I have run into an unusual problem (as everyone on this site has). I have HAProxy listening on ports 80 and 443. I offload the SSL encryption to HAProxy and pass all traffic to my web servers over port 80. In front of my HAProxy server is a firewall with a NAT rule pointing at the HAProxy's internal listening IP address. Over SSL on port 443 we get odd 503 responses for random source IP addresses; other random IP addresses work fine over SSL. Our service is an API, and most traffic gets through, but a very small fraction receives a 503.
Here is a HAProxy log entry that works and one that does not.
Working:
localhost haproxy[5404]: XXX.XXX.XXX.XXX:54787 [15/Jun/2016:22:46:57.592] https_in_ssl~ http_www2/web1 32/0/0/232/264 200 747 - - ---- 5/4/0/1/0 0/0 "POST /webservices/ourService.asmx HTTP/1.1"
Not working:
localhost haproxy[5404]: XXX.XXX.XXX.XXX:55494 [15/Jun/2016:22:46:39.514] https_in_ssl~ https_in_ssl/<NOSRV> -1/-1/-1/-1/227 503 212 - - SC-- 3/2/0/0/0 0/0 "POST /webservices/ourService.asmx HTTP/1.0"
One thing I notice is that in the failing log entry the frontend and the backend are the same.
Here is my config file:
peers prodHAproxypeers
    peer haproxylb1 10.0.0.145:1024
    peer haproxylb2 10.0.0.146:1024

global
    log 127.0.0.1 local0
    # log /dev/log local0
    # log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /var/lib/haproxy/stats
    stats timeout 30s
    tune.ssl.default-dh-param 2048
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option redispatch
    option forwardfor
    option http-server-close
    maxconn 5000
    timeout connect 5s
    timeout client 5h
    timeout server 5h
    timeout queue 30s
    timeout http-request 5s
    timeout http-keep-alive 15s

listen stats *:1936
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy_stats
    stats auth admin:hardPassword
    stats admin if TRUE

frontend http_in
    bind *:80
    ###Add new acl and use_backend entry for each new site
    ###new backend sections will be needed as well
    acl is_www1 hdr(host) -i www1.domainname.com
    acl is_www2 hdr(host) -i www2.domainname.com
    acl is_www3 hdr(host) -i www3.domainname.com
    acl is_www4 hdr(host) -i www4.domainname.com
    acl is_wildcardwww hdr_end(host) -i domainname.com
    use_backend http_www1 if is_www1
    use_backend http_www2 if is_www2
    use_backend http_www3 if is_www3
    use_backend http_www4 if is_www4
    use_backend http_www5 if is_wildcardwww
    option forwardfor
    option http-server-close

frontend https_in_ssl
    mode http
    bind *:443 ssl crt /etc/ssl/private/ no-sslv3
    reqadd X-Forwarded-Proto:\ https
    use_backend http_www1 if { ssl_fc_sni www1.domainname.com }
    use_backend http_www2 if { ssl_fc_sni www2.domainname.com }
    acl is_ssl_www5 hdr_end(host) -i domainname.com
    use_backend http_www5 if is_ssl_www5

backend http_www1
    balance source
    cookie SRV_ID prefix
    stick-table type ip size 1m expire 6h peers prodHAproxypeers
    stick on src
    ###This site does not use host header - only the page name is needed###
    # option httpchk HEAD /Default.aspx
    ###Added host header so haproxy can route around NLB - use below for checking###
    option httpchk HEAD /Default.aspx HTTP/1.1\r\nHost:\ www1.domainname.com
    server p-websvr01 10.0.0.10:80 cookie pweb1 weight 45 check
    server p-websvr02 10.0.0.11:80 cookie pweb2 weight 45 check
    server p-websvr03 10.0.0.115:80 cookie pweb3 weight 5 check
    server p-websvr04 10.0.0.118:80 cookie pweb4 weight 5 check

backend http_www2
    balance roundrobin
    stick-table type ip size 1m expire 6h peers prodHAproxypeers
    stick on src
    ###This site uses host headers so this type of check is required###
    option httpchk HEAD /default.htm HTTP/1.1\r\nHost:\ www2.domainname.com
    server p-websvr01 10.0.0.10:80 cookie pweb1 weight 45 check
    server p-websvr02 10.0.0.11:80 cookie pweb2 weight 45 check
    server p-websvr03 10.0.0.113:80 cookie pweb3 weight 5 check
    server p-websvr04 10.0.0.116:80 cookie pweb4 weight 5 check

backend http_www3
    balance roundrobin
    cookie SRV_ID prefix
    stick-table type ip size 1m expire 6h peers prodHAproxypeers
    stick on src
    ###This site does not use host header - only the page name is needed###
    option httpchk HEAD /login.aspx HTTP/1.1\r\nHost:\ www3.domainname.com
    server p-websvr01 10.0.0.10:80 cookie pweb1 weight 45 check
    server p-websvr02 10.0.0.11:80 cookie pweb2 weight 45 check
    server p-websvr03 10.0.0.113:80 cookie pweb3 weight 5 check
    server p-websvr04 10.0.0.116:80 cookie pweb4 weight 5 check

backend http_www4
    balance roundrobin
    cookie SRV_ID prefix
    stick-table type ip size 1m expire 6h peers prodHAproxypeers
    stick on src
    ###This site uses host header so this type of check is required###
    option httpchk HEAD /default.aspx HTTP/1.1\r\nHost:\ www4.domainname.com
    server p-websvr01 10.0.0.10:80 cookie pweb1 weight 45 check
    server p-websvr02 10.0.0.11:80 cookie pweb2 weight 45 check
    server p-websvr03 10.0.0.113:80 cookie pweb3 weight 5 check
    server p-websvr04 10.0.0.116:80 cookie pweb4 weight 5 check

backend http_www5
    balance roundrobin
    cookie SRV_ID prefix
    stick-table type ip size 1m expire 6h peers prodHAproxypeers
    stick on src
    ###This site uses host header so this type of check is required###
    option httpchk HEAD /default.aspx HTTP/1.1\r\nHost:\ www5.domainname.com
    server p-websvr01 10.0.0.10:80 cookie pweb1 weight 45 check
    server p-websvr02 10.0.0.11:80 cookie pweb2 weight 45 check
    server p-websvr03 10.0.0.115:80 cookie pweb3 weight 5 check
    server p-websvr04 10.0.0.117:80 cookie pweb4 weight 5 check
Answer 1
See the SC-- in that log entry?
This is a problem with your backend server, or a network problem between HAProxy and the backend... not on the frontend, and not related to the IP address of the connecting client.
From "Session state at disconnection" in the documentation:
SC  The server or an equipment between it and haproxy explicitly refused the TCP connection (the proxy received a TCP RST or an ICMP message in return). Under some circumstances, it can also be the network stack telling the proxy that the server is unreachable (eg: no route, or no ARP response on local network). When this happens in HTTP mode, the status code is likely a 502 or 503 here.
http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#8.5
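The termination-state reading above can be automated for triage. The following is an added example, not code from the original post or from HAProxy: a small parser for the httplog format (field order from the HAProxy 1.6 documentation) run over the question's own two log lines, decoding the flags, the -1 timers and the <NOSRV> server field that together distinguish "no server was selected" from "a server refused the connection".

```python
import re

# HAProxy 1.6 "option httplog" fields (doc section 8.2.3): client:port [date] frontend
# backend/server Tq/Tw/Tc/Tr/Tt status bytes req_ck resp_ck termination_state conns queues "req"
HTTPLOG_RE = re.compile(
    r'(?P<client>\S+):(?P<port>\d+) \[(?P<ts>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) (?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/'
    r'(?P<tr>-?\d+)/(?P<tt>-?\d+) (?P<status>\d{3}) (?P<bytes>\d+) \S+ \S+ '
    r'(?P<flags>\S{4}) \S+ \S+ "(?P<request>[^"]*)"')

# Termination state, first two chars (doc section 8.5): cause, then phase. Unlisted codes pass through.
CAUSE = {"-": "normal", "C": "client aborted", "c": "client-side timeout",
         "s": "server-side timeout", "P": "proxy aborted (policy or limit)",
         "S": "server side (connection refused/aborted, or no server available)"}
STATE = {"-": "normal", "R": "reading client request", "Q": "waiting in queue",
         "C": "waiting for server connection", "H": "waiting for server headers"}

# The two lines from the question (client address already masked by the poster).
GOOD = ('localhost haproxy[5404]: XXX.XXX.XXX.XXX:54787 [15/Jun/2016:22:46:57.592] '
        'https_in_ssl~ http_www2/web1 32/0/0/232/264 200 747 - - ---- 5/4/0/1/0 0/0 '
        '"POST /webservices/ourService.asmx HTTP/1.1"')
BAD = ('localhost haproxy[5404]: XXX.XXX.XXX.XXX:55494 [15/Jun/2016:22:46:39.514] '
       'https_in_ssl~ https_in_ssl/<NOSRV> -1/-1/-1/-1/227 503 212 - - SC-- 3/2/0/0/0 0/0 '
       '"POST /webservices/ourService.asmx HTTP/1.0"')

def parse_httplog(line):
    """Named fields of one httplog line; the '~' HAProxy appends to an SSL frontend is stripped."""
    m = HTTPLOG_RE.search(line)
    if not m:
        raise ValueError("not an httplog line: %r" % line)
    e = m.groupdict()
    e["frontend"] = e["frontend"].rstrip("~")
    e["status"] = int(e["status"])
    for k in ("tq", "tw", "tc", "tr", "tt"):  # -1 marks a phase the request never completed
        e[k] = int(e[k])
    return e

def triage(e):
    """Explain a 5xx using only what the log line itself records."""
    notes = []
    if e["status"] < 500:
        return notes
    f = e["flags"]
    notes.append("cause=%s; state=%s" % (CAUSE.get(f[0], f[0]), STATE.get(f[1], f[1])))
    if e["server"] == "<NOSRV>":
        notes.append("<NOSRV>: no server was ever selected for this request")
    if e["backend"] == e["frontend"]:
        notes.append("backend equals frontend: no use_backend rule matched, no default_backend")
    if e["tc"] == -1:
        notes.append("Tc=-1: no connection attempt to a server was made")
    return notes
```

Run over the failing line this yields four findings; over the working line none, so the same function can be pointed at a whole log file to separate "no backend chosen" 503s from genuine server refusals.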