Hi All,
We are using HAProxy 1.8.3 and have a peculiar situation. We want to remove
idle client connections but without specifying a HAProxy timeout; basically,
we want to rely on the backend to detect whether a client is idle or not,
because sometimes the backend might not be able to send any data on a
connection for a long time for some reason, and we do not want to close the
connection with the client because of this. Currently the backend is able to
detect an idle client and kill the connection between HAProxy and the backend,
but it looks like HAProxy is not closing the connection with the client. The
connection b/w backend and HAProxy goes into FIN_WAIT1 state on the backend
side but it is still showing ESTABLISHED on the HAProxy side. Also the
connection b/w client and HAProxy remains in ESTABLISHED state. This situation
does not change unless the client is killed. I have also tried
'option nolinger' and it did not help.
tcp   5462444       0 127.0.0.1:40567    127.0.0.1:8081      ESTABLISHED 6768/haproxy   (Connection b/w Haproxy and backend - Haproxy side)
tcp6        0  216432 10.60.106.229:80   10.62.185.40:52924  ESTABLISHED 6768/haproxy   (Connection b/w client and HAProxy)
tcp6        0 4109430 127.0.0.1:8081     127.0.0.1:40567     FIN_WAIT1   -              (Connection b/w Haproxy and backend - backend side)
Below is the HAProxy config -
=====================
global
    # paths setup
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    chroot /var/lib/haproxy
    # stats setup
    # Can use this socket to check the stats of the first process.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats bind-process 1
    stats timeout 30s
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options ssl-min-ver TLSv1.0
    ssl-dh-param-file /etc/ssl/rfc3526_group14_dhparam.pem
    # mode setup
    # master-worker mode, introduced in 1.8, is the only mode suitable to our use case.
    # For more details, see https://www.haproxy.com/blog/whats-new-haproxy-1-8/.
    master-worker
    # multicore setup
    # This template value will be filled by haproxy.sh in run time on each blade.
    nbproc 4
    # DH key setup
    # Sets the maximum size of the Diffie-Hellman parameters used for generating
    # the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange.
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog          # Enable logging of HTTP request, session state and timers
    option dontlognull      # Disable logging of null connections
    option dontlog-normal   # only log HTTP requests that error'ed out

frontend haproxy-frontend
    bind :::80 v4v6
    bind :::443 v4v6 ssl crt /ssd/net/ca/gui.pem
    default_backend ir-http-server-backend

backend ir-http-server-backend
    http-request add-header __pure-internal-http-tls-version "%[ssl_fc_protocol]"
    server server1 127.0.0.1:8081
    option nolinger
=================
Please let me know if you have any idea.
Thanks,
Shishir
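
Added example, not part of the original post: Python code that parses netstat lines like the three quoted above, pairs both ends of the loopback connection, and reports an ESTABLISHED end whose peer is already closing, together with the queued byte counts. The sample input is the post's three lines rejoined onto one line each; the function names are hypothetical.

```python
import re

# Input constructed from the three netstat lines in the post, each rejoined
# onto one line with the trailing annotations dropped.
SAMPLE = """\
tcp   5462444       0 127.0.0.1:40567    127.0.0.1:8081      ESTABLISHED 6768/haproxy
tcp6        0  216432 10.60.106.229:80   10.62.185.40:52924  ESTABLISHED 6768/haproxy
tcp6        0 4109430 127.0.0.1:8081     127.0.0.1:40567     FIN_WAIT1   -
"""

LINE = re.compile(
    r"^(?P<proto>tcp6?)\s+(?P<recv_q>\d+)\s+(?P<send_q>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_0-9]+)\s+(?P<owner>\S+)"
)
CLOSING = {"FIN_WAIT1", "FIN_WAIT2", "CLOSING", "LAST_ACK", "TIME_WAIT"}

def parse(text):
    """Return one dict per well-formed netstat TCP line; skip anything else."""
    socks = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            s = m.groupdict()
            s["recv_q"], s["send_q"] = int(s["recv_q"]), int(s["send_q"])
            socks.append(s)
    return socks

def half_closed_pairs(socks):
    """Find ESTABLISHED sockets whose other end (seen locally) is closing."""
    by_tuple = {(s["local"], s["remote"]): s for s in socks}
    found = []
    for s in socks:
        peer = by_tuple.get((s["remote"], s["local"]))
        if peer and s["state"] == "ESTABLISHED" and peer["state"] in CLOSING:
            found.append({"open_end": s["local"], "owner": s["owner"],
                          "peer_state": peer["state"],
                          "unread_bytes": s["recv_q"],   # Recv-Q: received, not yet read by owner
                          "peer_unacked_bytes": peer["send_q"]})
    return found

def backlogged(socks, threshold=1):
    """Sockets whose Send-Q (bytes not yet acknowledged by the remote end) >= threshold."""
    return [(s["local"], s["remote"], s["send_q"]) for s in socks if s["send_q"] >= threshold]

if __name__ == "__main__":
    socks = parse(SAMPLE)
    print(half_closed_pairs(socks))
    print(backlogged(socks))
```
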