HAProxy - dropping connections



  • My first foray into HAProxy, and I've been bashing my head against a wall trying to sort this one out.

    I've got a pfSense 2.4.2-p1 install w/ HAProxy going to 2 different internal servers. Both servers load just fine, and you can navigate and browse.

    However, if you do anything that takes time on either one, the connections are interrupted and dropped. One is an internal project management app on an IIS server, the other is a file hosting server running Rumpus. Timeout shouldn't be an issue as I've set both to 20 minutes. Doesn't appear to be load related as CPU load is minimal (80% free).

    Downloading a file through the file manager, it starts at full speed then after a few MB it drops steadily in speed until the browser eventually reports a connection error.

    Any help would be appreciated.

    Config:

    # Automaticaly generated, dont edit manually.
    # Generated on: 2018-03-23 16:59

    global
        maxconn 1000
        stats socket /tmp/haproxy.socket level admin
        uid 80
        gid 80
        nbproc 1
        chroot /tmp/haproxy_chroot
        daemon
        tune.ssl.default-dh-param 1024
        server-state-file /tmp/haproxy_server_state
        lua-load /var/etc/haproxy/luascript_acme-http01-webroot.lua

    listen HAProxyLocalStats
        bind 127.0.0.1:2200 name localstats
        mode http
        stats enable
        stats admin if TRUE
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

    frontend ACME_Validation
        bind WAN1:80 name WAN1:80
        bind WAN2:80 name WAN2:80
        bind LAN:80 name LAN:80
        mode http
        log global
        option http-keep-alive
        timeout client 30000
        acl url_acme_http01 path_beg -i /.well-known/acme-challenge/
        acl url_redirect_https path_sub -i /.well-known/acme-challenge/
        http-request use-service lua.acme-http01  if  METH_GET url_acme_http01
        http-request redirect scheme https code 301  if  !url_redirect_https

    frontend SharedFrontEnd-merged
        bind WAN1:443 name WAN1:443 ssl  crt /var/etc/haproxy/SharedFrontEnd.pem
        bind WAN2:443 name WAN2:443 ssl  crt /var/etc/haproxy/SharedFrontEnd.pem
        bind LAN:443 name LAN:443 ssl  crt /var/etc/haproxy/SharedFrontEnd.pem
        mode http
        log global
        option http-keep-alive
        timeout client 120000000
        acl WEB_APP hdr_beg(host) -i WEB_APP
        acl Rumpus hdr_beg(host) -i ftpserver
        use_backend WEB_APP_http_ipvANY  if  WEB_APP
        use_backend Rumpus_http_ipvANY  if  Rumpus

    backend WEB_APP_http_ipvANY
        mode http
        log global
        timeout connect 120000
        timeout server 120000
        retries 3
        option httpchk OPTIONS /
        server WEB_APP WEB_APP_LAN:80 check inter 1000

    backend Rumpus_http_ipvANY
        mode http
        log global
        cookie  nocache
        timeout connect 12000000
        timeout server 12000000
        retries 3
        option httpchk GET /
        server FTPServer FTP_LAN:80 check inter 1000



  • Your server timeout is 2 minutes for the webapp, and a connect timeout shouldn't really be above 10 seconds; if it takes 10 seconds to get a working TCP connection there are some serious network issues, even when accessing a server over the internet.
    As for dropping established connections, there could be different factors causing that. Configuring the syslog on the HAProxy settings tab (perhaps to the local syslog unix socket) and enabling 'detailed logs' on the frontend should help tell if the client or server breaks the connection or a timeout is hit, perhaps.
    In case of doubt, also capture the packets on both the WAN and LAN side of HAProxy to check with Wireshark on which side the traffic gets interrupted.
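The reply's two points (a connect timeout over 10 seconds is a smell, and bare HAProxy timeout values are milliseconds, so 120000000 is about 33 hours rather than 20 minutes) are easy to check mechanically. The script below is an added example written for this thread, not code from pfSense or HAProxy: it parses the timeout and use_backend directives out of a config paste, normalises every value to seconds with HAProxy's unit rules, and reports connect timeouts above 10 s plus frontend/backend client-vs-server mismatches. ORIGINAL_CFG copies the timeout values from the poster's config; REVISED_CFG is a constructed variant applying the reply's advice, with `option httplog` assumed to be what the pfSense 'detailed logs' checkbox emits and `/dev/log` an assumed syslog socket path. Inheritance from a `defaults` section is not modelled.

```python
import re

# Microseconds per HAProxy time unit; a bare number means milliseconds.
UNIT_US = {"us": 1, "ms": 1_000, "s": 1_000_000, "m": 60_000_000,
           "h": 3_600_000_000, "d": 86_400_000_000}

MAX_CONNECT_SECONDS = 10  # rule of thumb from the reply above


def parse_timeout(value):
    """Convert an HAProxy time value ('5000', '12000000', '20m', '5s') to seconds."""
    m = re.fullmatch(r"(\d+)(us|ms|s|m|h|d)?", value.strip())
    if not m:
        raise ValueError(f"not a valid HAProxy time value: {value!r}")
    number, unit = m.groups()
    return int(number) * UNIT_US[unit or "ms"] / 1_000_000


def parse_sections(cfg_text):
    """Map section name -> {'kind', 'timeouts': {name: seconds}, 'backends': [...]}."""
    sections, current = {}, None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        words = line.split()
        if words[0] in ("global", "defaults", "frontend", "backend", "listen"):
            name = words[1] if len(words) > 1 else words[0]
            current = sections[name] = {"kind": words[0], "timeouts": {}, "backends": []}
        elif current is None:
            continue
        elif words[0] == "timeout" and len(words) >= 3:
            current["timeouts"][words[1]] = parse_timeout(words[2])
        elif words[0] in ("use_backend", "default_backend") and len(words) >= 2:
            current["backends"].append(words[1])
    return sections


def check_timeouts(cfg_text):
    """Return human-readable findings: long connect timeouts and client/server mismatches."""
    findings, sections = [], parse_sections(cfg_text)
    for name, sec in sections.items():
        connect = sec["timeouts"].get("connect")
        if connect is not None and connect > MAX_CONNECT_SECONDS:
            findings.append(f"{sec['kind']} {name}: timeout connect is {connect:g} s "
                            f"(> {MAX_CONNECT_SECONDS} s)")
        if sec["kind"] in ("frontend", "listen"):
            client = sec["timeouts"].get("client")
            for be_name in sec["backends"]:
                be = sections.get(be_name)
                if be is None:
                    findings.append(f"frontend {name}: unknown backend {be_name}")
                    continue
                server = be["timeouts"].get("server")
                # Whichever side stalls is cut by its own timeout, so differing
                # values make the log's "which side timed out" answer harder to read.
                if client is not None and server is not None and client != server:
                    findings.append(f"frontend {name} -> backend {be_name}: timeout client "
                                    f"{client:g} s != timeout server {server:g} s")
    return findings


# Timeout values copied from the config pasted in the question (other directives trimmed).
ORIGINAL_CFG = """
frontend SharedFrontEnd-merged
    timeout client 120000000
    use_backend WEB_APP_http_ipvANY  if  WEB_APP
    use_backend Rumpus_http_ipvANY  if  Rumpus
backend WEB_APP_http_ipvANY
    timeout connect 120000
    timeout server 120000
backend Rumpus_http_ipvANY
    timeout connect 12000000
    timeout server 12000000
"""

# Constructed variant applying the reply: short connect, explicit 20 m units, logging on.
REVISED_CFG = """
global
    log /dev/log local0          # assumed syslog socket path; adjust for the host
frontend SharedFrontEnd-merged
    option httplog               # assumed equivalent of pfSense 'detailed logs'
    timeout client 20m
    use_backend WEB_APP_http_ipvANY  if  WEB_APP
    use_backend Rumpus_http_ipvANY  if  Rumpus
backend WEB_APP_http_ipvANY
    timeout connect 5s
    timeout server 20m
backend Rumpus_http_ipvANY
    timeout connect 5s
    timeout server 20m
"""

if __name__ == "__main__":
    for label, cfg in (("thread config", ORIGINAL_CFG), ("revised config", REVISED_CFG)):
        findings = check_timeouts(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run as-is it reports four findings for the thread's values (both connect timeouts far above 10 s, and the frontend's 120000 s client timeout disagreeing with each backend's server timeout) and none for the revised variant. Point it at a full pfSense-generated haproxy.cfg to get the same summary before touching the GUI.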