webserver

Reputation: 1

How to use Haproxy sticky session ignoring client IP?

I am using haproxy as a load balancer for 3 application servers. Before client traffic reaches this load balancer, it first hits a WAF, which has multiple randomly distributed IPs. So when the connection renews, the original session could jump to another server due to changes of the session cookies, which I do not want to happen.

The WAF vendor advised me to either set the load balancer's session identifier to use X-Real-IP when making session cookies, or delete the IP combination from the identification for making session cookies, which I do not know how to do. Can you advise me on this?

Below are my haproxy settings.

frontend http_frontend
    bind *:80
    acl url_static       path_beg       -i /static /images /javascript /stylesheets
    acl url_static       path_end       -i .jpg .gif .png .css .js

    use_backend static          if url_static
    default_backend bk_http

frontend https_frontend
    bind *:443
    mode tcp
    default_backend bk_https

backend static
    balance     roundrobin
    server      static 127.0.0.1:4331 check

backend bk_http
    mode http
    balance     roundrobin
    # stickiness keyed on the client source IP, shared with the bk_https table
    stick on src table bk_https
    cookie SRVNAME insert
    server  web1 ip1:80 check cookie SA
    server  web2 ip2:80 check cookie SB

backend bk_https
    mode tcp
    balance leastconn
    stick-table type ip size 2000k expire 30m
    stick on src
    default-server inter 1s
    cookie SRVNAME insert
    server  web1 ip1:443 check cookie web1
    server  web2 ip2:443 check cookie web2

Upvotes: 0

Views: 3474

Answers (1)

Olivier PALANQUE

Reputation: 156

I think cookie is only available in HTTP mode; in TCP mode you need to do SSL affinity.

Try this:

backend bk_https
    mode tcp

    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 20M expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    # use tcp content accepts to detect ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello

    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.
    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello

    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello

    # health check with an SSL client hello instead of a plain TCP connect
    option ssl-hello-chk
    # s1/s2 are placeholder server names; XXX and YYY stand for the real addresses
    server s1 XXX:443 check
    server s2 YYY:443 check

To check that, enable the stats socket and connect 2 browsers to the site through haproxy:

# in the global section
stats socket /var/lib/haproxy/stats

bash#> echo "show table" | socat unix-connect:/var/lib/haproxy/stats stdio
# table: BACKEND_NAME, type: binary, size:20971520, used:2

bash#> echo "show table BACKEND_NAME" | socat unix-connect:/var/lib/haproxy/stats stdio
# table: BACKEND_NAME, type: binary, size:20971520, used:2
0x7f9ca0f24314:
key=8A3DF855010388A4DD94F71E0FEAF7A54A7032EA56D477D20F59B4F28CEF183B use=0
exp=1264499 server_id=1
0x7f9ca0f245c4:
key=C7EA05BA85730EAF725035EFB3C4F7537FCCCFD0469FB45A4A2DE85308ECF1C7 use=0
exp=1696667 server_id=2

Warning: if you have nbproc enabled, affinity is limited to a process.

Upvotes: 3
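To make the offset arithmetic in the answer concrete, here is an added Python example (not from the answer, and not HAProxy code) that builds a constructed TLS Hello record and extracts the same bytes that `payload_lv(43,1)` uses as the stick key; the functions `build_hello`, `ssl_hello_type`, `payload_lv` and `stick_key` are my names, the record layout follows the TLS handshake format, and the session ID value is reused from the `show table` output above. It also covers the failure mode the rule has: a zero-length session ID yields an empty key, so such clients cannot be told apart.

```python
import struct

HANDSHAKE_RECORD = 0x16            # TLS record content type "handshake"
CLIENT_HELLO, SERVER_HELLO = 1, 2  # handshake types the two ACLs match on

def build_hello(hello_type, session_id, version=b"\x03\x03"):
    """Constructed minimal TLS Hello record (not a capture), laid out as
    record header (5) + handshake header (4) + version (2) + random (32)
    = 43 bytes, so the 1-byte session-ID length sits at offset 43."""
    random_bytes = bytes(range(32))  # constructed, fixed value for the test
    body = version + random_bytes + bytes([len(session_id)]) + session_id
    if hello_type == CLIENT_HELLO:
        body += b"\x00\x02\x13\x01" + b"\x01\x00"  # cipher suites, compression
    else:
        body += b"\x13\x01" + b"\x00"              # chosen suite, compression
    handshake = bytes([hello_type]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE_RECORD]) + version
            + struct.pack("!H", len(handshake)) + handshake)

def ssl_hello_type(record):
    """What req_ssl_hello_type / rep_ssl_hello_type look at: the handshake
    message type byte, or None if this is not a TLS handshake record."""
    if len(record) < 6 or record[0] != HANDSHAKE_RECORD:
        return None
    return record[5]

def payload_lv(record, offset=43, length_bytes=1):
    """Mirror of HAProxy's payload_lv(<offset>,<length>): read a length field
    of <length> bytes at <offset>, then return that many bytes following it.
    None means the buffer is too short to decide; HAProxy waits for more
    data in that case, bounded by tcp-request inspect-delay."""
    end = offset + length_bytes
    if len(record) < end:
        return None
    value_len = int.from_bytes(record[offset:end], "big")
    if len(record) < end + value_len:
        return None
    return record[end:end + value_len]

def stick_key(record):
    """Key the binary stick-table would learn from this record, in the hex
    form 'show table' prints, or None when there is no usable key: not a
    Hello, or an empty session ID (every such client yields the same empty
    key, so nothing distinguishes one from another)."""
    if ssl_hello_type(record) not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    sid = payload_lv(record)
    return sid.hex().upper() if sid else None
```

Under TLS 1.3 (RFC 8446 compatibility mode) the legacy session ID field is fresh random bytes in every ClientHello, so a key learned this way does not carry over to the client's next connection; check what your clients actually send before relying on this rule.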
