Details
Bug
Status: Closed
Critical
Resolution: Incomplete
10.4.13
OS : Debian Buster
Mariadb : 10.4.13
Galera : 4
Haproxy : 1.8.19
Description
Dear All,
Since I migrated from Mariadb 10.3.22 to 10.4.13, I get some regression with the use of proxy-protocol-networks.
Haproxy doesn't see any mysql backend alive anymore and my "clienthost" cannot authenticate themselves in Mariadb based on their IP.
On mariadb's side I tried the following things
- proxy-protocol-networks = 172.16.42.0/24, localhost
- proxy-protocol-networks = *
- proxy-protocol-networks = 172.16.42.8, 172.16.42.9, 172.16.42.10, localhost
and on haproxy's side :
backend mygalera
    balance leastconn
    mode tcp
    option tcpka
    option tcplog
    option log-health-checks
    retries 3
    option mysql-check user haproxy
    server myglra1 172.16.42.21:3306 check weight 1 send-proxy-v2
    server myglra2 172.16.42.22:3306 check weight 1 send-proxy-v2
    server myglra3 172.16.42.23:3306 check weight 1 send-proxy-v2
I also tried with "send-proxy"
On haproxy I get the following logs
May 27 10:10:21 haproxy001 haproxy[2958]: Health check for server mygalera/myglra1 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 2ms, status: 0/2 DOWN.
May 27 10:10:21 haproxy001 haproxy[2958]: Health check for server mygalera/myglra1 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 2ms, status: 0/2 DOWN.
May 27 10:31:53 haproxy001 haproxy[3056]: Health check for server mygalera/myglra1 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 1ms, status: 0/2 DOWN.
May 27 10:31:53 haproxy001 haproxy[3056]: Health check for server mygalera/myglra1 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 1ms, status: 0/2 DOWN.
May 27 10:31:54 haproxy001 haproxy[3056]: Health check for server mygalera/myglra2 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 2ms, status: 0/2 DOWN.
May 27 10:31:54 haproxy001 haproxy[3056]: Health check for server mygalera/myglra2 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 2ms, status: 0/2 DOWN.
May 27 10:31:54 haproxy001 haproxy[3056]: Health check for server mygalera/myglra3 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 2ms, status: 0/2 DOWN.
May 27 10:31:54 haproxy001 haproxy[3056]: Health check for server mygalera/myglra3 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 2
and after a while I get the following error for each of my galera's nodes
May 28 10:07:22 haproxy001 haproxy[4028]: Health check for server mygalera/myglra1 failed, reason: Layer7 wrong status, code: 0, info: "Host '172.16.42.9' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'", check duration: 3ms, status: 0/2 DOWN.
On my galera's nodes I get following errors repeating till the source ip is blocked
May 28 10:51:01 myglra001 mysqld[19634]: 2020-05-28 10:51:01 2144 [Warning] Aborted connection 2144 to db: 'unconnected' user: 'unauthenticated' host: '172.16.42.9' (This connection closed normally without authentication)
All of this leads to all backend seen as down.
I had some tests done on a maxscale node and the behaviour/results are the same as with haproxy (no live backend seen).
I was using proxy_protocol=true in my servers' definition in maxscale.cnf.
If I skip all these proxy configuration things and create users in mariadb on haproxy's IPs, everything is working fine, but I lose the client IP.
Regards
Issue Links
- relates to MDEV-28055 Galera ps-protocol fixes (Closed)
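
A triage check for the symptom reported above, as an added example that is not part of the report and is not MariaDB's own matching code: it pulls the rejected peer out of a HAProxy health-check line and tests it against a proxy-protocol-networks value. The function names are hypothetical, the log line is a constructed sample in the report's format, and the matching rule (plain CIDR containment, with `*` meaning all networks and `localhost` meaning local connections) is an assumption. Under that rule, each of the three values listed in the report covers 172.16.42.9.

```python
import ipaddress
import re

# Constructed sample: one health-check line in the format shown in the report.
SAMPLE_LOG = (
    'May 27 10:10:21 haproxy001 haproxy[2958]: Health check for server '
    'mygalera/myglra1 failed, reason: Layer7 wrong status, code: 0, info: '
    '"#HY000Proxy header is not accepted from 172.16.42.9", '
    'check duration: 2ms, status: 0/2 DOWN.'
)

REJECTED = re.compile(r"Proxy header is not accepted from ([0-9A-Fa-f:.]+)")


def rejected_peers(log_text):
    """Return the distinct peer addresses a PROXY header was refused from."""
    return sorted(set(REJECTED.findall(log_text)))


def parse_networks(setting):
    """Split a proxy-protocol-networks value into (allow_all, allow_local, networks)."""
    allow_all = allow_local = False
    networks = []
    for item in (part.strip() for part in setting.split(",")):
        if item == "*":
            allow_all = True          # any peer may send a PROXY header
        elif item.lower() == "localhost":
            allow_local = True        # local (non-TCP) connections
        elif item:
            # strict=False tolerates host bits, e.g. 172.16.42.9/24
            networks.append(ipaddress.ip_network(item, strict=False))
    return allow_all, allow_local, networks


def covers(setting, peer):
    """True if a TCP peer address falls inside the configured value (assumed rule)."""
    allow_all, _, networks = parse_networks(setting)
    addr = ipaddress.ip_address(peer)
    return allow_all or any(
        addr.version == net.version and addr in net for net in networks
    )
```

If `covers()` is true for the address in the log and the server still refuses the header, the configured value is not the cause; confirm which value the running server actually loaded before widening the list to `*`, since every allowed peer can assert any client IP to IP-based authentication.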