Rework haproxy config for stickiness and balance strategy#179
Conversation
vuntz
commented
Feb 8, 2017
vuntz
commented
- We enable stickiness based on SSL sessions
- We add the ability to do stickiness based on cookies
- We allow to define the balance strategy on a per-resource basis
- We stop overriding the default balance strategy (and therefore use roundrobin by default)
We have haproxy 1.5.x now, so we can use persistence for SSL sessions. This matters as if we want to allow people to not use "source" as balance algorithm, then we need to make sure that sessions keep going to the same backend to avoid breakages. This reverts commit 32323b0.
This is done in the LWRP and in the template; let's just do it in the LWRP to simplify the template.
| attribute :address, kind_of: String, default: "0.0.0.0" | ||
| attribute :port, kind_of: Integer, default: 0 | ||
| attribute :mode, kind_of: String, default: "http", equal_to: ["http", "tcp", "health"] | ||
| attribute :balance, kind_of: String, default: "", equal_to: ["", "roundrobin", "static-rr", "leastconn", "first", "source"] |
There was a problem hiding this comment.
Metrics/LineLength: Line is too long. [124/100] (https://github.com/SUSE/style-guides/blob/master/Ruby.md#metricslinelength)
AbelNavarro
left a comment
AbelNavarro
left a comment
There was a problem hiding this comment.
Speaking out of memory, I had trouble having complex configuration in a listen section in haproxy config file. A better approach would be a frontend + backend separate sections, but that would require major changes.
vuntz
force-pushed
the
haproxy-balance
branch
from
7b3f4b2 to
35f50fc
Compare
This is useful to achieve persistence for web apps which have a session, which is important in order to allow using a different algorithm than "source" for balancing without breaking sessions.
vuntz
force-pushed
the
haproxy-balance
branch
from
35f50fc to
9ceff98
Compare
This allows achieving persistence for a normal session, but also for the login form where there's usually a CSRF token (and which is not associated to a real session in the web app).
This enables customization of the balance strategy for each service.
The default in the haproxy cookbook is roundrobin, and this should actually work fine. In cases where this may be troublesome (like web apps), we can now configure stickiness to avoid issues. With roundrobin, we spread the load accross the various backends, which results in much improved performance.
vuntz
force-pushed
the
haproxy-balance
branch
from
9ceff98 to
d714d87
Compare
This works fine here. Just need to validate the SSL case, but everything else seems good. |
|
So overall, this looks good, except for horizon with ssl: there, the browser is creating multiple connections, so the ssl session id affinity doesn't work as expected. Easy workaround is to use the source balance strategy in that case. But I'll play a bit more with it. |
nicolasbock
left a comment
nicolasbock
left a comment
There was a problem hiding this comment.
Maybe I should add that it looks good to me once the gating tests pass.
dirkmueller
left a comment
dirkmueller
left a comment
There was a problem hiding this comment.
LGTM, can't really comment on the details without a lot of research myself
|
One change has been cherry-picked in #193, do consider reviewing that one. |
|
re-running a build on a separate PR to see if ssl is still broken. |
|
Given that the tests passed in #208 - including the SSL tests, I am merging this PR. |
|
Ah, I cannot merge it in the lack of passing CI. |
|
@nicolasbock @dirkmueller could you please transfer your +1 to #208 so we can get this change merged please? |
9 participants
