Package: haproxy
Version: 2.2.9-2+deb11u3
Severity: important
X-Debbugs-Cc: bugrepo...@pouzenc.fr

Dear Maintainer,

We have a (WordPress) PHP web site hosted on 3 LAMP nodes. We use haproxy to load-balance the incoming web traffic. We got 240k lines of apache2 access log yesterday.

The problem can be reproduced on a test infra without any concurrent user, with a basic test.php that does readfile("jquery.min.js") and a basic index.html referencing test.php multiple (24) times so that Firefox starts multiple HTTP requests in parallel.

The problem is hard or impossible to trigger with Firefox with http2 enabled. The problem is easy to reproduce with Firefox forced into http/1.1 mode.

The problem doesn't show with an echo "Hello World" in test.php; it seems that the response size is important. 30 KiB is enough to trigger it for sure.

Out of 25 requests (including GET /), Firefox will get results for about 20 of them, and about 4 will be delayed by a huge amount of 50 seconds (50 seconds if haproxy has: default timeout server 50000).

I tried nbproc 1 and nbthreads 1 with no improvements.

I tried haproxy 2.4.15-1~bpo11+1 and it DOES fix the situation without changing anything else.

    # apt install -t bullseye-backports haproxy

I didn't find any bug reports mentioning major troubles in "basic" usage of haproxy. I post it here so that someone else has luck when Googling about the troubles I hit.

I can't find exactly what line in the haproxy changelog could correspond to this. I think I can try, if useful, to find the smallest configuration that breaks. PHP seems unrelated. Direct access to the apache doesn't show any trouble.

It may be broken in Ubuntu 21.04 (hirsute) and Ubuntu 21.10 (impish) also.

Thanks for all the fish,
Ludovic

-- System Information:
Debian Release: 11.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-13-amd64 (SMP w/1 CPU thread)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages haproxy depends on:
ii  adduser              3.118
ii  dpkg                 1.20.9
ii  init-system-helpers  1.60
ii  libc6                2.31-13+deb11u3
ii  libcrypt1            1:4.4.18-4
ii  libgcc-s1            10.2.1-6
ii  liblua5.3-0          5.3.3-1.1+b1
ii  libpcre2-8-0         10.36-2
ii  libssl1.1            1.1.1n-0+deb11u1
ii  libsystemd0          247.3-7
ii  lsb-base             11.1.0
ii  zlib1g               1:1.2.11.dfsg-2+deb11u1

haproxy recommends no packages.

Versions of packages haproxy suggests:
pn  haproxy-doc  <none>
pn  vim-haproxy  <none>

-- Configuration Files:
/etc/haproxy/haproxy.cfg changed:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http
    bind *:80
    mode http
    # redirects to https
    redirect scheme https if !{ ssl_fc }
    default_backend http

frontend https
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    mode http
    # [some acl with our IPs stripped here]
    default_backend http

backend http
    balance roundrobin
    # ensures the forwarded request includes the actual client IP address
    option forwardfor
    # defines the check HAProxy uses to test if a web server is still valid for forwarding requests
    option httpchk
    http-check send meth GET uri /
    # use cookies for sticky sessions
    cookie SRVNAME insert indirect nocache
    server www1 192.168.120.41:443 cookie s1 check ssl verify none on-marked-down shutdown-sessions alpn h2,http/1.1
    server www2 192.168.120.42:443 cookie s2 check ssl verify none on-marked-down shutdown-sessions alpn h2,http/1.1
    server www3 192.168.120.43:443 cookie s3 check ssl verify none on-marked-down shutdown-sessions alpn h2,http/1.1

backend letsencrypt
    server lua 127.0.0.1:8002

backend node3
    option forwardfor
    server www3 192.168.120.43:443 cookie s3 check ssl verify none on-marked-down shutdown-sessions alpn h2,http/1.1

backend node2
    option forwardfor
    server www2 192.168.120.42:443 cookie s2 check ssl verify none on-marked-down shutdown-sessions alpn h2,http/1.1

backend node1
    option forwardfor
    server www1 192.168.120.41:443 cookie s1 check ssl verify none on-marked-down shutdown-sessions alpn h2,http/1.1

-- no debconf information
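
A triage aid for the symptom described in the report above, as an added example that is not part of the original report or of HAProxy: it reads `timeout server` from the configuration and lists `option httplog` entries whose total time (Ta) reaches it. The report includes no haproxy logs, so the log lines below are constructed, and the names `server_timeout_ms` and `stalled_requests` are hypothetical.

```python
import re

# Constructed excerpt mirroring the "defaults" section of the reported config.
SAMPLE_CFG = """\
defaults
    timeout connect 5000
    timeout client  50000
    timeout server  50000
"""

# Constructed "option httplog" lines (not from the report); only the timers are used.
SAMPLE_LOG = """\
haproxy[812]: 192.0.2.10:51000 [12/Apr/2022:10:00:00.120] https~ http/www1 0/0/2/35/41 200 30412 - - --NI 25/25/4/2/0 0/0 "GET /test.php?1 HTTP/1.1"
haproxy[812]: 192.0.2.10:51002 [12/Apr/2022:10:00:00.121] https~ http/www2 0/0/1/33/50012 200 30412 - - --NI 25/25/4/2/0 0/0 "GET /test.php?2 HTTP/1.1"
haproxy[812]: 192.0.2.10:51004 [12/Apr/2022:10:00:00.121] https~ http/www3 0/0/2/31/38 200 30412 - - --NI 25/25/4/1/0 0/0 "GET /test.php?3 HTTP/1.1"
haproxy[812]: 192.0.2.10:51006 [12/Apr/2022:10:00:00.122] https~ http/www1 0/0/1/36/50031 200 30412 - - --NI 25/25/4/2/0 0/0 "GET /test.php?4 HTTP/1.1"
haproxy[812]: 192.0.2.10:51008 [12/Apr/2022:10:00:00.123] https~ http/www2 0/0/2/37/44 200 30412 - - --NI 25/25/4/2/0 0/0 "GET /test.php?5 HTTP/1.1"
"""

# frontend, backend/server, then the TR/Tw/Tc/Tr/Ta timers and the status code.
LINE_RE = re.compile(
    r'\] (?P<fe>\S+) (?P<be>[^/\s]+)/(?P<srv>\S+) '
    r'(?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/\+?(?P<Ta>-?\d+) '
    r'(?P<status>\d{3}|-1) .*"(?P<req>[^"]*)"$'
)

def server_timeout_ms(cfg):
    """Return 'timeout server' in milliseconds (HAProxy's default unit is ms)."""
    m = re.search(r'^\s*timeout\s+server\s+(\d+)(ms|s|m)?\s*$', cfg, re.M)
    if not m:
        raise ValueError("no 'timeout server' directive found")
    return int(m.group(1)) * {None: 1, "ms": 1, "s": 1000, "m": 60000}[m.group(2)]

def stalled_requests(log_text, timeout_ms):
    """List (server, request, Ta) for entries whose total time reached the timeout."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if m and int(m.group("Ta")) >= timeout_ms:
            hits.append((m.group("srv"), m.group("req"), int(m.group("Ta"))))
    return hits

if __name__ == "__main__":
    limit = server_timeout_ms(SAMPLE_CFG)
    for srv, req, ta in stalled_requests(SAMPLE_LOG, limit):
        print(f"{srv}: {req!r} took {ta} ms (timeout server = {limit} ms)")
```
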