Hi,
I am using haproxy to proxy SVN connections. The process works as follows:
* The SVN client opens a TCP connection and sends multiple pipelined GET
requests
* HAProxy opens a connection to a backend for each request
* The backends respond with chunked data
* Haproxy sends each reply back to the client in the appropriate order
Unfortunately, in this scenario, I believe I'm running into a bug
whereby the chunked content is being corrupted. To me, it appears that
parts of the content are being repeated and overrunning the end of the chunk.
I'm attaching 2 pcap files, one containing a corrupt stream of requests
and responses, and the other containing the clean request and response
for one of the corrupt files. Both captures were taken simultaneously on
the host running HAProxy. Also attached is my full config.
Please let me know if you have any ideas, or if there is any more
information I can provide.
Charlie
# Process-wide settings. The daemon drops to an unprivileged account and
# chroots itself (chroot/user/group below).
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
# Runtime API socket. With mode 660 and 'level admin', every member of the
# socket's group can change server state at runtime; keep that group small.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 10000
# Kernel TCP splicing is disabled for this instance (reason not recorded here).
nosplice
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL).
# NOTE(review): this list still admits RC4-SHA and static-RSA key exchange
# (kRSA, no forward secrecy). Removing both is worth considering once client
# compatibility has been checked.
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
# Only SSLv3 is refused here; older TLS versions stay allowed by this config
# on every 'ssl' bind that does not override it.
ssl-default-bind-options no-sslv3
# Inherited by every listen section below, including the plain-HTTP stats page.
defaults
log global
balance roundrobin
option dontlognull
# The server-side connection is closed after each response while the client
# side stays keep-alive. NOTE(review): this matches the "one backend connection
# per pipelined request" behaviour described in the report, so it is directly
# relevant to the chunked-response corruption being investigated.
option http-server-close
timeout connect 10s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# One-hour idle timeouts on both sides (presumably for long SVN operations).
# Each idle client connection holds one of the 10000 maxconn slots for that long.
timeout client 3600s
timeout server 3600s
# Statistics / admin page, exposed on two public-facing addresses.
listen stats
# No 'ssl' on these binds: the page and its basic-auth credentials travel in
# clear text over port 8888.
bind 185.22.208.17:8888 transparent
bind 185.22.208.18:8888 transparent
mode http
option httplog
stats enable
# Admin actions (enable/disable servers, etc.) are available to every
# authenticated user; an ACL on source address would narrow this.
stats admin if TRUE
stats uri /
stats hide-version
# Single shared account; credentials redacted in the report.
stats auth xxxxxxxx:xxxxxxxx
# Codebase web and SVN-over-HTTP front end; this is the section the report is about.
listen codebase
bind 185.22.208.194:80 transparent
# Several certificates on one bind: chosen by SNI, the first listed is the
# default for clients that send none.
bind 185.22.208.194:443 transparent ssl crt /etc/haproxy/ssl/codebase.pem crt /etc/haproxy/ssl/code.buckleconsulting.com.pem crt /etc/haproxy/ssl/code.0x0049.com.pem crt /etc/haproxy/ssl/support.biteda.com.pem crt /etc/haproxy/ssl/projecten.chessweb.eu.pem
bind 2a00:67a0:a:3::194:80 transparent
bind 2a00:67a0:a:3::194:443 transparent ssl crt /etc/haproxy/ssl/codebase.pem crt /etc/haproxy/ssl/code.buckleconsulting.com.pem crt /etc/haproxy/ssl/code.0x0049.com.pem crt /etc/haproxy/ssl/support.biteda.com.pem crt /etc/haproxy/ssl/projecten.chessweb.eu.pem
bind 185.22.208.195:80 transparent
bind 185.22.208.195:443 transparent ssl crt /etc/haproxy/ssl/codebase_svn.pem
bind 2a00:67a0:a:3::195:80 transparent
bind 2a00:67a0:a:3::195:443 transparent ssl crt /etc/haproxy/ssl/codebase_svn.pem
