HAProxy very, very slow after login

Added by Mark Travis almost 2 years ago

I'm using HAProxy as a reverse proxy. It loads up the initial landing page pretty quickly from outside of the firewall.

Once the user logs in, however, it takes 13-15 seconds on average to serve a page.

I notice on the external machine that the URL never changes. It is always "mydomain.com"

In the HAProxy log, I can see where it's getting /?wtd= from wt, but it's not passing that back to the external browser. Is this causing the slow performance? Is there something I can turn on or off in HAProxy? Or do I need to suppress the "/?wtd=" from my wt app?


Replies (5)

RE: HAProxy very, very slow after login - Added by Mark Travis almost 2 years ago

Never mind! I need to teach my internet provider's router (AT&T NVG599) how to do a loopback.

However, I have another question.

In wt_config.xml, there is the trusted-proxy-config section.

I've done nothing with this and HAProxy seems to be working fine. Do I need to set any of the trusted-proxies? (I don't have ssl enabled just yet but will soon.)

RE: HAProxy very, very slow after login - Added by Roel Standaert almost 2 years ago

There's certain extra information that reverse proxies can pass to the backend server. Wt supports these headers:

  • X-Forwarded-For (or another header set with <original-ip-header>): contains the original IP address of the client; this way WEnvironment::clientAddress() will actually report the client's IP address rather than the reverse proxy
  • X-Forwarded-Proto: indicates the original protocol (http or https) used by the client to connect to the reverse proxy
  • X-Forwarded-Port: the original port that the client connected to on the reverse proxy (usually 80 or 443)
  • X-Forwarded-Host: the original Host header sent by the client

Wt will only look at these headers if the reverse proxy is trusted. In very simple cases, and when not using TLS on the reverse proxy, things will work, but once you start enabling TLS, enabling WebSockets, ... you may start to encounter issues if you didn't configure your reverse proxy to send those headers, and Wt to trust them.

RE: HAProxy very, very slow after login - Added by Mark Travis almost 2 years ago

Thanks Roel!

I think I might get the TLS stuff going very soon. I couldn't believe how fast my machine started getting port scanned by IP addresses in Moscow, St. Petersburg, and other malicious areas.

I've got HAProxy configured to identify and block brute force and other bad actors through http-request and backend stick-tables. (I'm really liking HAProxy!!)

Hope you don't mind if I ask another "stupid" question.

What address am I trusting in wt_config.xml? Hypothetically, the physical server is at 172.16.0.68. This is the IP that runs both HAProxy as well as Wt.

DNS points to this server via passthru to port 80. Wt is running 127.0.0.1:8080. HAProxy translates the 8080 requests back and forth to port 80.

I've got https running on port 4040, which I suppose will end up on port 443 to the outside world once I implement it.

How do I code the trusted-proxies section for Wt? Is it just 172.16.0.68? Or does HAProxy have another identifier?

RE: HAProxy very, very slow after login - Added by Roel Standaert almost 2 years ago

You need the IP address that HAProxy uses to connect to Wt. If Wt is only listening on 127.0.0.1 then any connections to it will go over the loopback interface, so you'd have to trust 127.0.0.1. For completeness you can use the loopback example from wt_config.xml.in:

<proxy>127.0.0.1/8</proxy>
<proxy>::1/128</proxy>
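The trust rule discussed in this thread, as an added sketch that is not part of any post and not Wt's own code: a backend believes X-Forwarded-For only when the connecting peer is a trusted proxy, and reads the list right to left (a common approach, assumed here). The function names and sample addresses are constructed for illustration; the trusted ranges are the two loopback entries quoted above.

```python
import ipaddress

# Loopback ranges quoted in the thread. strict=False because "127.0.0.1/8"
# has host bits set, which ip_network() otherwise rejects.
TRUSTED_PROXIES = [ipaddress.ip_network(n, strict=False)
                   for n in ("127.0.0.1/8", "::1/128")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr falls inside a trusted proxy range; ValueError if malformed."""
    ip = ipaddress.ip_address(addr.strip())
    # A dual-stack listener may report an IPv4 peer as ::ffff:a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in trusted)


def client_address(peer, x_forwarded_for, trusted=TRUSTED_PROXIES):
    """Pick the client address for a request (hypothetical helper).

    peer            -- address of the TCP connection (not settable via headers)
    x_forwarded_for -- raw header value, or None when absent
    """
    # Anyone can send X-Forwarded-For; believe it only from a trusted proxy.
    if not x_forwarded_for or not is_trusted(peer, trusted):
        return peer
    client = peer
    # Proxies append on the right, so walk right to left and stop at the
    # first hop that is not one of ours. Entries further left are whatever
    # the client chose to send.
    for hop in reversed(x_forwarded_for.split(",")):
        hop = hop.strip()
        try:
            hop_trusted = is_trusted(hop, trusted)
        except ValueError:
            break  # malformed entry: keep the last address that validated
        client = hop
        if not hop_trusted:
            break
    return client
```

With only the loopback ranges trusted, a request arriving from any other peer (including the server's own LAN address, 172.16.0.68 in the thread) has its forwarded headers ignored.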