服务器 Gind.cn
  1. 服务器 Gind.cn
  3. haproxy 1.5特定源IP地址在haproxy日志中显示<NOSRV> 503 SC
Intereting Posts
Ubuntu服务器挂在系统日志和其他文件中的ascii NUL字符(^ @ ^ @ ^ @ …) PostgreSQL备份WAL ShellScript Windows 2008 R2 AD服务器无风扇闪存系统 如何设置/克服Synology DS214与DSM 5的samba / cifs 2.1中的文件大小限制/“file too large”错误 Strongswan运行两个charon进程 等待3天后,无法访问服务器上的IP地址 在什么情况下,Apache允许不匹配的HTTP_HOST通过? 简单的摄像头服务器 取消选中“密码永不过期”时密码何时到期 Windows Server 2003 Active-Directory迁移 Mailscanner:如何阻止HTML附件只 GPO最佳实践:安全组筛选与OU Nginx允许特定文件夹中的跨源请求 (应该是)相同文件的文件下载不一致 如何以编程方式将EC2 EBS AMI迁移到其他地区?

haproxy 1.5特定源IP地址在haproxy日志中显示<NOSRV> 503 SC

我有一个不寻常的问题(正如每个人在这个网站上做的那样)。 我有端口80和443上的HAProxy监听。我将SSLencryption卸载到HAproxy并将所有stream量传递到端口80上的Web服务器。在我的HAProxy服务器前面有一个防火墙,NAT规则指向我的内部监听IP地址HAProxy的。 我们正在通过端口443上的SSL获得一个不寻常的503消息,用于通过SSL的随机IP源地址。其他随机IP地址在SSL上正常工作。 我们的服务是一个API,大部分stream量都会通过,但是很小的比例会达到503。

这是一个HAProxy日志条目可以正常工作,而且不起作用: 

localhost haproxy[5404]: XXX.XXX.XXX.XXX:54787 [15/Jun/2016:22:46:57.592] https_in_ssl~ http_www2/web1 32/0/0/232/264 200 747 - - ---- 5/4/0/1/0 0/0 "POST /webservices/ourService.asmx HTTP/1.1"

不工作: 

 localhost haproxy[5404]: XXX.XXX.XXX.XXX:55494 [15/Jun/2016:22:46:39.514] https_in_ssl~ https_in_ssl/<NOSRV> -1/-1/-1/-1/227 503 212 - - SC-- 3/2/0/0/0 0/0 "POST /webservices/ourService.asmx HTTP/1.0"

我注意到的一件事是在不工作的日志条目中,前端和后端是相同的。

这是我的configuration文件: 

