Re: haproxy work on my local lan but not from the internet

From: Willy Tarreau <>
Date: Thu, 13 Mar 2008 06:18:52 +0100

On Wed, Mar 12, 2008 at 11:59:47PM -0400, Guillaume Bourque wrote:
> Hi Willy,
> I found it ;-)


> There was a routing problem on my Firewall / NAT box. So the answer (tcp
> ack) from the dispatcher never went back to the client on the internet.

yes, that's what appears in your trace :-)

> Now I will try to test the HA setup so that if I lose the MASTER dispatcher
> I don't lose my open connections.

Clearly speaking, if you need this, you're using the wrong tool. It is simple, haproxy uses the OS (linux here) to manage the sockets, and the OS does not support socket migration to another system. Even if it would, haproxy would not be able to do this anyway because the internal states and buffers would have to be synchronized for every single packet.

For such a usage, you need a "dumb" load balancer (which works at packet level, which probably does not need to see an ACK at all to establish a session, and which would not maintain buffers). LVS would be fine for this I think.

However, check your client. I think that even if you close the TCP session between it and the server, it is able to re-establish a new one without losing the user's session on the server. Most tools designed to work over the internet work like this today (browsers, ssl vpns, ...). To try this, simply restart haproxy while you have an open connection, and see if your client loses its session or if it's able to reconnect.

Willy

Received on 2008/03/13 06:18
