Hi and thanks for a great load balancer. We're developing a much more
complex proxy ruleset and being able to switch back to haproxy now
that it supports DNS resolution was a huge relief!
Unfortunately DNS resolution is not doing what I expect given the
configuration. When the downstream ELB to which the server points
switches IP addresses, the backend fails with an L4 timeout on the
check. DNS queries are being made, see:
https://gist.github.com/btisdall/31b57b57fee19dc79637
This is the output of "show stat resolvers":
    Resolvers section aws
     nameserver aws_0:
      sent: 2892976
      valid: 2887729
      update: 0
      cname: 0
      cname_error: 0
      any_err: 0
      nx: 0
      timeout: 0
      refused: 0
      other: 0
      invalid: 2887729
      too_big: 0
      truncated: 0
      outdated: 0

Note that "valid" and "invalid" counts increase in exact step.
Switching to "resolve-prefer ipv4" had no effect on this.

Config
=====
    resolvers aws
        nameserver aws_0 10.111.0.2:53
    # ...
    server myserver some-server.example.com:80 check resolvers aws

Build Options
==========
    HA-Proxy version 1.6.1 2015/10/20
    Copyright 2000-2015 Willy Tarreau <willy@haproxy.org>

    Build options :
      TARGET = linux2628
      CPU = generic
      CC = gcc
      CFLAGS = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
      OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1

    Default settings :
      maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

    Encrypted password support via crypt(3): yes
    Built with zlib version : 1.2.8
    Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
    Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
    Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports prefer-server-ciphers : yes
    Built with PCRE version : 8.31 2012-07-06
    PCRE library supports JIT : no (USE_PCRE_JIT not set)
    Built with Lua version : Lua 5.3.1
    Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

    Available polling systems :
      epoll : pref=300, test result OK
      poll : pref=200, test result OK
      select : pref=150, test result OK
    Total: 3 (3 usable), will use epoll.

Regards,
--
Ben