Hi John.
On 17-09-2015 15:38, John Skarbek wrote:
Certainly,
Thanks.
```
[~]$ haproxy -vv
HA-Proxy version 1.5.14 2015/07/02
Copyright 2000-2015 Willy Tarreau <[email protected]>
Build options :
TARGET = linux26
CPU = generic
CC = gcc
CFLAGS = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing
OPTIONS = USE_ZLIB=yes USE_OPENSSL=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
```
You see here the bufsize ^^^^^^^ is 16K, which displays BUFSIZE at build
time, not the tune.bufsize (global.tune.bufsize).
Maybe this should be changed or modified?
This output is from
http://git.haproxy.org/?p=haproxy-1.5.git;a=blob;f=src/haproxy.c#l240
http://git.haproxy.org/?p=haproxy-1.5.git;a=blob;f=include/common/defaults.h#l26
I have found this with this search.
http://git.haproxy.org/?p=haproxy-1.5.git&a=search&h=HEAD&st=grep&s=BUFSIZE
The thing is that in init()
http://git.haproxy.org/?p=haproxy-1.5.git;a=blob;f=src/haproxy.c#l493
the chunk_init(...) and alloc_trash_buffers(..) use the
global.tune.bufsize
http://git.haproxy.org/?p=haproxy-1.5.git;a=blob;f=src/haproxy.c#l508
which is set up at global init time.
http://git.haproxy.org/?p=haproxy-1.5.git;a=blob;f=src/haproxy.c#l121
To answer the question.
Digging into documentation, I glossed over the fact that the default
buffer size isn't 16k, but actually a lower 8192. Unfortunately my
fault, reading quickly got me to this point.
It looks to me that you should have 16K bufsize due to the fact that
there is no "tune.bufsize" in your config.
How reproducible is the error?
BR Aleks
```
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
```
And the config:
```
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
maxconn 200000
tune.ssl.default-dh-param 1024
nbproc 20
defaults
log global
mode http
compression algo gzip
compression type text/html text/plain
retries 3
timeout client 400s
timeout connect 5s
timeout server 400s
timeout tunnel 400s
option abortonclose
option redispatch
option tcpka
option http-keep-alive
timeout http-keep-alive 15s
balance leastconn
listen admin
bind 192.0.2.200:901
mode http
stats uri /
stats enable
frontend main
option httplog
capture request header CF-Connecting-IP len 64
capture request header CF-Ray len 64
bind 192.0.2.100:80
bind 192.0.2.100:443 ssl crt /etc/ssl/certs/example.com ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!DH no-sslv3
maxconn 120000
reqidel ^x-forwarded-for:.*
reqidel ^client-ip:.*
acl static_asset_url url_beg /static/assets
use_backend example_s3_static_backend if static_asset_url
acl some_url url_beg /something
use_backend some_backend if some_url
redirect scheme https code 301 if !{ ssl_fc }
acl prod_is_down nbsrv(main_backend) lt 1
use_backend status_page if prod_is_down
default_backend main_backend
backend some_backend
option forwardfor
option httplog
reqirep ([\w:]+\s)(\/[\w\d]+)(\/.*) \1\ \3
option httpchk GET /healthcheck
server somenode01 192.0.2.1:8282 weight 10 slowstart 1m maxconn 8192 check
server somenode02 192.0.2.2:8282 weight 10 slowstart 1m maxconn 8192 check
backend main_backend
option forwardfor
option httplog
fullconn 132000
http-check expect status 200
cookie SERVERID insert indirect nocache
option httpchk GET /healthcheck
server mainnode01 192.0.2.11:443 weight 10 slowstart 1m maxconn 8192 check check-ssl ssl verify none cookie ID1
server mainnode02 192.0.2.12:443 weight 10 slowstart 1m maxconn 8192 check check-ssl ssl verify none cookie ID2
server mainnode03 192.0.2.13:443 weight 10 slowstart 1m maxconn 8192 check check-ssl ssl verify none cookie ID3
backend example_s3_static_backend
option forwardfor
option httplog
reqirep ^Host: Host:\ example-static.s3.amazonaws.com
reqirep ^([^\ :]*)\ (/[^/]+/[^/]+)(.*) \1\ \3
reqidel ^Authorization:.*
rspidel ^x-amz-id-2:.*
rspidel ^x-amz-request-id:.*
rspidel ^Server:.*
server aws_s3 example-static.s3-us-west-2.amazonaws.com:443 weight 10 slowstart 1m maxconn 8192 check check-ssl ssl verify required ca-file /etc/ssl/certs/ca-bundle.crt inter 60s
backend status_page
redirect location http://unavailable.example.com code 307
```
On Thu, Sep 17, 2015 at 12:18 AM, Aleksandar Lazic <[email protected]>
wrote:
Hi John.
On 17-09-2015 07:03, John Skarbek wrote:
Good Morning!
So recently I went into battle between our CDN provider and our
application team due to some HTTP400's coming from somewhere. At first
I never suspected haproxy to be at fault due to the way I was grokking
our logs. The end result is that I discovered haproxy doesn't log the
GET request, but rather only logs a `BADREQ` with a termination state of
`PR--`. Which based on reading documentation haproxy isn't going to log
a 414, but instead a 400. I ponder if this is due to something being
truncated forcing haproxy to see a malformed request.
Digging into documentation, I glossed over the fact that the default
buffer size isn't 16k, but actually a lower 8192. Unfortunately my
fault, reading quickly got me to this point. But due to reading further
the following statement is where I finally have a question; under the
config item tune.maxrewrite:
"...It is generally wise to set it to about 1024. It is automatically
readjusted to half of bufsize if it is larger than that. This means you
don't have to worry about it when changing bufsize"
Please can you post the output of haproxy -vv and the anonymized
configuration, thanks.
[snipp]
BR Aleks
--
John T Skarbek | [email protected]
Infrastructure Engineer, Engineering
1101 Haynes Street, Suite 105, Raleigh, NC 27604
720.921.8126 Office
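
Added example, not part of the original thread: a small Python check for the symptom discussed above, pulling `<BADREQ>` / `PR--` / 400 entries out of "option httplog" output and computing the request space left after the maxrewrite reserve (bufsize minus maxrewrite, with the readjustment quoted from the documentation). The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in HAProxy "option httplog" format (not from the thread).
SAMPLE_LOG = """\
Sep 17 07:01:12 lb01 haproxy[2101]: 198.51.100.7:51234 [17/Sep/2015:07:01:12.101] main main_backend/mainnode01 3/0/1/25/29 200 5120 - - --NI 12/12/3/1/0 0/0 {198.51.100.7|23a1} "GET /index HTTP/1.1"
Sep 17 07:01:13 lb01 haproxy[2101]: 198.51.100.9:40022 [17/Sep/2015:07:01:13.440] main main/<NOSRV> -1/-1/-1/-1/12 400 187 - - PR-- 11/11/0/0/0 0/0 {|} "<BADREQ>"
Sep 17 07:01:15 lb01 haproxy[2101]: 198.51.100.9:40031 [17/Sep/2015:07:01:15.002] main main/<NOSRV> -1/-1/-1/-1/9 400 187 - - PR-- 10/10/0/0/0 0/0 {|} "<BADREQ>"
Sep 17 07:01:16 lb01 haproxy[2101]: 203.0.113.4:33001 [17/Sep/2015:07:01:16.700] main some_backend/somenode01 2/0/1/40/43 404 310 - - ---- 9/9/1/1/0 0/0 {203.0.113.4|23a2} "GET /something/x HTTP/1.1"
"""

# client ip:port, [accept date], frontend, backend/server, timers, status,
# bytes, two cookie captures, termination state, counters, captures, "request"
LINE = re.compile(
    r'haproxy\[\d+\]: (?P<ip>[\d.]+):\d+ \[(?P<ts>[^\]]+)\] (?P<fe>\S+) (?P<be>\S+) '
    r'\S+ (?P<status>\d{3}) \d+ \S+ \S+ (?P<term>\S{4}) .* "(?P<req>[^"]*)"$'
)


def header_room(bufsize=16384, maxrewrite=8192):
    """Bytes a request may occupy: bufsize minus the rewrite reserve."""
    # maxrewrite is readjusted to half of bufsize when it is larger than that.
    maxrewrite = min(maxrewrite, bufsize // 2)
    return bufsize - maxrewrite


def rejected_requests(log_text):
    """Return (timestamp, client_ip) for every <BADREQ> logged with PR-- and 400."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        # "PR": the proxy aborted the session while waiting for a valid request.
        if (m and m["req"] == "<BADREQ>" and m["status"] == "400"
                and m["term"].startswith("PR")):
            hits.append((m["ts"], m["ip"]))
    return hits


def by_client(hits):
    """Count rejected requests per source address, most frequent first."""
    return Counter(ip for _, ip in hits).most_common()


if __name__ == "__main__":
    print("request room with the -vv defaults:", header_room())
    for ip, count in by_client(rejected_requests(SAMPLE_LOG)):
        print(ip, count)
```

Behind a CDN the source address in these lines is the CDN edge, so the per-client count is only a first grouping.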