Package: haproxy
Version: 2.2.9-2+deb11u3
Severity: important
X-Debbugs-Cc: [email protected]
Dear Maintainer,
We have a (Wordpress) PHP web-site hosted on 3 LAMP nodes. We use haproxy to
load-balance the incoming web traffic.
We've got 240k lines of apache2 access log yesterday.
The problem can be reproduced with a test infra without any concurrent user
and a basic test.php that does readfile("jquery.min.js")
and a basic index.html referencing the test.php multiple (24) times
to have Firefox start multiple HTTP requests in parallel.
The problem is hard or impossible to trigger with Firefox with http2 enabled.
The problem is easy to reproduce with Firefox forced in http/1.1 mode.
The problem doesn't show with an echo "Hello World" in test.php;
it seems that the response size is important. 30 KiB is enough to trigger it
for sure.
Out of 25 requests (including GET /), Firefox will get results for about 20 of
them, and about 4 will be delayed by a huge amount, 50 seconds.
(50 seconds when haproxy has "timeout server 50000" in defaults.)
I tried nbproc 1 and nbthreads 1 with no improvement.
I tried haproxy 2.4.15-1~bpo11+1 and it DOES fix the situation without changing
anything else.
# apt install -t bullseye-backports haproxy
I didn't find any bug reports mentioning major troubles in "basic" usage of
haproxy.
I post it here so someone else gets lucky when Googling about the troubles I hit.
I can't find exactly what line in the haproxy changelog could correspond to this.
I think I can try, if useful, to find the smallest configuration that breaks.
PHP seems unrelated. Direct access to the Apache servers doesn't show any trouble.
It may be broken in Ubuntu 21.04 (hirsute) and Ubuntu 21.10 (impish) also.
Thanks for all the fish,
Ludovic
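The parallel-request test described above, as an added example that is not part of this bug report: it fires 24 HTTP/1.1 GETs at once (like a page with 24 script tags) and counts how many complete promptly versus stall near the 50 s server timeout. The host, port and path are assumptions to be pointed at the haproxy frontend (tls=True, with a certificate the client trusts); start_local_server is a constructed stand-in for test.php so the script can also run offline.

```python
import http.client
import http.server
import threading
import time
from concurrent.futures import ThreadPoolExecutor

def timed_get(host, port, path, tls=False):
    """Fetch path over a fresh HTTP/1.1 connection; return (status, body_len, seconds)."""
    conn_cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=120)  # longer than the 50 s "timeout server"
    start = time.monotonic()
    try:
        conn.request("GET", path, headers={"Connection": "close"})
        resp = conn.getresponse()
        body = resp.read()
        return resp.status, len(body), time.monotonic() - start
    finally:
        conn.close()

def parallel_fetch(host, port, path, count=24, tls=False):
    """Start count GETs at once, as Firefox does for a page with 24 script tags."""
    def worker(_):
        try:
            return timed_get(host, port, path, tls)
        except OSError:
            return (None, 0, float("inf"))  # connect error or client-side timeout
    with ThreadPoolExecutor(max_workers=count) as pool:
        return list(pool.map(worker, range(count)))

def summarize(results, stall_seconds=10.0):
    """Count responses that came back promptly, stalled (>= stall_seconds) or failed."""
    ok = sum(1 for s, _, t in results if s == 200 and t < stall_seconds)
    stalled = sum(1 for s, _, t in results if s == 200 and t >= stall_seconds)
    return {"ok": ok, "stalled": stalled, "failed": len(results) - ok - stalled}

def start_local_server(body_size=30 * 1024):
    """Constructed stand-in for test.php: serves body_size bytes on a free local port."""
    payload = b"x" * body_size
    class Handler(http.server.BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

For a real run, call summarize(parallel_fetch("haproxy-host", 443, "/test.php", tls=True)); a non-zero "stalled" count with haproxy 2.2.9 and zero with 2.4.15 reproduces the report.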
-- System Information:
Debian Release: 11.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-13-amd64 (SMP w/1 CPU thread)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages haproxy depends on:
ii adduser 3.118
ii dpkg 1.20.9
ii init-system-helpers 1.60
ii libc6 2.31-13+deb11u3
ii libcrypt1 1:4.4.18-4
ii libgcc-s1 10.2.1-6
ii liblua5.3-0 5.3.3-1.1+b1
ii libpcre2-8-0 10.36-2
ii libssl1.1 1.1.1n-0+deb11u1
ii libsystemd0 247.3-7
ii lsb-base 11.1.0
ii zlib1g 1:1.2.11.dfsg-2+deb11u1
haproxy recommends no packages.
Versions of packages haproxy suggests:
pn haproxy-doc <none>
pn vim-haproxy <none>
-- Configuration Files:
/etc/haproxy/haproxy.cfg changed:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http
    bind *:80
    mode http
    # redirects to https
    redirect scheme https if !{ ssl_fc }
    default_backend http

frontend https
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    mode http
    # [some acl with our IPs stripped here]
    default_backend http

backend http
    balance roundrobin
    # ensures the forwarded request includes the actual client IP address
    option forwardfor
    # defines the check HAProxy uses to test if a web server is still valid for forwarding requests
    option httpchk
    http-check send meth GET uri /
    # use cookies for sticky sessions
    cookie SRVNAME insert indirect nocache
    server www1 192.168.120.41:443 cookie s1 check ssl verify none on-marked-down shutdown-sessions alpn h2,http/1.1
    server www2 192.168.120.42:443 cookie s2 check ssl verify none on-marked-down shutdown-sessions alpn h2,http/1.1
    server www3 192.168.120.43:443 cookie s3 check ssl verify none on-marked-down shutdown-sessions alpn h2,http/1.1

backend letsencrypt
    server lua 127.0.0.1:8002

backend node3
    option forwardfor
    server www3 192.168.120.43:443 cookie s3 check ssl verify none on-marked-down shutdown-sessions alpn h2,http/1.1

backend node2
    option forwardfor
    server www2 192.168.120.42:443 cookie s2 check ssl verify none on-marked-down shutdown-sessions alpn h2,http/1.1

backend node1
    option forwardfor
    server www1 192.168.120.41:443 cookie s1 check ssl verify none on-marked-down shutdown-sessions alpn h2,http/1.1
-- no debconf information