mode http
option httplog
# Appends the client address to X-Forwarded-For; any client-supplied values
# stay ahead of it, so backends should trust only the last entry.
option forwardfor
# 'add-header' appends rather than replaces: a client-sent X-Forwarded-Proto
# reaches the backend untouched on the :80 binds and alongside the added one
# on :443. An unconditional 'http-request del-header X-Forwarded-Proto' before
# this line would make the value authoritative.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:test.codebasehq.com
server codebase05 185.22.208.60:80 check
server codebase06 185.22.208.61:80 check
server codebase07 185.22.208.62:80 check
server codebase08 185.22.208.63:80 check
errorfile 500 /etc/haproxy/errors/codebase/500.http
errorfile 502 /etc/haproxy/errors/codebase/502.http
errorfile 503 /etc/haproxy/errors/codebase/503.http
errorfile 504 /etc/haproxy/errors/codebase/504.http
# Customer-specific redirects, manually configured here
redirect prefix https://atechmedia.codebasehq.com code 307 if { hdr(host) -i atech.codebasehq.com }
# Target is plain http://, so HTTPS requests for this host are redirected to
# an unencrypted URL.
redirect prefix http://codebase.thinkingjuice.co.uk code 307 if { hdr(host) -i emerge.codebasehq.com }
# SSH pass-through in TCP mode. The :443 binds here carry SSH, not TLS
# (no 'ssl' keyword), so no certificate is involved.
listen codebase_ssh
bind 185.22.208.194:22 transparent
bind 2a00:67a0:a:3::194:22 transparent
bind 185.22.208.196:443 transparent
bind 2a00:67a0:a:3::196:443 transparent
mode tcp
option tcplog
# Backends expose sshd on 2222; 'check' without httpchk is a plain TCP connect.
server codebase05 185.22.208.60:2222 check
server codebase06 185.22.208.61:2222 check
server codebase07 185.22.208.62:2222 check
server codebase08 185.22.208.63:2222 check
# Sirportly front end. The :209 binds also carry the deploy and codebase
# certificates, so those hostnames terminate here as well.
listen sirportly
bind 185.22.208.199:80 transparent
bind 185.22.208.199:443 transparent ssl crt /etc/haproxy/ssl/sirportly.pem
bind 2a00:67a0:a:3::199:80 transparent
bind 2a00:67a0:a:3::199:443 transparent ssl crt /etc/haproxy/ssl/sirportly.pem
bind 185.22.208.209:80 transparent
bind 185.22.208.209:443 transparent ssl crt /etc/haproxy/ssl/custservhq.pem crt /etc/haproxy/ssl/chaptereight.pem crt /etc/haproxy/ssl/welfordmedia.pem crt /etc/haproxy/ssl/deploy.pem crt /etc/haproxy/ssl/codebase.pem crt /etc/haproxy/ssl/support.thisiszone.com.pem
bind 2a00:67a0:a:3::209:80 transparent
bind 2a00:67a0:a:3::209:443 transparent ssl crt /etc/haproxy/ssl/custservhq.pem crt /etc/haproxy/ssl/chaptereight.pem crt /etc/haproxy/ssl/welfordmedia.pem crt /etc/haproxy/ssl/deploy.pem crt /etc/haproxy/ssl/codebase.pem crt /etc/haproxy/ssl/support.thisiszone.com.pem
mode http
option httplog
# Appends to X-Forwarded-For; backends should trust only the last entry.
option forwardfor
# 'add-header' appends: a client-sent X-Forwarded-Proto is passed through.
# Delete the header unconditionally before this line to make it authoritative.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:test.sirportly.com
