HaProxy stick-table along with nbproc higher than 1
I have configured a rule based on the number of IP connections using stick-table with HaProxy such as the following:
    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        user haproxy
        group haproxy
        daemon
        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
        maxconn 60000

    backend connectionstablev4
        stick-table type ip size 1m expire 60s store conn_cur

    frontend smtpv4
        bind :25
        tcp-request connection track-sc0 src table connectionstablev4
        acl connabuse sc_conn_cur(0,connectionstablev4) gt 5
        tcp-request connection reject if connabuse
        # Reject any client that speak before the aloha
        tcp-request inspect-delay 1s
        acl content_present req_len gt 0
        tcp-request content reject if content_present
        default_backend smtp_backend

    backend smtp_backend
        mode tcp
        timeout server 1m
        timeout connect 5s
        # Health check
        option smtpchk HELO mx1.improvmx.com
        server srv1 127.0.0.1:2525 check send-proxy maxconn 500
And it works great.
But as soon as I add more processes, like this (in the global section):

    global
        # ... same as above
        nbproc 6
        cpu-map 1 1
        cpu-map 2 2
        cpu-map 3 3
        cpu-map 4 4
        cpu-map 5 5
        cpu-map 6 6
The max connections per IP stops working.
I suspect that the stick-tables are on a per-process basis instead of global, but I couldn't find any information on that matter.
The issue is clearly with the nbproc/cpu-map because as soon as I remove just this part, everything else works fine.
Is there some rule or configuration to set to indicate to HaProxy to use the same stick-table for all the processes?
Thanks in advance.
Use threads instead of processes. Your problems with processes are mentioned right in the documentation.
https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#3.1-nbthread
This setting is only available when support for threads was built in. It makes haproxy run on threads. This is exclusive with "nbproc". While "nbproc" historically used to be the only way to use multiple processors, it also involved a number of shortcomings related to the lack of synchronization between processes (health-checks, peers, stick-tables, stats, ...) which do not affect threads. As such, any modern configuration is strongly encouraged to migrate away from "nbproc" to "nbthread". "nbthread" also works when HAProxy is started in foreground. On some platforms supporting CPU affinity, when nbproc is not used, the default "nbthread" value is automatically set to the number of CPUs the process is bound to upon startup. This means that the thread count can easily be adjusted from the calling process using commands like "taskset" or "cpuset". Otherwise, this value defaults to 1. The default value is reported in the output of "haproxy -vv". See also "nbproc".
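The migration the answer recommends, applied to the question's configuration, as an added example that is not part of the original question or answer. It assumes an HAProxy build with thread support (the linked documentation is for 2.2); the cpu-map line is an assumption that keeps the CPU numbers from the question and can be dropped.

```haproxy
# Added example: the question's configuration with nbproc replaced by nbthread.
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    maxconn 60000

    # One process, six threads. "nbthread" is exclusive with "nbproc",
    # so the nbproc line and the per-process cpu-map lines are removed.
    nbthread 6
    # Optional (assumption): pin threads 1-6 of process 1 to CPUs 1-6,
    # the CPU numbers the question's per-process cpu-map lines used.
    cpu-map auto:1/1-6 1-6

# All threads belong to one process and share this table, so conn_cur
# counts every connection from a source address, whichever thread
# accepted it. With nbproc each process kept its own copy.
backend connectionstablev4
    stick-table type ip size 1m expire 60s store conn_cur

frontend smtpv4
    bind :25
    tcp-request connection track-sc0 src table connectionstablev4
    acl connabuse sc_conn_cur(0,connectionstablev4) gt 5
    tcp-request connection reject if connabuse
    tcp-request inspect-delay 1s
    acl content_present req_len gt 0
    tcp-request content reject if content_present
    default_backend smtp_backend

backend smtp_backend
    mode tcp
    timeout server 1m
    timeout connect 5s
    option smtpchk HELO mx1.improvmx.com
    server srv1 127.0.0.1:2525 check send-proxy maxconn 500
```

Running "haproxy -vv" shows whether thread support was built in, and "haproxy -c -f" followed by the configuration path validates the file before a reload.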