Hi,
We are having an issue when multiple users on the same LAN connect to our
network. We are running a network hosting maybe 20 servers/domains
behind one HA proxy. Users on different networks connect fine. We are
terminating SSL connections.
Any ideas on how to track this down? It only seems to be an issue when clients
are on the same LAN. Sample config below.
Thanks,
Tony
***
HA-Proxy version 1.7.0-1ppa1~trusty 2016/12/04
Sample Config
global
# Syslog target, runtime chroot and the unprivileged user/group the worker drops to.
log 127.0.0.1 local0
chroot /var/lib/haproxy
# Admin-level runtime socket: whoever can open it can change server state and
# weights, so "mode 660" keeps it to the socket owner and group only.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Process-wide connection ceiling; ulimit-n is kept well above it because each
# proxied connection needs roughly two descriptors (client side + server side).
maxconn 100000
ulimit-n 300040
tune.maxrewrite 1024
#tune.bufsize 32768
# Spread checks with some randomness
spread-checks 5
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Added by TZ for Kodaris
# Not supported by Java7 and earlier clients. We may need to remove
tune.ssl.default-dh-param 2048
# Added this for further security due to SSL Weak Ciphers.
# https://cipherli.st/
# Defaults for every "bind ... ssl" line. force-tlsv12 rejects any client that
# cannot negotiate TLS 1.2; no-tls-tickets disables ticket-based session
# resumption. A bind line that sets its own "ciphers" (as applicationSSL does
# below) overrides the cipher default for that listener.
ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
ssl-default-bind-ciphers AES128+EECDH:AES128+EDH
defaults
log global
mode http
maxconn 100000
# Appends the client address as X-Forwarded-For. It does not remove a value
# the client already sent, so backends must trust only the last
# (HAProxy-added) address in the list, never the first.
option forwardfor
# Close the server side after each response while keeping the client
# connection open; client idle time is bounded by "timeout http-keep-alive".
option http-server-close
option httplog
# Do not log connections that carried no data (e.g. health probes).
option dontlognull
timeout http-keep-alive 10s
timeout connect 10s
timeout client 90s
timeout server 60s
timeout check 60s
retries 2
# On connect failure, allow the retry to go to another server of the backend.
option redispatch
# Static error pages served by HAProxy itself; no backend is involved.
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend application
# Plain-HTTP listener whose only job is to send clients to HTTPS. Nothing on
# this frontend is TLS, so "!{ ssl_fc }" is always true here; the condition
# is harmless but redundant.
bind *:80
redirect scheme https code 301 if !{ ssl_fc }
mode http
# Health-check URL answered by HAProxy itself, reachable from any client.
monitor-uri /haproxy_test
option httplog
log global
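frontend applicationSSL
# TLS listener. The first "crt" is the default certificate (used when SNI
# matches nothing); the directory supplies the per-domain certificates that
# SNI selects. ciphers/force-tlsv12/no-sslv3 repeat the global
# ssl-default-bind-* settings for this bind line.
bind 0.0.0.0:443 ssl crt /etc/ssl/haproxy/kodarisWildcard.pem crt /etc/ssl/haproxy/ ciphers AES128+EECDH:AES128+EDH force-tlsv12 no-sslv3
mode http
# Health-check URL answered by HAProxy itself, reachable from any client.
monitor-uri /haproxy_test
option httplog
log global
# set-header replaces any X-Forwarded-Proto the client supplied; the previous
# "reqadd" only appended, leaving a client-chosen value visible to backends.
http-request set-header X-Forwarded-Proto https
# HSTS - 16000000 seconds: a bit more than 6 months.
# NOTE(review): the browser preload list requires max-age >= 31536000 (one
# year), so "preload" is not honoured there until max-age is raised.
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload"
# Click Jacking - Prevents an iFrame
# TODO - Need to audit site and see if we can remove iframes and use
# Cors, also need to remove iframe
http-response set-header X-Frame-Options SAMEORIGIN
# Response compression over TLS: bodies that mix attacker-influenced input with
# secrets (CSRF tokens, session ids) are exposed to BREACH-style compression
# side channels; keep such secrets out of compressed responses.
compression algo gzip
compression type text/html text/plain text/javascript application/javascript application/xml text/css
# Redirect the bare domain straight to the https:// canonical host. The old
# target was http://, which sent the client through a plaintext hop and a
# second redirect from the port-80 frontend.
redirect prefix https://www.kodaris.com code 301 if { hdr(host) -i kodaris.com }
# content switching based on SNI. SNI names are case-insensitive, so match
# with -i. Backend "kodaris" is not part of this excerpt.
# NOTE(review): SNI and the Host header are sent independently by the client;
# if the backends route on Host, switch on hdr(host) or require both to agree.
use_backend kodaris if { ssl_fc_sni -i domain1.com }
# 20 domains below this
default_backend domain1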
backend domain1
mode http
# Redundant with the defaults section; also appends X-Forwarded-For here.
option forwardfor
# Single origin, plain HTTP to the backend; health-checked every minute.
server node1 10.0.2.149:8080 check inter 1m
backend domain2
mode http
option forwardfor
balance roundrobin
# Sticky sessions: HAProxy prefixes the application's JSESSIONID value with
# the server name ("node1"/"node2"). Only the value is rewritten, so cookie
# attributes such as Secure/HttpOnly remain the application's responsibility.
cookie JSESSIONID prefix nocache
# Plain HTTP to the origins, checked every minute; requests beyond 1000
# concurrent per server wait in the backend queue.
server node1 10.0.1.190:8080 check inter 1m cookie node1 maxconn 1000
server node2 10.0.1.184:8080 check inter 1m cookie node2 maxconn 1000