Login/Register
What's the exact meaning of "session" in haproxy?
Asked Answered
Solved sessionhaproxy
T

2

11

When I open the haproxy statistics report page of my http proxy server, I saw something like this:

Cum. connections:   280073
Cum. sessions   :   3802
Cum. HTTP requests: 24245

I'm not using 'appsession' and any other cookie related command in the configuration. So what's 'session' means here?

I guess haproxy identify http session by this order:

  1. Use cookie or query string if it's exists in the configuration.
  2. Use SSL/TLS session.
  3. Use ip address and TCP connection status.

Am I Right?

Tun answered 16/10, 2015 at 10:39 Comment(0)
H
9

In fact sessions were not introduced after but before connections. An end-to-end connection was called a "session". With the introduction of SSL, proxy protocol and layer4 ACLs, it was needed to cut the end-to-end sessions in smaller parts, hence the introduction of "connections". Zerodeux has perfectly explained what you're observing.

Hemline answered 20/11, 2015 at 7:47 Comment(2)
Thank you Willy, so two connections (one "client to haproxy" + one "haproxy to backend server") constructed a haproxy level session right? With http-reuse always option in http mode, the successfully shared backend connection also make a haproxy session?Tun
Not exactly. The session is the entity which holds all the elements attached to a client-side connection. It carries a stream (several ones later with HTTP/2) which is attached to the client connection on one side and (possibly) a server connection on the other side. When you reuse connections, they're in fact stolen from one stream and assigned to another one. At some point you'll have to look at the code, it will help ;-)Hemline
P
16

I was asking myself the very same question this morning.

Searching through http://www.haproxy.org/download/1.5/doc/configuration.txt I came accross this very short definition (hidden in a parameter description) :

A session is a connection that was accepted by the layer 4 rules.

In your case, you're obviously using Haproxy as a layer7/HTTP loadbalancer. If a session is a TCP connection, due to client-side / frontend Keep-Alive, it's normal to have more HTTP reqs than sessions.

Then I guess the high connection number shows that a lot of incoming connections were rejected even before being considered by the HTTP layer. For instance via IP-based ACLs.

As a far as I understand, the 'session' word was introduced to make sure two different concepts were not mixed :

  • a (TCP) connection : it's a discrete event
  • a (TCP) session : it's a state which tracks various metadata and has some duration; most importantly Haproxy workload (CPU and memory) should be mostly related to the number of sessions (both arrival rate and concurrent number)
Precautious answered 5/11, 2015 at 9:29 Comment(3)
There is no ACL entry to reject the connections and http requests. But I have two front-end: one for http: Cum. connections: 336829 Cum. sessions: 336829 Cum. HTTP requests: 337483, another for https: Cum. connections: 338179 Cum. sessions: 5249 Cum. HTTP requests: 22995. You can see the http statistics is very reasonable, but I could not understand the https one.Tun
Int this case it might be a lot of TCP connections on your HTTPS backend that did not make it past the SSL handshake. Stupid bot/spiders/scanners may generate this kind of noise (most of them are very badly programmed HTTP(S) clients). That's just a wild guess.Precautious
your wild guess is perfectly accurate.Hemline
H
9

In fact sessions were not introduced after but before connections. An end-to-end connection was called a "session". With the introduction of SSL, proxy protocol and layer4 ACLs, it was needed to cut the end-to-end sessions in smaller parts, hence the introduction of "connections". Zerodeux has perfectly explained what you're observing.

Hemline answered 20/11, 2015 at 7:47 Comment(2)
Thank you Willy, so two connections (one "client to haproxy" + one "haproxy to backend server") constructed a haproxy level session right? With http-reuse always option in http mode, the successfully shared backend connection also make a haproxy session?Tun
Not exactly. The session is the entity which holds all the elements attached to a client-side connection. It carries a stream (several ones later with HTTP/2) which is attached to the client connection on one side and (possibly) a server connection on the other side. When you reuse connections, they're in fact stolen from one stream and assigned to another one. At some point you'll have to look at the code, it will help ;-)Hemline

© 2022 - 2024 — McMap. All rights reserved.