server sirportly01 185.22.208.55:80 check
server sirportly02 185.22.208.56:80 check
errorfile 500 /etc/haproxy/errors/sirportly/500.http
errorfile 502 /etc/haproxy/errors/sirportly/502.http
errorfile 503 /etc/haproxy/errors/sirportly/503.http
errorfile 504 /etc/haproxy/errors/sirportly/504.http
# DeployHQ front end.
listen deploy
bind 185.22.208.198:80 transparent
bind 185.22.208.198:443 transparent ssl crt /etc/haproxy/ssl/deploy.pem
bind 2a00:67a0:a:3::198:80 transparent
bind 2a00:67a0:a:3::198:443 transparent ssl crt /etc/haproxy/ssl/deploy.pem
mode http
option httplog
# Appends to X-Forwarded-For; backends should trust only the last entry.
option forwardfor
# 'add-header' appends: a client-sent X-Forwarded-Proto is passed through.
# Delete the header unconditionally before this line to make it authoritative.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:test.deployhq.com
server deploy03 185.22.208.26:80 check
server deploy04 185.22.208.32:80 check
errorfile 500 /etc/haproxy/errors/deploy/500.http
errorfile 502 /etc/haproxy/errors/deploy/502.http
errorfile 503 /etc/haproxy/errors/deploy/503.http
errorfile 504 /etc/haproxy/errors/deploy/504.http
# Customer-specific redirects, manually configured here
redirect prefix https://randwmedia.deployhq.com code 307 if { hdr(host) -i designtodevelop.deployhq.com }
# DeliverHQ front end.
listen deliver
bind 185.22.208.205:80 transparent
bind 185.22.208.205:443 transparent ssl crt /etc/haproxy/ssl/deliver.pem
bind 2a00:67a0:a:3::205:80 transparent
bind 2a00:67a0:a:3::205:443 transparent ssl crt /etc/haproxy/ssl/deliver.pem
mode http
option httplog
# Appends to X-Forwarded-For; backends should trust only the last entry.
option forwardfor
# 'add-header' appends: a client-sent X-Forwarded-Proto is passed through.
# Delete the header unconditionally before this line to make it authoritative.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:test.deliverhq.com
server deliver01 185.22.208.30:80 check
server deliver02 185.22.208.31:80 check
errorfile 500 /etc/haproxy/errors/deliver/500.http
errorfile 502 /etc/haproxy/errors/deliver/502.http
errorfile 503 /etc/haproxy/errors/deliver/503.http
errorfile 504 /etc/haproxy/errors/deliver/504.http
I am using haproxy to proxy SVN connections. The process works as follows:
* The SVN client opens a TCP connection and sends multiple pipelined GET
requests
* HAProxy opens a connection to a backend for each request
* The backends respond with chunked data
* Haproxy sends each reply back to the client in the appropriate order
Unfortunately, in this scenario, I believe I'm running into a bug
whereby the chunked content is being corrupted. To me, it appears that
parts of the content are being repeated and overrunning the end of the chunk.
I'm attaching 2 pcap files, one containing a corrupt stream of requests
and responses, and the other containing the clean request and response
for one of the corrupt files. Both captures were taken simultaneously on
the host running HAProxy. Also attached is my full config.
Please let me know if you have any ideas, or if there is any more
information I can provide.
Charlie
# Process-wide settings. The daemon drops to an unprivileged account and
# chroots itself (chroot/user/group below).
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
# Runtime API socket. With mode 660 and 'level admin', every member of the
# socket's group can change server state at runtime; keep that group small.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 10000
# Kernel TCP splicing is disabled for this instance (reason not recorded here).
nosplice
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL).
# NOTE(review): this list still admits RC4-SHA and static-RSA key exchange
# (kRSA, no forward secrecy). Removing both is worth considering once client
# compatibility has been checked.
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
# Only SSLv3 is refused here; older TLS versions stay allowed by this config
# on every 'ssl' bind that does not override it.
ssl-default-bind-options no-sslv3
# Inherited by every listen section below, including the plain-HTTP stats page.
defaults
log global
balance roundrobin
option dontlognull
# The server-side connection is closed after each response while the client
# side stays keep-alive. NOTE(review): this matches the "one backend connection
# per pipelined request" behaviour described in the report, so it is directly
# relevant to the chunked-response corruption being investigated.
option http-server-close
timeout connect 10s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# One-hour idle timeouts on both sides (presumably for long SVN operations).
