HAProxy - dropping connections
-
My first foray into HAProxy, and I've been bashing my head against a wall trying to sort this one out.
I've got a pfSense 2.4.2-p1 install w/ HAProxy going to 2 different internal servers. Both servers load just fine, and you can navigate and browse.
However, if you do anything that takes time on either one, the connections are interrupted and dropped. One is an internal project management app on an IIS server, the other is a file hosting server running Rumpus. Timeout shouldn't be an issue as I've set both to 20 minutes. Doesn't appear to be load related as CPU load is minimal (80% free).
Downloading a file through the file manager, it starts at full speed then after a few MB it drops steadily in speed until the browser eventually reports a connection error.
Any help would be appreciated.
Config:
# Automaticaly generated, dont edit manually.
# Generated on: 2018-03-23 16:59
global
    maxconn 1000
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 1024
    server-state-file /tmp/haproxy_server_state
    lua-load /var/etc/haproxy/luascript_acme-http01-webroot.lua

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend ACME_Validation
    bind WAN1:80 name WAN1:80
    bind WAN2:80 name WAN2:80
    bind LAN:80 name LAN:80
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl url_acme_http01 path_beg -i /.well-known/acme-challenge/
    acl url_redirect_https path_sub -i /.well-known/acme-challenge/
    http-request use-service lua.acme-http01 if METH_GET url_acme_http01
    http-request redirect scheme https code 301 if !url_redirect_https

frontend SharedFrontEnd-merged
    bind WAN1:443 name WAN1:443 ssl crt /var/etc/haproxy/SharedFrontEnd.pem
    bind WAN2:443 name WAN2:443 ssl crt /var/etc/haproxy/SharedFrontEnd.pem
    bind LAN:443 name LAN:443 ssl crt /var/etc/haproxy/SharedFrontEnd.pem
    mode http
    log global
    option http-keep-alive
    timeout client 120000000
    acl WEB_APP hdr_beg(host) -i WEB_APP
    acl Rumpus hdr_beg(host) -i ftpserver
    use_backend WEB_APP_http_ipvANY if WEB_APP
    use_backend Rumpus_http_ipvANY if Rumpus

backend WEB_APP_http_ipvANY
    mode http
    log global
    timeout connect 120000
    timeout server 120000
    retries 3
    option httpchk OPTIONS /
    server WEB_APP WEB_APP_LAN:80 check inter 1000

backend Rumpus_http_ipvANY
    mode http
    log global
    cookie nocache
    timeout connect 12000000
    timeout server 12000000
    retries 3
    option httpchk GET /
    server FTPServer FTP_LAN:80 check inter 1000
-
Your server timeout is 2 minutes for the webapp, and a connect timeout shouldn't really be above 10 seconds. If it takes 10 seconds to get a working TCP connection, there are some serious network issues, even when accessing a server over the internet.
As for dropping established connections, there could be different factors causing that. Configuring the syslog on the HAProxy settings tab (perhaps to the local syslog unix socket) and enabling 'detailed logs' on the frontend should help tell if the client or server breaks the connection, or perhaps a timeout is hit.
In case of doubt, also capture the packets on both the WAN and LAN side of HAProxy to check with Wireshark on which side traffic gets interrupted.
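An added example, not part of either post: one way to read the detailed logs suggested above. In HAProxy's HTTP log format (option httplog, assumed here) each line carries a four-character termination state whose first two flags say what ended the session and in which phase. The log lines are constructed samples that reuse the frontend and backend names from the config; `classify` and `dropped` are hypothetical helper names.

```python
import re

# First flag: what ended the session. Second flag: what HAProxy was doing then.
CAUSE = {"C": "client aborted", "S": "server aborted", "P": "proxy aborted",
         "L": "handled locally", "R": "proxy resource exhausted",
         "I": "internal error", "D": "server marked down",
         "U": "backup session killed, active server back up",
         "K": "killed by admin", "c": "client-side timeout (timeout client)",
         "s": "server-side timeout (timeout server)", "-": "normal completion"}
PHASE = {"R": "waiting for request", "Q": "queued", "C": "connecting to server",
         "H": "waiting for response headers", "D": "transferring data",
         "L": "sending last data to client", "T": "tarpitted", "-": "finished"}

# client [date] frontend backend/server timers status bytes cookie cookie STATE ...
LINE = re.compile(
    r"(?P<client>\S+) \[[^\]]+\] (?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<timers>[-+\d/]+) (?P<status>-?\d+) (?P<bytes>\+?\d+) \S+ \S+ "
    r"(?P<term>[A-Za-z-]{4}) ")

# Constructed sample lines (not taken from the poster's system).
PFX = "Mar 23 17:05:12 pfsense haproxy[4321]: 203.0.113.10:51544 [23/Mar/2018:17:05:02.101] SharedFrontEnd-merged~ "
SAMPLE = [
    PFX + 'WEB_APP_http_ipvANY/WEB_APP 0/0/1/12/13 200 5120 - - ---- 2/2/1/1/0 0/0 "GET / HTTP/1.1"',
    PFX + 'Rumpus_http_ipvANY/FTPServer 0/0/1/12/95003 200 8388608 - - sD-- 2/2/1/1/0 0/0 "GET /files/big.iso HTTP/1.1"',
    PFX + 'WEB_APP_http_ipvANY/WEB_APP 0/0/1/40/2210 200 40960 - - CD-- 2/2/1/1/0 0/0 "GET /report HTTP/1.1"',
    PFX + 'Rumpus_http_ipvANY/FTPServer 0/0/1/12/61000 200 1048576 - - cD-- 2/2/1/1/0 0/0 "GET /files/a.zip HTTP/1.1"',
]

def classify(line):
    """Return backend, bytes sent and decoded termination state, or None."""
    m = LINE.search(line)
    if not m:
        return None
    term = m["term"]
    return {"backend": m["backend"], "bytes": int(m["bytes"]), "term": term,
            "cause": CAUSE.get(term[0], "unknown"),
            "phase": PHASE.get(term[1], "unknown")}

def dropped(lines):
    """Keep only sessions that did not end normally."""
    hits = [classify(l) for l in lines]
    return [h for h in hits if h and h["term"][:2] != "--"]

if __name__ == "__main__":
    for h in dropped(SAMPLE):
        print(f'{h["backend"]}: {h["term"]} = {h["cause"]} while {h["phase"]}, {h["bytes"]} bytes sent')
```

A lowercase `c` or `s` in the first position points at a HAProxy timeout setting, while uppercase `C` or `S` means the peer itself closed the connection, which is where the packet captures on both sides come in.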