 peers prodHAproxypeers peer haproxylb1 10.0.0.145:1024 peer haproxylb2 10.0.0.146:1024 global log 127.0.0.1 local0 # log /dev/log local0 # log /dev/log local1 notice chroot /var/lib/haproxy stats socket /var/lib/haproxy/stats stats timeout 30s tune.ssl.default-dh-param 2048 user haproxy group haproxy daemon defaults log global mode http option httplog option dontlognull option redispatch option forwardfor option http-server-close maxconn 5000 timeout connect 5s timeout client 5h timeout server 5h timeout queue 30s timeout http-request 5s timeout http-keep-alive 15s listen stats *:1936 mode http stats enable stats hide-version stats realm Haproxy\ Statistics stats uri /haproxy_stats stats auth admin:hardPassword stats admin if TRUE frontend http_in bind *:80 ###Add new acl and use_backend entry for each new site ###new backend sections will be needed as well acl is_www1 hdr(host) -i www1.domainname.com acl is_www2 hdr(host) -i www2.domainname.com acl is_www3 hdr(host) -i www3.domainname.com acl is_www4 hdr(host) -i www4.domainname.com acl is_wildcardwww hdr_end(host) -i domainname.com use_backend http_www1 if is_www1 use_backend http_www2 if is_www2 use_backend http_www3 if is_www3 use_backend http_www4 if is_www4 use_backend http_www5 if is_www5 option forwardfor option http-server-close frontend https_in_ssl mode http bind *:443 ssl crt /etc/ssl/private/ no-sslv3 reqadd X-Forwarded-Proto:\ https use_backend http_www1 if { ssl_fc_sni www1.domainname.com } use_backend http_www2 if { ssl_fc_sni www2.domainname.com } acl is_ssl_www5 hdr_end(host) -i domainname.com use_backend http_www5 if is_ssl_www5 backend http_www1 balance source cookie SRV_ID prefix stick-table type ip size 1m expire 6h peers prodHAproxypeers stick on src ###This site does not use host header - only the page name is needed### # option httpchk HEAD /Default.aspx ###Added host header so haproxy can route around NLB - use below for checking### option httpchk HEAD /Default.aspx HTTP/1.1\r\nHost:\ www1.domainname.com server p-websvr01 10.0.0.10:80 cookie pweb1 weight 45 check server p-websvr02 10.0.0.11:80 cookie pweb2 weight 45 check server p-websvr03 10.0.0.115:80 cookie pweb3 weight 5 check server p-websvr04 10.0.0.118:80 cookie pweb4 weight 5 check backend http_www2 balance roundrobin stick-table type ip size 1m expire 6h peers prodHAproxypeers stick on src ###This site uses host headers so this type of check is required### option httpchk HEAD /default.htm HTTP/1.1\r\nHost:\ www2.domainname.com server p-websvr01 10.0.0.10:80 cookie pweb1 weight 45 check server p-websvr02 10.0.0.11:80 cookie pweb2 weight 45 check server p-websvr03 10.0.0.113:80 cookie pweb3 weight 5 check server p-websvr04 10.0.0.116:80 cookie pweb4 weight 5 check backend http_www3 balance roundrobin cookie SRV_ID prefix stick-table type ip size 1m expire 6h peers prodHAproxypeers stick on src ###This site does not use host header - only the page name is needed### option httpchk HEAD /login.aspx HTTP/1.1\r\nHost:\ www3.domainname.com server p-websvr01 10.0.0.10:80 cookie pweb1 weight 45 check server p-websvr02 10.0.0.11:80 cookie pweb2 weight 45 check server p-websvr03 10.0.0.113:80 cookie pweb3 weight 5 check server p-websvr04 10.0.0.116:80 cookie pweb4 weight 5 check backend http_www4 balance roundrobin cookie SRV_ID prefix stick-table type ip size 1m expire 6h peers prodHAproxypeers stick on src ###This site uses host header so this type of check is required### option httpchk HEAD /default.aspx HTTP/1.1\r\nHost:\ www4.domainname.com server p-websvr01 10.0.0.10:80 cookie pweb1 weight 45 check server p-websvr02 10.0.0.11:80 cookie pweb2 weight 45 check server p-websvr03 10.0.0.113:80 cookie pweb3 weight 5 check server p-websvr04 10.0.0.116:80 cookie pweb4 weight 5 check backend http_www5 balance roundrobin cookie SRV_ID prefix stick-table type ip size 1m expire 6h peers prodHAproxypeers stick on src ###This site uses host header so this type of check is required### option httpchk HEAD /default.aspx HTTP/1.1\r\nHost:\ www5.domainname.com server p-websvr01 10.0.0.10:80 cookie pweb1 weight 45 check server p-websvr02 10.0.0.11:80 cookie pweb2 weight 45 check server p-websvr03 10.0.0.115:80 cookie pweb3 weight 5 check server p-websvr04 10.0.0.117:80 cookie pweb4 weight 5 check

在日志条目中查看SC--

这是后端服务器的问题,或者是HAProxy和后端之间的networking问题,而不是前端,与连接客户端的IP地址无关。

从文档中的“断开连接的会话状态”

SC [后端]服务器或其与haproxy之间的设备明确拒绝TCP连接(代理接收到TCP RST或ICMP消息)。 在某些情况下,它也可以是networking堆栈,告诉代理服务器不可达(例如:没有路由,或本地networking上没有ARP响应)。 在HTTP模式下发生这种情况时,状态码可能是502或503。

http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#8.5