# Each idle client connection holds one of the 10000 maxconn slots for that long.
timeout client 3600s
timeout server 3600s
# Statistics / admin page, exposed on two public-facing addresses.
listen stats
# No 'ssl' on these binds: the page and its basic-auth credentials travel in
# clear text over port 8888.
bind 185.22.208.17:8888 transparent
bind 185.22.208.18:8888 transparent
mode http
option httplog
stats enable
# Admin actions (enable/disable servers, etc.) are available to every
# authenticated user; an ACL on source address would narrow this.
stats admin if TRUE
stats uri /
stats hide-version
# Single shared account; credentials redacted in the report.
stats auth xxxxxxxx:xxxxxxxx
# Codebase web and SVN-over-HTTP front end; this is the section the report is about.
listen codebase
bind 185.22.208.194:80 transparent
# Several certificates on one bind: chosen by SNI, the first listed is the
# default for clients that send none.
bind 185.22.208.194:443 transparent ssl crt /etc/haproxy/ssl/codebase.pem crt /etc/haproxy/ssl/code.buckleconsulting.com.pem crt /etc/haproxy/ssl/code.0x0049.com.pem crt /etc/haproxy/ssl/support.biteda.com.pem crt /etc/haproxy/ssl/projecten.chessweb.eu.pem
bind 2a00:67a0:a:3::194:80 transparent
bind 2a00:67a0:a:3::194:443 transparent ssl crt /etc/haproxy/ssl/codebase.pem crt /etc/haproxy/ssl/code.buckleconsulting.com.pem crt /etc/haproxy/ssl/code.0x0049.com.pem crt /etc/haproxy/ssl/support.biteda.com.pem crt /etc/haproxy/ssl/projecten.chessweb.eu.pem
bind 185.22.208.195:80 transparent
bind 185.22.208.195:443 transparent ssl crt /etc/haproxy/ssl/codebase_svn.pem
bind 2a00:67a0:a:3::195:80 transparent
bind 2a00:67a0:a:3::195:443 transparent ssl crt /etc/haproxy/ssl/codebase_svn.pem
mode http
option httplog
# Appends the client address to X-Forwarded-For; any client-supplied values
# stay ahead of it, so backends should trust only the last entry.
option forwardfor
# 'add-header' appends rather than replaces: a client-sent X-Forwarded-Proto
# reaches the backend untouched on the :80 binds and alongside the added one
# on :443. An unconditional 'http-request del-header X-Forwarded-Proto' before
# this line would make the value authoritative.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:test.codebasehq.com
server codebase05 185.22.208.60:80 check
server codebase06 185.22.208.61:80 check
server codebase07 185.22.208.62:80 check
server codebase08 185.22.208.63:80 check
errorfile 500 /etc/haproxy/errors/codebase/500.http
errorfile 502 /etc/haproxy/errors/codebase/502.http
errorfile 503 /etc/haproxy/errors/codebase/503.http
errorfile 504 /etc/haproxy/errors/codebase/504.http
# Customer-specific redirects, manually configured here
redirect prefix https://atechmedia.codebasehq.com code 307 if { hdr(host) -i atech.codebasehq.com }
# Target is plain http://, so HTTPS requests for this host are redirected to
# an unencrypted URL.
redirect prefix http://codebase.thinkingjuice.co.uk code 307 if { hdr(host) -i emerge.codebasehq.com }
