Issue with multiple users on same LAN at client

Tony Zakula
Issue with multiple users on same LAN at client
March 18, 2017 02:40PM
Hi,

We are having an issue when multiple users are on the same LAN connecting
to our network. We are running a network hosting maybe 20 servers/domains
behind one HA proxy. Users on different networks connect fine. We are
terminating SSL connections.

Any ideas on how to trace this down? Seems only an issue when clients are
on the same LAN. Sample config below.

Thanks,

Tony

***
HA-Proxy version 1.7.0-1ppa1~trusty 2016/12/04

Sample Config

global
log 127.0.0.1 local0
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 100000
ulimit-n 300040
tune.maxrewrite 1024
#tune.bufsize 32768

# Spread checks with some randomness
spread-checks 5

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Added by TZ for Kodaris
# Not supported by Java7 and earlier clients. We may need to remove
tune.ssl.default-dh-param 2048

# Added this for further security due to SSL Weak Ciphers.
# https://cipherli.st/
ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
ssl-default-bind-ciphers AES128+EECDH:AES128+EDH

defaults
log global
mode http
maxconn 100000
option forwardfor
option http-server-close
option httplog
option dontlognull
timeout http-keep-alive 10s
timeout connect 10s
timeout client 90s
timeout server 60s
timeout check 60s
retries 2
option redispatch

errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend application
bind *:80
redirect scheme https code 301 if !{ ssl_fc }
mode http
monitor-uri /haproxy_test
option httplog
log global


frontend applicationSSL
bind 0.0.0.0:443 ssl crt /etc/ssl/haproxy/kodarisWildcard.pem crt /etc/ssl/haproxy/ ciphers AES128+EECDH:AES128+EDH force-tlsv12 no-sslv3
mode http
monitor-uri /haproxy_test
option httplog
log global
reqadd X-Forwarded-Proto:\ https
# HSTS - 16000000 seconds: a bit more than 6 months
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
# Click Jacking - Prevents an iFrame
# TODO - Need to audit site and see if we can remove iframes and use Cors, also need to remove iframe
http-response set-header X-Frame-Options SAMEORIGIN
compression algo gzip
compression type text/html text/plain text/javascript application/javascript application/xml text/css

redirect prefix http://www.kodaris.com code 301 if { hdr(host) -i kodaris.com }

# content switching based on SNI
use_backend kodaris if { ssl_fc_sni domain1.com }
# 20 domains below this

default_backend domain1

backend domain1
mode http
option forwardfor
server node1 10.0.2.149:8080 check inter 1m

backend domain2
mode http
option forwardfor
balance roundrobin
cookie JSESSIONID prefix nocache
server node1 10.0.1.190:8080 check inter 1m cookie node1 maxconn 1000
server node2 10.0.1.184:8080 check inter 1m cookie node2 maxconn 1000
Lukas Tribus
Re: Issue with multiple users on same LAN at client
March 18, 2017 08:00PM
Hello Tony,


On 18.03.2017 at 14:29, Tony Zakula wrote:
> Hi,
>
> We are having an issue when multiple users are on the same LAN
> connecting to our network. We are running a network hosting maybe 20
> servers/domains behind one HA proxy. Users on different networks
> connect fine. We are terminating SSL connections.

Check your kernel settings, what is net.ipv4.tcp_tw_reuse and
net.ipv4.tcp_tw_recycle set to?

net.ipv4.tcp_tw_recycle must be 0 (disabled).
net.ipv4.tcp_tw_recycle is bad.


More about this from Vincent Bernat:
https://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux
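Why tcp_tw_recycle hits exactly the "several users on one LAN" case: clients behind a shared NAT address all reach the server from the same source IP, but each host has its own TCP timestamp clock, and the recycling check remembers the last timestamp per source IP and drops a later SYN whose timestamp is lower. The simplified model below is an added example, not code from the thread, from HAProxy, or from the kernel; the host names, the NAT address 203.0.113.10 and the timestamp values are constructed.

```python
"""Toy model of the per-peer timestamp check behind net.ipv4.tcp_tw_recycle.

Added example (not from the thread or from HAProxy). The bookkeeping is a
simplified stand-in for what the kernel option did: after a connection passes
through TIME-WAIT, the peer's last TCP timestamp is remembered keyed by source
IP only; a later SYN from that IP with a lower timestamp is treated as an old
duplicate and dropped. Hosts behind one NAT share a source IP but not a clock.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LanHost:
    """A client behind the NAT with its own (uptime-based) timestamp clock."""
    name: str
    ts_clock: int  # current TCP timestamp value (constructed)


@dataclass
class Server:
    tcp_tw_recycle: bool
    remembered_ts: Dict[str, int] = field(default_factory=dict)  # src IP -> last ts
    log: List[str] = field(default_factory=list)

    def handle_syn(self, src_ip: str, host: LanHost) -> bool:
        """Return True if the SYN is accepted, False if the recycle check drops it."""
        ts = host.ts_clock
        if self.tcp_tw_recycle:
            prev = self.remembered_ts.get(src_ip)
            if prev is not None and ts < prev:
                self.log.append(
                    f"DROP   SYN from {host.name} via {src_ip}: ts={ts} < remembered {prev}")
                return False
        self.log.append(f"ACCEPT SYN from {host.name} via {src_ip}: ts={ts}")
        return True

    def close_connection(self, src_ip: str, host: LanHost) -> None:
        """Connection enters TIME-WAIT; with recycling on, the peer's timestamp
        is remembered by source IP alone, so the NAT address inherits it."""
        if self.tcp_tw_recycle:
            self.remembered_ts[src_ip] = max(self.remembered_ts.get(src_ip, 0), host.ts_clock)


def simulate(tcp_tw_recycle: bool) -> List[bool]:
    """Two hosts on one LAN share the NAT address 203.0.113.10 (constructed).
    Host B booted later, so its timestamp clock is far behind host A's.
    Returns the accept/drop outcome of each SYN in order."""
    nat_ip = "203.0.113.10"
    host_a = LanHost("host-A", ts_clock=900_000)
    host_b = LanHost("host-B", ts_clock=50_000)
    server = Server(tcp_tw_recycle=tcp_tw_recycle)
    results = [server.handle_syn(nat_ip, host_a)]   # A connects first
    server.close_connection(nat_ip, host_a)         # A's connection ends -> TIME-WAIT
    results.append(server.handle_syn(nat_ip, host_b))  # B tries right afterwards
    results.append(server.handle_syn(nat_ip, host_a))  # A itself is still fine
    for line in server.log:
        print(f"[recycle={'on' if tcp_tw_recycle else 'off'}] {line}")
    return results


if __name__ == "__main__":
    simulate(tcp_tw_recycle=True)   # host-B's SYN is dropped
    simulate(tcp_tw_recycle=False)  # every SYN is accepted
```

With recycling on, host-B never gets past the SYN even though nothing is wrong with it; with recycling off (the value Lukas asks for), all three connection attempts succeed. The same reasoning is why the symptom only shows up for clients that share one egress address and never for users on separate networks.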
Tony Zakula
Re: Issue with multiple users on same LAN at client
March 18, 2017 09:50PM
Thank you! Worked like a charm! Setting them to 0. Have been looking for
that for several weeks. :-)

I think we enabled that when we were load testing but it was a different
issue when we fixed why our sites were not responding, and we never
reverted the settings.

If you have a donation avenue, be happy to accommodate. :-)

On Sat, Mar 18, 2017 at 2:49 PM, Lukas Tribus <[email protected]> wrote:

> Hello Tony,
>
>
> On 18.03.2017 at 14:29, Tony Zakula wrote:
>
>> Hi,
>>
>> We are having an issue when multiple users are on the same LAN connecting
>> to our network. We are running a network hosting maybe 20 servers/domains
>> behind one HA proxy. Users on different networks connect fine. We are
>> terminating SSL connections.
>>
>
> Check your kernel settings, what is net.ipv4.tcp_tw_reuse and
> net.ipv4.tcp_tw_recycle set to?
>
> net.ipv4.tcp_tw_recycle must be 0 (disabled).
> net.ipv4.tcp_tw_recycle is bad.
>
>
> More about this from Vincent Bernat:
> https://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux
>
>