Posted to users@activemq.apache.org by Tim Bain <tb...@alumni.duke.edu> on 2017/06/04 13:54:56 UTC

Re: failover / masterslave protocol for brokers behind HAProxy

I think you may be right: because of the SSL termination, your load
balancer may be appearing to be alive even when the broker it's fronting is
dead, and so the failover logic won't work. Does the failover work
correctly if you switch to regular TCP for the transport? That would prove
or disprove the theory.

Tim

On May 31, 2017 6:49 AM, "jochenw" <jo...@googlemail.com> wrote:

> Hi,
>
> I have a configuration where a broker needs to make a network connection to
> brokers behind a load balancer (HAProxy) which make a master-slave
> configuration. The HAProxy does the routing based upon the SSL SNI, and does
> the SSL termination.
>
> So the uri for the network connector looks like this:
>
> uri="static:(failover:(ssl://broker1-alias:61617,ssl://broker2-alias:61617)?maxReconnectAttempts=0)"
>
> or, since the brokers behind the load balancer work in master-slave-mode:
>
> uri="masterslave:(ssl://broker1-alias:61617,ssl://broker2-alias:61617)"
>
> However, the switchover does not work when stopping the first broker so the
> second one takes over. The network connector always connects to the
> broker1-alias:61617, delivers the information that the connection was
> successful („Successfully connected to ssl://broker1-alias:61617”) but then
> fails (java.io.EOFException / java.util.concurrent.TimeoutException).
>
> It never tries with broker2-alias.
>
> Could it be that the switchover to the second broker is only triggered when
> the connection to the port 61617 fails? That port is always available, since
> the HAProxy listens to it (both aliases lead to the IP address of the
> HAProxy), only the further routing to the first broker fails when this
> broker is down. Or does the masterslave / failover protocol detect that the
> IP address/port combination for both brokers is the same and then never uses
> the second one because of this?
>
> Does anybody have experience with such scenarios and would have a solution
> for the failover/masterslave protocol when connecting to brokers behind a
> load balancer?
>
> Regards,
> Jochen

Re: failover / masterslave protocol for brokers behind HAProxy

Posted by jochenw <jo...@googlemail.com>.
Hi Tim,

What you propose is difficult to test, since the HA proxy can only deliver
the SSL ports (it routes based upon SNI, so SSL is mandatory for the
routing). It won't work with plain tcp ports.

However, if I still use SSL but directly define mapped ports for both
brokers in the network connector uri, thus bypassing the HA proxy, all works
fine:

uri="masterslave:(ssl://servername:something17,ssl://servername:something19)"

where something17 and something19 are the mapped ports 61617 for both
brokers.

Also connection to the tcp ports this way works:

uri="masterslave:(tcp://servername:something16,ssl://servername:something18)",

something16 and something18 being the mapped port 61616 for the brokers.


So it really looks like failover doesn't work with SSL if the SSL
termination is done before the connection "reaches" the broker.

If somebody has a clever solution to have redundant brokers behind such a
proxy with the failover working anyways, this would be very welcome (the HA
proxy bypassing is no option for me).

Regards,
Jochen
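
Added example (not part of the original thread and not ActiveMQ or HAProxy code): a loopback simulation of the behaviour discussed above, where a front end keeps accepting TCP connections while the backend behind it is down, so a client that treats "connected" as "alive" never moves on to the second endpoint. It assumes a live backend sends some bytes first; the listeners, the `HELLO` greeting and all function names are constructed for illustration, and TLS is left out so the script runs offline.

```python
import socket
import threading

def start_listener(backend_up):
    """Constructed stand-in for the proxy's listening port; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            if backend_up:
                conn.sendall(b"HELLO")  # constructed greeting from a live backend
            conn.close()                # backend down: accept, then drop
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """A loopback port with no listener, like a stopped broker reached directly."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def probe(port, timeout=1.0):
    try:
        s = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    except OSError:
        return "connect-failed"         # the only case a connect-level check sees
    with s:
        try:
            return "alive" if s.recv(64) else "accepted-then-eof"
        except socket.timeout:
            return "accepted-then-timeout"
        except OSError:
            return "accepted-then-eof"

def choose(ports, require_data):
    """First port that passes: TCP accept only, or accept plus first bytes."""
    for port in ports:
        status = probe(port)
        if status == "alive" or (not require_data and status != "connect-failed"):
            return port, status
    return None

if __name__ == "__main__":
    dead, live = start_listener(False), start_listener(True)
    print(choose([dead, live], require_data=False))
    print(choose([dead, live], require_data=True))
```

With `require_data=False` the first endpoint is chosen even though nothing behind it answers, which matches the "Successfully connected" followed by EOF/timeout pattern reported in the thread.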