# SSH pass-through in TCP mode. The :443 binds here carry SSH, not TLS
# (no 'ssl' keyword), so no certificate is involved.
listen codebase_ssh
bind 185.22.208.194:22 transparent
bind 2a00:67a0:a:3::194:22 transparent
bind 185.22.208.196:443 transparent
bind 2a00:67a0:a:3::196:443 transparent
mode tcp
option tcplog
# Backends expose sshd on 2222; 'check' without httpchk is a plain TCP connect.
server codebase05 185.22.208.60:2222 check
server codebase06 185.22.208.61:2222 check
server codebase07 185.22.208.62:2222 check
server codebase08 185.22.208.63:2222 check
# Sirportly front end. The :209 binds also carry the deploy and codebase
# certificates, so those hostnames terminate here as well.
listen sirportly
bind 185.22.208.199:80 transparent
bind 185.22.208.199:443 transparent ssl crt /etc/haproxy/ssl/sirportly.pem
bind 2a00:67a0:a:3::199:80 transparent
bind 2a00:67a0:a:3::199:443 transparent ssl crt /etc/haproxy/ssl/sirportly.pem
bind 185.22.208.209:80 transparent
bind 185.22.208.209:443 transparent ssl crt /etc/haproxy/ssl/custservhq.pem crt /etc/haproxy/ssl/chaptereight.pem crt /etc/haproxy/ssl/welfordmedia.pem crt /etc/haproxy/ssl/deploy.pem crt /etc/haproxy/ssl/codebase.pem crt /etc/haproxy/ssl/support.thisiszone.com.pem
bind 2a00:67a0:a:3::209:80 transparent
bind 2a00:67a0:a:3::209:443 transparent ssl crt /etc/haproxy/ssl/custservhq.pem crt /etc/haproxy/ssl/chaptereight.pem crt /etc/haproxy/ssl/welfordmedia.pem crt /etc/haproxy/ssl/deploy.pem crt /etc/haproxy/ssl/codebase.pem crt /etc/haproxy/ssl/support.thisiszone.com.pem
mode http
option httplog
# Appends to X-Forwarded-For; backends should trust only the last entry.
option forwardfor
# 'add-header' appends: a client-sent X-Forwarded-Proto is passed through.
# Delete the header unconditionally before this line to make it authoritative.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:test.sirportly.com
server sirportly01 185.22.208.55:80 check
server sirportly02 185.22.208.56:80 check
errorfile 500 /etc/haproxy/errors/sirportly/500.http
errorfile 502 /etc/haproxy/errors/sirportly/502.http
errorfile 503 /etc/haproxy/errors/sirportly/503.http
errorfile 504 /etc/haproxy/errors/sirportly/504.http
# DeployHQ front end.
listen deploy
bind 185.22.208.198:80 transparent
bind 185.22.208.198:443 transparent ssl crt /etc/haproxy/ssl/deploy.pem
bind 2a00:67a0:a:3::198:80 transparent
bind 2a00:67a0:a:3::198:443 transparent ssl crt /etc/haproxy/ssl/deploy.pem
mode http
option httplog
# Appends to X-Forwarded-For; backends should trust only the last entry.
option forwardfor
# 'add-header' appends: a client-sent X-Forwarded-Proto is passed through.
# Delete the header unconditionally before this line to make it authoritative.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:test.deployhq.com
server deploy03 185.22.208.26:80 check
server deploy04 185.22.208.32:80 check
errorfile 500 /etc/haproxy/errors/deploy/500.http
errorfile 502 /etc/haproxy/errors/deploy/502.http
errorfile 503 /etc/haproxy/errors/deploy/503.http
errorfile 504 /etc/haproxy/errors/deploy/504.http
# Customer-specific redirects, manually configured here
redirect prefix https://randwmedia.deployhq.com code 307 if { hdr(host) -i designtodevelop.deployhq.com }
# DeliverHQ front end.
listen deliver
bind 185.22.208.205:80 transparent
bind 185.22.208.205:443 transparent ssl crt /etc/haproxy/ssl/deliver.pem
bind 2a00:67a0:a:3::205:80 transparent
bind 2a00:67a0:a:3::205:443 transparent ssl crt /etc/haproxy/ssl/deliver.pem
mode http
option httplog
# Appends to X-Forwarded-For; backends should trust only the last entry.
option forwardfor
# 'add-header' appends: a client-sent X-Forwarded-Proto is passed through.
# Delete the header unconditionally before this line to make it authoritative.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:test.deliverhq.com
server deliver01 185.22.208.30:80 check
server deliver02 185.22.208.31:80 check
errorfile 500 /etc/haproxy/errors/deliver/500.http
errorfile 502 /etc/haproxy/errors/deliver/502.http
errorfile 503 /etc/haproxy/errors/deliver/503.http
errorfile 504 /etc/haproxy/errors/deliver/504.http