
        server p-websvr01 10.0.0.10:80 cookie pweb1 weight 45 check
        server p-websvr02 10.0.0.11:80 cookie pweb2 weight 45 check
        server p-websvr03 10.0.0.113:80 cookie pweb3 weight 5 check
        server p-websvr04 10.0.0.116:80 cookie pweb4 weight 5 check

backend http_www4
        balance roundrobin
        cookie SRV_ID prefix
        stick-table type ip size 1m expire 6h peers prodHAproxypeers
        stick on src
        ###This site uses host header so this type of check is required###
        option httpchk HEAD /default.aspx HTTP/1.1\r\nHost:\ www4.domainname.com
        server p-websvr01 10.0.0.10:80 cookie pweb1 weight 45 check
        server p-websvr02 10.0.0.11:80 cookie pweb2 weight 45 check
        server p-websvr03 10.0.0.113:80 cookie pweb3 weight 5 check
        server p-websvr04 10.0.0.116:80 cookie pweb4 weight 5 check

backend http_www5
        balance roundrobin
        cookie SRV_ID prefix
        stick-table type ip size 1m expire 6h peers prodHAproxypeers
        stick on src
        ###This site uses host header so this type of check is required###
        option httpchk HEAD /default.aspx HTTP/1.1\r\nHost:\ www5.domainname.com
        server p-websvr01 10.0.0.10:80 cookie pweb1 weight 45 check
        server p-websvr02 10.0.0.11:80 cookie pweb2 weight 45 check
        server p-websvr03 10.0.0.115:80 cookie pweb3 weight 5 check
        server p-websvr04 10.0.0.117:80 cookie pweb4 weight 5 check

Answer 1

See the SC-- in that log entry?

This is a problem with your backend server, or a network problem between HAProxy and the backend... not on the frontend, and not related to the IP address of the connecting client.

From "Session state at disconnection" in the documentation:

SC   The server or an equipment between it and haproxy explicitly refused the TCP connection (the proxy received a TCP RST or an ICMP message in return). Under some circumstances, it can also be the network stack telling the proxy that the server is unreachable (eg: no route, or no ARP response on local network). When this happens in HTTP mode, the status code is likely a 502 or 503 here.

http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#8.5
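The termination flags alone do not say where a 503 was produced, so it helps to read the other fields of the `option httplog` line together with them. The script below is an added example, not code from the question or the answer: it parses the default HAProxy 1.5 httplog format and sorts 503/SC lines into two groups. When the logged backend name equals the frontend name (the trailing `~` only marks an SSL frontend) and the server is `<NOSRV>`, no `use_backend` rule matched and no `default_backend` exists, so the request never left the frontend and HAProxy answered the 503 itself; the `-1/-1/-1/-1` timers confirm that no backend connection was attempted. When a real backend and server are named, the SC is the server-side refusal the answer quotes. The two sample lines are the ones posted in the question (client address masked as in the original); the third is a constructed line of the second kind, and the verdict names are this example's own.

```python
"""Triage HAProxy 1.5 'option httplog' lines that carry 503 / SC--.

Added example, not part of the question or answer. Assumes the default
httplog format of HAProxy 1.5 (docs section 8.2.3); field names follow
that format, verdict labels are this example's own.
"""
import re
from collections import Counter

SAMPLE_LINES = [
    # Working line from the question (client IP masked as in the original).
    'localhost haproxy[5404]: XXX.XXX.XXX.XXX:54787 [15/Jun/2016:22:46:57.592] '
    'https_in_ssl~ http_www2/web1 32/0/0/232/264 200 747 - - ---- 5/4/0/1/0 0/0 '
    '"POST /webservices/ourService.asmx HTTP/1.1"',
    # Failing line from the question: backend == frontend, <NOSRV>, all timers -1.
    'localhost haproxy[5404]: XXX.XXX.XXX.XXX:55494 [15/Jun/2016:22:46:39.514] '
    'https_in_ssl~ https_in_ssl/<NOSRV> -1/-1/-1/-1/227 503 212 - - SC-- 3/2/0/0/0 0/0 '
    '"POST /webservices/ourService.asmx HTTP/1.0"',
    # Constructed line: a backend WAS selected and its server refused the connect.
    'localhost haproxy[5404]: 192.0.2.10:40000 [15/Jun/2016:22:50:00.000] '
    'https_in_ssl~ http_www2/p-websvr01 30/0/-1/-1/35 503 212 - - SC-- 3/2/0/0/3 0/0 '
    '"POST /webservices/ourService.asmx HTTP/1.1"',
]

# One regex over the fixed field order of the httplog format.
LOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+):(?P<cport>\d+) \[(?P<ts>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>-?\d+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rcookie>\S+) (?P<scookie>\S+) '
    r'(?P<term>\S{4}) (?P<conns>\S+) (?P<queues>\S+) "(?P<request>[^"]*)"'
)


def parse(line):
    """Return the httplog fields as a dict, or None if the line is not httplog."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("status", "bytes", "Tq", "Tw", "Tc", "Tr", "Tt"):
        d[key] = int(d[key])
    # A trailing '~' marks an SSL frontend; strip it so names compare equal.
    d["frontend"] = d["frontend"].rstrip("~")
    # Last token of the request line is the protocol version (or <BADREQ>).
    d["http_version"] = d["request"].rsplit(" ", 1)[-1]
    return d


def triage(line):
    """Classify one line by termination state and whether a backend was chosen."""
    d = parse(line)
    if d is None:
        return None
    first, second = d["term"][0], d["term"][1]
    if first == "-" and second == "-":
        verdict = "ok"                       # normal termination
    elif first == "S" and d["server"] == "<NOSRV>" and d["backend"] == d["frontend"]:
        # Request stayed in the frontend: no use_backend rule matched and there is
        # no default_backend, so the frontend (which has no servers) answered 503.
        verdict = "no_backend_matched"
    elif first == "S" and second == "C":
        verdict = "server_connect_refused"   # the 'SC' case quoted in the answer
    elif first == "S":
        verdict = "server_side_abort"
    else:
        verdict = "other"
    d["verdict"] = verdict
    return d


def summarize(lines):
    """Count verdicts over many lines, to see which cause dominates a burst."""
    return Counter(t["verdict"] for t in map(triage, lines) if t)


if __name__ == "__main__":
    for t in map(triage, SAMPLE_LINES):
        print(f'{t["status"]} {t["term"]} {t["frontend"]} -> {t["backend"]}/{t["server"]} '
              f'{t["http_version"]:9} {t["verdict"]}')
    print(dict(summarize(SAMPLE_LINES)))
```

For lines that come out as `no_backend_matched`, the useful next step is to see what the routing rules actually had to work with: `capture request header Host len 64` adds the Host header to the log, and the request line already shows whether the client spoke HTTP/1.0, which is the version that may send no Host header at all. In the question's frontend every `use_backend` rule depends on SNI or on the Host header, and there is no `default_backend`, so a request lacking both has nowhere to go.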
