LinuxQuestions.org
Old 12-09-2016, 02:30 AM   #1
redssr
Haproxy session problem


Hello,

Experts,

I have a five layer load balancing structure with 1 haproxy, 2 webservers and 2 db servers (master-slave). When I point my domain/subdomains to one of my web servers they work great without any problem, but when I point them to my haproxy it runs into problems. The developers are saying that the problem is related to the PHP session: the session is not getting released. That means after logging in to the website the users are unable to log out. The user has to click 2-3 times to log out.

I have also confirmed that it is related to a haproxy config problem. I tried the appsession parameter for sticky PHP sessions in two different ways but no luck. Here are my two different haproxy config methods:

Code:
global
	log 127.0.0.1 local0
        chroot /var/lib/haproxy
        stats socket /var/run/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
	maxconn 60000
	tune.ssl.default-dh-param 4096

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL).
        #ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
        ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
#    ssl-default-bind-options no-sslv3 no-tlsv1
    tune.ssl.default-dh-param 4096

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50001
	option forwardfor
	option http-server-close

frontend http_front
    bind *:80
 maxconn 60000
    reqadd X-Forwarded-Proto:\ http
capture cookie PHPSESSID len 32
acl host_student hdr(host) -i mystudentsurvey.net
acl host_newone hdr(host) -i newone.mystudentsurvey.net
acl host_achilles hdr(host) -i achilles.mystudentsurvey.net
acl host_reports hdr(host) -i reports.mystudentsurvey.net
acl host_app hdr(host) -i app.mystudentsurvey.net
use_backend newone if host_newone
use_backend achilles if host_achilles
use_backend reports if host_reports


frontend https_front
   bind *:443 ssl crt /etc/ssl/certs/newone.mystudentsurvey.net.pem ssl crt  ssl crt /etc/ssl/certs/reports.mystudentsurvey.net.pem  ssl crt /etc/ssl/certs/mystudentsurvey.net.pem ssl crt /etc/ssl/certs/achilles.mystudentsurvey.net.pem
   reqadd X-Forwarded-Proto:\ https
capture cookie PHPSESSID len 32
acl host_newone hdr(host) -i newone.mystudentsurvey.net
acl host_achilles hdr(host) -i achilles.mystudentsurvey.net
acl host_reports hdr(host) -i reports.mystudentsurvey.net
use_backend newone if host_newone
use_backend achilles if host_achilles
use_backend reports if host_reports

backend newone
    balance leastconn
option httpclose
option forwardfor
cookie PHPSESSID prefix nocache
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
   redirect scheme https if !{ ssl_fc }
    server web1 10.132.31.245:80 maxconn 60000 cookie check
    server web2 10.132.84.150:80 maxconn 60000 cookie check
    server sweb1 10.132.31.245:443 maxconn 60000 cookie check ssl verify none
    server sweb2 10.132.84.150:443 maxconn 60000 cookie check ssl verify none
    appsession PHPSESSID len 32 timeout 3h request-learn prefix

backend achilles
    balance leastconn
option httpclose
option forwardfor
cookie PHPSESSID prefix nocache
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
   redirect scheme https if !{ ssl_fc }
    server web1 10.132.31.245:80 maxconn 60000 cookie check
    server web2 10.132.84.150:80 maxconn 60000 cookie check
    server sweb1 10.132.31.245:443 maxconn 60000 cookie check ssl verify none
    server sweb2 10.132.84.150:443 maxconn 60000 cookie check ssl verify none
    appsession PHPSESSID len 32 timeout 3h request-learn prefix

backend reports
    balance leastconn
option httpclose
option forwardfor
cookie PHPSESSID prefix nocache
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
   redirect scheme https if !{ ssl_fc }
    server web1 10.132.31.245:80 maxconn 60000 cookie check
    server web2 10.132.84.150:80 maxconn 60000 cookie check
    server sweb1 10.132.31.245:443 maxconn 60000 cookie check ssl verify none
    server sweb2 10.132.84.150:443 maxconn 60000 cookie check ssl verify none
    appsession PHPSESSID len 32 timeout 3h request-learn prefix
2nd method

Code:
global
	log 127.0.0.1 local0
        chroot /var/lib/haproxy
        stats socket /var/run/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
	maxconn 60000
	tune.ssl.default-dh-param 4096

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL).
        #ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
        ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
#    ssl-default-bind-options no-sslv3 no-tlsv1
    tune.ssl.default-dh-param 4096

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50001
	option forwardfor
	option http-server-close

frontend http_front
    bind *:80
 maxconn 60000
    reqadd X-Forwarded-Proto:\ http
capture cookie PHPSESSID len 32
acl host_student hdr(host) -i mystudentsurvey.net
acl host_newone hdr(host) -i newone.mystudentsurvey.net
acl host_achilles hdr(host) -i achilles.mystudentsurvey.net
acl host_reports hdr(host) -i reports.mystudentsurvey.net
acl host_app hdr(host) -i app.mystudentsurvey.net
use_backend newone if host_newone
use_backend achilles if host_achilles
use_backend reports if host_reports


frontend https_front
   bind *:443 ssl crt /etc/ssl/certs/newone.mystudentsurvey.net.pem ssl crt  ssl crt /etc/ssl/certs/reports.mystudentsurvey.net.pem  ssl crt /etc/ssl/certs/mystudentsurvey.net.pem ssl crt /etc/ssl/certs/achilles.mystudentsurvey.net.pem
   reqadd X-Forwarded-Proto:\ https
capture cookie PHPSESSID len 32
acl host_snewone hdr(host) -i newone.mystudentsurvey.net
acl host_sstudent hdr(host) -i mystudentsurvey.net
acl host_sachilles hdr(host) -i achilles.mystudentsurvey.net
acl host_sreports hdr(host) -i reports.mystudentsurvey.net
use_backend newone if host_snewone
use_backend achilles if host_sachilles
use_backend reports if host_sreports

backend newone
    balance leastconn
option httpclose
option forwardfor
cookie PHPSESSID prefix nocache
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
   redirect scheme https if !{ ssl_fc }
    server web1 10.132.31.245:80 maxconn 60000 cookie check
    server web2 10.132.84.150:80 maxconn 60000 cookie check
    appsession PHPSESSID len 32 timeout 3h request-learn prefix

backend student
    balance leastconn
option httpclose
option forwardfor
cookie PHPSESSID prefix nocache
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
   redirect scheme https if !{ ssl_fc }
    server web1 10.132.31.245:80 maxconn 60000 cookie check
    server web2 10.132.84.150:80 maxconn 60000 cookie check
    appsession PHPSESSID len 32 timeout 3h request-learn prefix

backend achilles
    balance leastconn
option httpclose
option forwardfor
cookie PHPSESSID prefix nocache
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
   redirect scheme https if !{ ssl_fc }
    server web1 10.132.31.245:80 maxconn 60000 cookie check
    server web2 10.132.84.150:80 maxconn 60000 cookie check
    appsession PHPSESSID len 32 timeout 3h request-learn prefix

backend reports
    balance leastconn
option httpclose
option forwardfor
cookie PHPSESSID prefix nocache
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
   redirect scheme https if !{ ssl_fc }
    server web1 10.132.31.245:80 maxconn 60000 cookie check
    server web2 10.132.84.150:80 maxconn 60000 cookie check
    appsession PHPSESSID len 32 timeout 3h request-learn prefix

backend snewone
    balance leastconn
option httpclose
option forwardfor
cookie PHPSESSID prefix nocache
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
   redirect scheme https if !{ ssl_fc }
    server sweb1 10.132.31.245:443 maxconn 60000 cookie check ssl verify none
    server sweb2 10.132.84.150:443 maxconn 60000 cookie check ssl verify none
    appsession PHPSESSID len 32 timeout 3h request-learn prefix

backend sstudent
    balance leastconn
option httpclose
option forwardfor
cookie PHPSESSID prefix nocache
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
   redirect scheme https if !{ ssl_fc }
    server sweb1 10.132.31.245:443 maxconn 60000 cookie check ssl verify none
    server sweb2 10.132.84.150:443 maxconn 60000 cookie check ssl verify none
    appsession PHPSESSID len 32 timeout 3h request-learn prefix

backend sachilles
    balance leastconn
option httpclose
option forwardfor
cookie PHPSESSID prefix nocache
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
   redirect scheme https if !{ ssl_fc }
    server sweb1 10.132.31.245:443 maxconn 60000 cookie check ssl verify none
    server sweb2 10.132.84.150:443 maxconn 60000 cookie check ssl verify none
    appsession PHPSESSID len 32 timeout 3h request-learn prefix

backend sreports
    balance leastconn
option httpclose
option forwardfor
cookie PHPSESSID prefix nocache
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
   redirect scheme https if !{ ssl_fc }
    server sweb1 10.132.31.245:443 maxconn 60000 cookie check ssl verify none
    server sweb2 10.132.84.150:443 maxconn 60000 cookie check ssl verify none
    appsession PHPSESSID len 32 timeout 3h request-learn prefix
But still my problem is not resolved. I think there must be a minor mistake in my config which I am unable to catch.

Any replies will be appreciated.

Regards,

Redssr
 
Old 12-09-2016, 03:06 AM   #2
AwesomeMachine
I'm sorry I cannot be more specific, but your problem can occur because the web server isn't correctly switching from https to http on user logouts.
 
Old 12-09-2016, 03:27 AM   #3
redssr
Dear AwesomeMachine,

Thanks for the reply, but I don't want to run my websites on http; I want them to be on https only. Do you mean that in my current configs I am trying to redirect traffic from https to http in haproxy, and as a result it's not working?

Regards,

Redssr
 
Old 12-09-2016, 03:39 AM   #4
AwesomeMachine
So, even if users are not logged in they are using SSL? It's permissible to do it that way. But you have your haproxy checking on port 80. I'm not an expert in haproxy. PHP should take care of things even if haproxy is only listening on port 80. I mention it only as a possibility.
 
Old 12-09-2016, 03:54 AM   #5
redssr
Hello AwesomeMachine,

Yes, the users are on SSL all the time.
 
Old 12-23-2016, 09:12 AM   #6
redssr
Hi AwesomeMachine,

Don't know what the difference is between my previous configs and the config below, but the config below worked fine. Here is the config:

Code:
global
	log 127.0.0.1 local0
        chroot /var/lib/haproxy
        stats socket /var/run/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
	 
	tune.ssl.default-dh-param 4096

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL).
        #ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
        ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
#    ssl-default-bind-options no-sslv3 no-tlsv1
    tune.ssl.default-dh-param 4096

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50001
	option forwardfor
	option http-server-close
#        errorfile 400 /etc/haproxy/errors/400.http
#        errorfile 403 /etc/haproxy/errors/403.http
#        errorfile 408 /etc/haproxy/errors/408.http
#        errorfile 500 /etc/haproxy/errors/500.http
#        errorfile 502 /etc/haproxy/errors/502.http
#        errorfile 503 /etc/haproxy/errors/503.http
#        errorfile 504 /etc/haproxy/errors/504.http
frontend http_front
    bind *:80
     
    bind *:443 ssl crt /etc/ssl/certs/newone.mystudentsurvey.net.pem crt /etc/ssl/certs/app.mystudentsurvey.net.pem crt /etc/ssl/certs/reports.mystudentsurvey.net.pem crt /etc/ssl/certs/portal.mystudentsurvey.net.pem crt /etc/ssl/certs/survey.mystudentsurvey.net.pem crt /etc/ssl/certs/smartsurveyonline.mystudentsurvey.net.pem crt /etc/ssl/certs/cdn.mystudentsurvey.net.pem crt /etc/ssl/certs/achilles.mystudentsurvey.net.pem
    
    reqadd X-Forwarded-Proto:\ http
    acl host_newone hdr(host) -i newone.mystudentsurvey.net
    acl host_achilles hdr(host) -i achilles.mystudentsurvey.net
    acl host_reports hdr(host) -i reports.mystudentsurvey.net
    acl host_app hdr(host) -i app.mystudentsurvey.net
    acl host_api hdr(host) -i api.mystudentsurvey.net
    acl host_portal hdr(host) -i portal.mystudentsurvey.net
    acl host_survey hdr(host) -i survey.mystudentsurvey.net
    acl host_smartsurveyonline hdr(host) -i smartsurveyonline.mystudentsurvey.net
    acl host_cdn hdr(host) -i cdn.mystudentsurvey.net
 
    use_backend newone if host_newone
    use_backend achilles if host_achilles
    use_backend reports if host_reports
    use_backend app if host_app
    use_backend app if host_api
    use_backend default if host_portal
    use_backend survey if host_survey
    use_backend smartsurveyonline if host_smartsurveyonline
    use_backend default if host_cdn



backend newone
    redirect scheme https if !{ ssl_fc }
    balance leastconn
    option httpclose
    option forwardfor
    server web1 10.132.31.245   cookie check ssl verify none
    server web2 10.132.84.150   cookie check ssl verify none
    appsession laravel_session len 40 timeout 3h

backend achilles
    redirect scheme https if !{ ssl_fc }
    balance leastconn
    option httpclose
    option forwardfor
    server web1 10.132.31.245   cookie check ssl verify none
    server web2 10.132.84.150   cookie check ssl verify none
    appsession laravel_session len 40 timeout 3h

backend reports
    redirect scheme https if !{ ssl_fc }
    balance leastconn
    option httpclose
    option forwardfor
    server web1 10.132.31.245   cookie check ssl verify none
    server web2 10.132.84.150   cookie check ssl verify none
    appsession PHPSESSID len 26 timeout 3h request-learn

backend survey
    redirect scheme https if !{ ssl_fc }
    balance leastconn
    option httpclose
    option forwardfor
    server web1 10.132.31.245   cookie check ssl verify none
    server web2 10.132.84.150   cookie check ssl verify none
    appsession PHPSESSID len 32 timeout 3h

backend app
    redirect scheme https if !{ ssl_fc }
    balance leastconn
    option httpclose
    option forwardfor
    server web1 10.132.31.245   cookie check ssl verify none
    server web2 10.132.84.150   cookie check ssl verify none
    appsession PHPSESSID len 32 timeout 3h

backend smartsurveyonline
    redirect scheme https if !{ ssl_fc }
    balance leastconn
    option httpclose
    option forwardfor
    server web1 10.132.31.245   cookie check ssl verify none
    server web2 10.132.84.150   cookie check ssl verify none
    appsession ci_session len 40 timeout 3h

backend default
    redirect scheme https if !{ ssl_fc }
    balance leastconn
    option httpclose
    option forwardfor
    server web1 10.132.31.245 cookie  check ssl verify none
Marking this thread as resolved.

Thanks and regards,

Redssr
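
In HAProxy's `server` syntax the `cookie` keyword takes a value, so `cookie check` assigns the cookie value `check` and leaves no `check` keyword on the line to turn health checks on. The lint below is an added example, not code from this thread or from the HAProxy project; it flags that pattern, cookie values shared by several servers of one backend, and `ssl verify none`, over a constructed sample reduced from the posted configs (the `fixed` backend and its values `w1`/`w2` are hypothetical).

```python
from collections import defaultdict

# Constructed sample: one backend reduced from the configs posted in this thread,
# plus a hypothetical "fixed" backend with distinct cookie values (w1, w2 are made up).
SAMPLE = """\
backend newone
    cookie PHPSESSID prefix nocache
    server web1 10.132.31.245:80 maxconn 60000 cookie check
    server web2 10.132.84.150:80 maxconn 60000 cookie check
    server sweb1 10.132.31.245:443 maxconn 60000 cookie check ssl verify none
backend fixed
    cookie PHPSESSID prefix nocache
    server web1 10.132.31.245:80 maxconn 60000 cookie w1 check
    server web2 10.132.84.150:80 maxconn 60000 cookie w2 check
"""

SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}
# Server options that consume the following word as their value (subset).
ONE_ARG = {"cookie", "maxconn", "verify", "weight", "inter", "rise", "fall"}

def parse_server(words):
    """Split the options of a 'server' line into {option: value-or-True}."""
    opts, i = {}, 3  # words[0] = 'server', words[1] = name, words[2] = address
    while i < len(words):
        if words[i] in ONE_ARG and i + 1 < len(words):
            opts[words[i]] = words[i + 1]  # next word is the value, even if it is 'check'
            i += 2
        else:
            opts[words[i]] = True
            i += 1
    return opts

def lint(config):
    """Return sorted (backend, server, finding) tuples for sticky-cookie and TLS issues."""
    findings, backend = [], None
    by_value = defaultdict(list)  # (backend, cookie value) -> server names
    for line in config.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTIONS:
            named = words[0] in ("backend", "listen") and len(words) > 1
            backend = words[1] if named else None
        elif backend and words[0] == "server" and len(words) >= 3:
            opts = parse_server(words)
            if "cookie" in opts:
                by_value[(backend, opts["cookie"])].append(words[1])
            if "check" not in opts:  # no standalone 'check' keyword survived parsing
                findings.append((backend, words[1], "no-health-check"))
            if opts.get("ssl") and opts.get("verify") == "none":
                findings.append((backend, words[1], "tls-unverified"))
    for (be, value), servers in by_value.items():
        if len(servers) > 1:  # persistence cookie cannot tell these servers apart
            findings += [(be, s, f"shared-cookie:{value}") for s in servers]
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding)
```
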
 
  

