Re: problems with session timeout

From: Willy Tarreau <w#1wt.eu>
Date: Mon, 21 Dec 2009 21:58:27 +0100


Hi,

On Mon, Dec 21, 2009 at 06:41:56PM +0100, Carlo Granisso wrote:
> Hello, I have this configuration for my proxy:
>
> defaults
> log global
> option httplog
> option logasap
> option tcplog
> retries 2
> redispatch
> maxconn 2000
> option abortonclose
> contimeout 1800000
> clitimeout 1800000
> srvtimeout 1800000

Huh, those timeouts are extreme (30 minutes) !

> listen MY_BALANCER PUBLIC_IP_ADDRESS:80,PUBLIC_IP_ADDRESS:443
> option persist

it's not certain you really want "option persist". It ensures that one client with a cookie will always go to a server it has a cookie for, even if the server is down.

> option redispatch
> option httpclose

this option will be ignored, you're not in HTTP mode.  

> option httpchk GET ROOT/drain.html
> http-check disable-on-404
> balance source
> #option ssl-hello-chk
> option forwardfor

this option will be ignored, you're not in HTTP mode.  

> #source 192.168.0.230 usesrc clientip
> cookie SERVERID insert

this option will be ignored, you're not in HTTP mode. Anyway, you don't have any cookie set on your servers.  

> appsession SERVERID len 52 timeout 30m

this option will be ignored, you're not in HTTP mode, so there is nothing to learn in response.  

> server SERVER1 192.168.0.150 check port 80 inter 1000 rise 1 fall 2 maxconn 1000
> server SERVER2 192.168.0.151 check port 80 inter 1000 rise 1 fall 2 maxconn 1000
>
> For the configuration, sessions timeout must be 30 minutes. Right?

I'm not sure about what you call a "session" here. You have set your TCP session timeouts to 30 minutes, which means that they will remain connected for 30 minutes after anybody talks on them. While this can make sense on some protocols such as RDP where sessions last long, on HTTP it does not make any sense. You should configure them to last for the maximum duration of a response from your servers (eg: 20-30 seconds max).

Also, your connection timeout is at 30 minutes too. So basically there is no timeout, because no one will wait for 30 minutes for a connection to establish to a server. Good values are around 5 seconds in general, as this covers a TCP retransmit.

> So, if I put in "maintenance mode" SERVER2, sessions on this servers expires
> within seconds and haproxy redirect users to SERVER1.

I better think that those sessions normally complete and new sessions go to the other server. That's the point of the maintenance mode, to stop accepting new users and only keep the ones associated to the server. However, since you're not in HTTP mode, you don't have any stickiness, you're in pure TCP, so once a session terminates, its owner will connect to the other server.

You'd better use two distinct sections, one in TCP mode for port 443 and the other one in HTTP mode for port 80. But be careful, HTTPS will not be analysed and no cookie will be matched there, so the stickiness and the maintenance mode will still not work for HTTPS.

Hoping this helps,
Willy

Received on 2009/12/21 21:58
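
The layout suggested in the reply, written out as an added example (not part of the original thread): one HTTP-mode section for port 80 and one TCP-mode section for port 443, using the timeout values the reply recommends. The section names, the per-server cookie values `s1`/`s2` and the explicit `:80`/`:443` server ports are assumptions; `PUBLIC_IP_ADDRESS` and `ROOT/drain.html` are the placeholders from the quoted configuration.

```haproxy
defaults
    log global
    retries 2
    option redispatch
    maxconn 2000
    option abortonclose
    # Values from the reply: about 5 s to connect (covers a TCP retransmit)
    # and the longest expected server response (20-30 s) for client/server.
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80: HTTP mode, so the HTTP-only options are no longer ignored.
# "option persist" and "appsession" from the quoted config are left out here.
listen MY_BALANCER_HTTP PUBLIC_IP_ADDRESS:80
    mode http
    option httplog
    option httpclose
    option forwardfor
    balance source
    option httpchk GET ROOT/drain.html
    http-check disable-on-404
    # "cookie ... insert" needs a cookie value on each server line
    # (s1 and s2 are assumed values).
    cookie SERVERID insert
    server SERVER1 192.168.0.150:80 cookie s1 check inter 1000 rise 1 fall 2 maxconn 1000
    server SERVER2 192.168.0.151:80 cookie s2 check inter 1000 rise 1 fall 2 maxconn 1000

# Port 443: pure TCP. HTTPS is not analysed and no cookie is matched,
# so cookie stickiness and the maintenance mode do not apply here.
listen MY_BALANCER_HTTPS PUBLIC_IP_ADDRESS:443
    mode tcp
    option tcplog
    balance source
    server SERVER1 192.168.0.150:443 check port 80 inter 1000 rise 1 fall 2 maxconn 1000
    server SERVER2 192.168.0.151:443 check port 80 inter 1000 rise 1 fall 2 maxconn 1000
```

Running `haproxy -c -f` against the file reports directives that are ignored or invalid for a section's mode before the configuration is loaded.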
