
Configuring 'default-server resolve-prefer ipv4' does not seem to work

Open h-haaks opened this issue 2 years ago • 2 comments

Detailed Description of the Problem

By looking at the resolvers code I found that setting 'resolve-prefer ipv4' should make the resolver search for A-records and then fall back to AAAA if A is not found.

Since we are using ipv4 for all backends I added 'default-server resolve-prefer ipv4' to the defaults section. This had no effect on the resolvers.

The only way to get this working is by adding 'resolve-prefer ipv4' on every server in every backend.

Expected Behavior

Configuring 'resolve-prefer ipv4' in server or default-server should behave the same.

Steps to Reproduce the Behavior

1: Start tcpdump on port 53
2: Start haproxy with a config as described below
3: Watch haproxy query for AAAA before A records
4: Stop haproxy
5: Stop tcpdump
6: Add 'resolve-prefer ipv4' to the server line
7: Start tcpdump on port 53
8: Start haproxy
9: Watch haproxy query for A before AAAA records

Do you have any idea what may have caused this?

It looks like 'resolve-prefer' is never read from 'default-server' settings.

Do you have an idea how to solve the issue?

No

What is your configuration?

global
  chroot  /var/lib/haproxy
  daemon
  group  haproxy
  log  10.0.x.x local0
  maxconn  4000
  pidfile  /var/run/haproxy.pid
  server-state-base  /var/lib/haproxy/
  server-state-file  last_state
  ssl-default-bind-ciphers  TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
  ssl-default-bind-options  no-sslv3 no-tlsv10 no-tlsv11
  ssl-default-server-ciphers  TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
  ssl-default-server-options  no-sslv3 no-tlsv10 no-tlsv11
  stats  socket /var/lib/haproxy/stats level admin
  stats  timeout 2m
  tune.ssl.default-dh-param  2048
  user  haproxy

defaults
  balance  roundrobin
  default-server  check
  default-server  resolvers my-resolver
  default-server  resolve-prefer ipv4
  default-server  init-addr last,libc,none
  load-server-state-from-file  global
  log  global
  maxconn  8000
  mode  http
  option  httplog
  option  httpchk
  retries  3
  timeout  http-request 10s
  timeout  queue 1m
  timeout  connect 10s
  timeout  client 1m
  timeout  server 1m
  timeout  check 10s

resolvers my-resolver
  nameserver dnsmasq 127.0.0.1:53
  accepted_payload_size 8192

frontend my-frontend
  bind 10.0.x.x:8080
  default_backend my-backend

backend my-backend
  server my-server my-server.mydomain.com:8080

Output of haproxy -vv

HAProxy version 2.4.18-1d80f18 2022/07/27 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2026.
Known bugs: http://www.haproxy.org/bugs/bugs-2.4.18.html
Running on: Linux 4.18.0-348.2.1.el8_5.x86_64 #1 SMP Mon Nov 15 20:49:28 UTC 2021 x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -g -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_PCRE=1 USE_LINUX_TPROXY=1 USE_CRYPT_H=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_PROMEX=1
  DEBUG   = 

Feature list : +EPOLL -KQUEUE +NETFILTER +PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -CLOSEFROM +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC +PROMEX -MEMORY_PROFILING

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.1.1k  FIPS 25 Mar 2021
Running on OpenSSL version : OpenSSL 1.1.1k  FIPS 25 Mar 2021
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.4
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE version : 8.42 2018-03-20
Running on PCRE version : 8.42 2018-03-20
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version 8.5.0 20210514 (Red Hat 8.5.0-10)

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTTP       side=FE|BE     mux=H2       flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG
            fcgi : mode=HTTP       side=BE        mux=FCGI     flags=HTX|HOL_RISK|NO_UPG
       <default> : mode=HTTP       side=FE|BE     mux=H1       flags=HTX
              h1 : mode=HTTP       side=FE|BE     mux=H1       flags=HTX|NO_UPG
       <default> : mode=TCP        side=FE|BE     mux=PASS     flags=
            none : mode=TCP        side=FE|BE     mux=PASS     flags=NO_UPG

Available services : prometheus-exporter
Available filters :
	[SPOE] spoe
	[CACHE] cache
	[FCGI] fcgi-app
	[COMP] compression
	[TRACE] trace

Last Outputs and Backtraces

No response

Additional Information

No response

Aug 15 '22 13:08 h-haaks
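To find which servers need the per-server workaround described in the report, a config audit can list every hostname-addressed 'server' line in a 'backend' or 'listen' section that carries no 'resolve-prefer' of its own. This is an added example, not part of the original issue or of HAProxy; the function names and the sample configuration are constructed for illustration, and only host:port, [ipv6]:port and bare-address forms are handled.

```python
import ipaddress

# Section keywords that end the current backend/listen section.
SECTIONS = {"global", "defaults", "frontend", "backend", "listen", "resolvers",
            "peers", "userlist", "mailers", "cache", "program", "ring", "http-errors"}

# Constructed sample, modelled on the configuration in the report.
SAMPLE_CFG = """\
defaults
  default-server  resolvers my-resolver
  default-server  resolve-prefer ipv4

backend my-backend
  server my-server my-server.mydomain.com:8080
  server pinned pinned.mydomain.com:8080 resolve-prefer ipv4
  server literal 10.0.0.5:8080
"""

def is_ip_literal(addr):
    """True if the server address (port stripped) is an IPv4/IPv6 literal."""
    if addr.startswith("["):
        host = addr[1:].split("]", 1)[0]
    elif addr.count(":") == 1:
        host = addr.split(":", 1)[0]
    else:
        host = addr
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def servers_missing_resolve_prefer(cfg_text):
    """Return (section, server) pairs that rely on DNS but set no resolve-prefer."""
    findings, section = [], ""
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()  # simplification: '#' always starts a comment
        if not words:
            continue
        if words[0] in SECTIONS:
            section = " ".join(words[:2])
        elif (words[0] == "server" and len(words) >= 3
              and section.split(" ")[0] in ("backend", "listen")):
            name, addr, opts = words[1], words[2], words[3:]
            if not is_ip_literal(addr) and "resolve-prefer" not in opts:
                findings.append((section, name))
    return findings

if __name__ == "__main__":
    for section, name in servers_missing_resolve_prefer(SAMPLE_CFG):
        print(f"{section}: server {name} has no explicit resolve-prefer")
```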

I also noticed that I had to restart (stop/start) the haproxy service after adding 'resolve-prefer ipv4' to every server. Just a reload of config did not change DNS resolves from AAAA to A.

Aug 15 '22 21:08 h-haaks

That's because of the state-file. State-files do not contain configuration information, just the last state. A number of conflicting situations between config and state are addressed and resolved, but not all can be. There's a plan to completely rewrite that part so that a copy of the related config elements is stored with the dump, allowing detection of config changes that require ignoring parts of the state file, but that's a huge amount of work. In general a better option than a restart is to delete the state file during the reload (it will depend on your startup scripts).

Aug 18 '22 06:08 wtarreau