Hi!
I've set up haproxy to load balance two (later more) RDP servers (MS
Terminal Services) without any connection broker (later I want to add
a second haproxy to make sure all parts keep working even if one part
fails).
So:
2x backend terminal servers running on port 3389
1x haproxy configured for load balancing, listening on port 3389
some clients to connect to haproxy on port 3389
Config is (based on
https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html):
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ssl-server-verify none

peers nxmux
    peer nxmux01 *:3388

frontend ft_rdp
    mode tcp
    bind *:3389 name rdp
    timeout client 1h
    log global
    option tcplog
    tcp-request inspect-delay 2s
    tcp-request content accept if RDP_COOKIE
    default_backend bk_rdp

backend bk_rdp
    mode tcp
    balance leastconn
    timeout server 1h
    timeout connect 4s
    log global
    option tcplog
    stick-table type string len 32 size 10k expire 8h peers nxmux
    stick on rdp_cookie(mstshash)
    option tcp-check
    tcp-check connect port 3389 ssl
    default-server inter 3s rise 2 fall 3
    #server nxnode01 10.169.16.105:3389 weight 10 check
    #server nxnode02 10.169.16.106:3389 weight 10 check
    server nxnode03 10.169.16.107:3389 weight 10 check
    server nxnode04 10.169.16.108:3389 weight 10 check
I can connect to both clients directly from all clients.
If I try to connect to haproxy it fails.
Any idea what I missed?
# haproxy -vv
HA-Proxy version 1.7.9 2017/08/18
Copyright 2000-2017 Willy Tarreau <willy@haproxy.org>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built without PCRE support (using libc's regex instead)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[COMP] compression
[TRACE] trace
[SPOE] spoe
--
Thomas
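
For reference, the `RDP_COOKIE` ACL and `rdp_cookie(mstshash)` in the configuration above read the optional `Cookie: mstshash=...` line in the client's first packet (the X.224 Connection Request), and `inspect-delay` is the time HAProxy waits for that packet to arrive. The sketch below is an added example, not part of the original post and not HAProxy's code; the function names and the sample packets are constructed for illustration.

```python
import struct

def build_sample_cr(user=None, protocols=0x03):
    """Constructed sample of a client's first packet (TPKT + X.224 CR)."""
    cookie = b"" if user is None else (
        b"Cookie: mstshash=" + user.encode("ascii") + b"\r\n")
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)  # RDP_NEG_REQ
    # X.224 fixed part: CR code, DST-REF, SRC-REF, class option
    body = b"\xe0\x00\x00\x00\x00\x00" + cookie + neg_req
    li = len(body)  # length indicator does not count its own byte
    return struct.pack(">BBH", 3, 0, 4 + 1 + li) + bytes([li]) + body

def inspect_rdp_cookie(buf, name="mstshash"):
    """Return (status, value); status is ok, no_cookie, incomplete or not_rdp."""
    if len(buf) < 4:
        return ("incomplete", None)          # keep waiting (inspect-delay)
    version, _, total = struct.unpack(">BBH", buf[:4])
    if version != 3 or total < 11:
        return ("not_rdp", None)             # e.g. a raw TLS ClientHello (0x16)
    if len(buf) < total:
        return ("incomplete", None)
    li, code = buf[4], buf[5]
    if code & 0xF0 != 0xE0 or li + 5 != total:
        return ("not_rdp", None)             # not a Connection Request TPDU
    payload = buf[11:total]                  # cookie starts after 11 header bytes
    prefix = b"Cookie: " + name.encode("ascii") + b"="
    if not payload.startswith(prefix):
        return ("no_cookie", None)           # client sent no mstshash cookie
    end = payload.find(b"\r\n", len(prefix))
    if end < 0:
        return ("not_rdp", None)             # cookie line not CR+LF terminated
    return ("ok", payload[len(prefix):end].decode("ascii", "replace"))

if __name__ == "__main__":
    pkt = build_sample_cr("thomas")
    for label, data in [("full packet", pkt),
                        ("first 10 bytes", pkt[:10]),
                        ("no cookie", build_sample_cr(None)),
                        ("TLS first", b"\x16\x03\x01\x00\x05hello")]:
        print(label, inspect_rdp_cookie(data))
```

A connection whose first packet yields `no_cookie` or `not_rdp` never matches `RDP_COOKIE` and gives `stick on rdp_cookie(mstshash)` no key to store.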