We are seeing strange behaviour with haproxy on one website: the frontend's current sessions never decrease.
So after 3 or 4 days the limit is reached and we have to restart haproxy to reset the active connections.
The backend servers are a simple nginx with php7. Here is the haproxy conf:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 666 level user
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 50000
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-tls-tickets no-sslv3
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option httplog
option dontlognull
option dontlog-normal
option forwardfor
option redispatch
retries 3
compression algo gzip
compression type text/html text/plain text/css text/javascript application/javascript
timeout connect 4s
timeout client 10s
timeout server 30s
timeout http-keep-alive 500
timeout http-request 30s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend splash-frontend
mode http
maxconn 20000
bind xx.xx.xx.xx:80
redirect scheme https code 301 if !{ ssl_fc }
bind xx.xx.xx.xx:443 ssl crt /etc/haproxy/certs/splash.domain.net.pem alpn h2,http/1.1
default_backend splash-backend
http-response set-header Strict-Transport-Security max-age=15768000
backend splash-backend
balance roundrobin
mode http
server splash1 xx.xx.xx.xx:443 check inter 1000 ssl verify none
server splash2 xx.xx.xx.xx:443 check inter 1000 ssl verify none
server splash3 xx.xx.xx.xx:443 check inter 1000 ssl verify none
Then, the nginx conf used on the servers:
user www-data www-data;
worker_processes 2;
pid /var/run/nginx.pid;
worker_rlimit_nofile 1024;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 512;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile "on";
tcp_nopush "on";
tcp_nodelay "on";
keepalive_timeout "5";
access_log "/var/log/nginx/access.log";
error_log /var/log/nginx/error.log error;
server_tokens off;
types_hash_max_size 2048;
include /etc/nginx/conf.d/*.conf;
upstream php-handler {
server 127.0.0.1:9000;
}
server {
listen 80;
listen 443 default ssl http2;
server_name splash.domain.net;
root /var/www/domain.net/splash;
include /etc/nginx/ssl.conf;
include /etc/nginx/errors.conf;
error_log syslog:server=xx.xx.xx.xx:11514 notice;
access_log syslog:server=xx.xx.xx.xx:11514,tag=nginx,severity=info;
location / {
index index.php;
try_files $uri $uri/ /index.php?$uri&$args;
}
location ~* \.(img|css|js|jpg|jpeg|gif|png|map)$ {
deny all;
}
location ~ \.php$ {
fastcgi_pass php-handler;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
proxy_cache off;
expires -1;
}
}
}
Finally, the web page source:
<?php $redirectURL = isset($_GET['loginurl']) && $_GET['loginurl'] ? $_GET['loginurl'] : 'http://captiveportal.domain.net'; ?>
<!doctype html>
<html>
<head>
<title>Chargement...</title>
<meta http-equiv="Cache-control" content="no-cache">
<meta http-equiv="Pragma" content="no-cache">
<meta name="viewport" content="width=device-width, user-scalable=no">
<noscript><meta http-equiv="refresh" content="3; url=<?php echo $redirectURL; ?>"></noscript>
<style>html{width: 100%;height: 100%;}body {margin: 0 auto;padding: 20px;width: auto;overflow-y: none;font-family: 'Open Sans',sans-serif;font-weight: 400;color: #777;text-align: center;}a {text-decoration: none;color: #777;}.content {padding: 15px;overflow: hidden;}.centered {position: absolute;top: 50%;left: 50%;transform: translateY(-50%) translateX(-50%);}.load-wrap{text-align: center;}.radio {display: inline-block;width: 180px;height: 180px;}</style>
<script type="text/javascript">function onLoad() { window.setTimeout( function(){ window.location = "<?php echo $redirectURL; ?>"; }, 2000 ); }</script>
</head>
<body onload="onLoad();">
<div class="content">
<a href="<?php echo $redirectURL; ?>">
<div class="centered">
<h3>Loading ...</h3>
</div>
</a>
</div>
</body>
</html>
Our context is that users sit behind a captive portal, and the process is:
1 - The user's request to the Internet is intercepted by the captive portal and redirected to the splash page above.
2a - If the splash page is opened in a browser, a javascript or meta redirect sends the user to the captive portal site to accept the terms and connect to the Internet.
2b - If a background or non-interactive application requests the splash page, processing stops here.
The other websites we manage with haproxy don't have any problem, but our splash page keeps increasing current connections, and it's a real problem. We have tried many things without success, for example:
- option server-http-close
- option forceclose
No effect on this web page! We need some help, because there is probably one thing we don't understand. Does anyone have an idea?
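One way to watch the symptom described in the question, as an added example that is not part of the original post: it reads `show stat` from the stats socket declared in the global section of the posted haproxy.cfg and compares each frontend's current sessions (`scur`) with its `maxconn` (`slim`), next to the backend's own session count. The CSV sample is constructed and truncated to the columns used here; the socket path is the one from the posted config.

```python
import csv
import io
import socket

# Constructed sample of "show stat" output from the HAProxy admin socket.
# The column list is truncated to the fields used here (real output has ~80
# columns); the "# " header prefix and trailing commas match real output.
SAMPLE_STAT = """# pxname,svname,qcur,qmax,scur,smax,slim,stot,status,
splash-frontend,FRONTEND,,,19850,20000,20000,4213977,OPEN,
splash-backend,splash1,0,0,1,12,,1404659,UP,
splash-backend,splash2,0,0,0,11,,1404659,UP,
splash-backend,splash3,0,0,2,13,,1404659,UP,
splash-backend,BACKEND,0,0,3,36,5000,4213977,UP,
other-frontend,FRONTEND,,,42,310,20000,901223,OPEN,
"""


def fetch_show_stat(sock_path="/run/haproxy/admin.sock"):
    """Read raw 'show stat' CSV from the stats socket in the posted haproxy.cfg."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"show stat\n")
        chunks = []
        while data := s.recv(65536):
            chunks.append(data)
    return b"".join(chunks).decode()


def parse_show_stat(text):
    """Return one dict per CSV row, keyed by the header names (pxname, scur, ...)."""
    return list(csv.DictReader(io.StringIO(text.lstrip("# "))))


def session_report(text, warn_ratio=0.8):
    """Current vs. maximum sessions for every FRONTEND/BACKEND row.

    A frontend at or above warn_ratio of its maxconn is marked saturated, which
    is the state the question describes (frontend full, backend nearly idle).
    """
    report = {}
    for row in parse_show_stat(text):
        if row["svname"] not in ("FRONTEND", "BACKEND"):
            continue  # skip per-server rows; their slim is empty anyway
        scur = int(row["scur"] or 0)
        slim = int(row["slim"] or 0)
        ratio = scur / slim if slim else 0.0
        report[row["pxname"]] = {
            "kind": row["svname"], "scur": scur, "slim": slim,
            "saturated": row["svname"] == "FRONTEND" and ratio >= warn_ratio,
        }
    return report
```

Run `session_report(fetch_show_stat())` on the haproxy host to see the live numbers; a frontend `scur` close to `slim` while the backend `scur` stays low means the sessions are being held on the client side of the proxy.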