On 5/8/2022 3:16 AM, Willy Tarreau wrote:
> There's no good solution to this, except by forcing the exact address yourself. The BSD socket API doesn't permit sending UDP packets from a specific source, so the commonly used approach for clients is to bind while sending the first packet, but that doesn't work for a server that faces many clients, as it would restrict the traffic to the first IP used.
Thanks for that info. I got it working. I set the wildcard entry in my internal DNS to the VIP, configured a specific name to point to the machine's primary address, and then bound quic directly to the VIP address only. TCP bindings are still 0.0.0.0. Then I changed the port forwarding in my router to point ports 22/tcp, 80/tcp, 443/tcp, and 443/udp to the VIP.
Adding documentation about this quirk of UDP sounds like an excellent idea. The doc for QUIC should point the user to the doc for UDP for details.
> Note that in order for the two haproxy nodes to bind to the virtual address you'll likely have to enable ip_nonlocal_bind, but I guess you already have it.
When I had two haproxy instances, I didn't need ip_nonlocal_bind. Probably because I used 0.0.0.0 for all bindings and the VIP didn't exist at the time. The dev version has proven stable enough for my purposes that I eliminated the second instance. If I have a problem with it in the near future, I can roll back to a prior commit and rebuild.
Thanks, Shawn
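For readers following the thread, here is what the layout Shawn describes looks like as a haproxy frontend: the TCP listeners stay on the wildcard address, while the QUIC listener is bound to the VIP alone so that UDP replies always leave from the address the client spoke to. This is an added illustration, not a configuration posted in the thread; the VIP 192.0.2.10, the certificate directory, the frontend and backend names are placeholders.

```haproxy
frontend fe_web
    mode http
    # TCP listeners can stay on the wildcard address: the kernel answers
    # a TCP connection from whichever local address accepted it.
    bind 0.0.0.0:80
    bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    # QUIC runs over UDP, and a socket bound to 0.0.0.0 would reply from
    # the kernel's preferred source address rather than the VIP, so the
    # QUIC listener is bound to the VIP only (placeholder address).
    bind quic4@192.0.2.10:443 ssl crt /etc/haproxy/certs/ alpn h3
    # Advertise HTTP/3 on the same port so clients may upgrade.
    http-response set-header alt-svc 'h3=":443"; ma=3600'
    default_backend be_app

backend be_app
    mode http
    server app1 10.0.0.10:8080 check
```

With this layout only 443/udp needs to reach the VIP, which matches the router forwarding described above. If a second node must hold the same listener while the VIP is not yet configured on it, the ip_nonlocal_bind sysctl Willy mentions (net.ipv4.ip_nonlocal_bind=1) lets the bind succeed; with a single instance that actually owns the address it is not needed.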

