Hi Dustin,

On Wed, Apr 28, 2010 at 04:51:41PM -0700, Dustin Moskovitz wrote:
> Actually, I should have mentioned at the beginning that we are using
> websockets to communicate with a *stateful* server, so we don't want to
> close the connection.

I'm not speaking about closing the websockets connection at all. And that's
what's nice with websockets, compared to earlier long-polling methods, it's
that once the server asks to switch to websockets, a bidirectional tunnel is
established over the HTTP connection between the client and the server. At
this point, haproxy does not care anymore about what passes into it.

> However, explicitly declaring "mode http" in either
> the defaults section or the frontend & backend sections has made things
> happy.

Yes, that's expected.

> Now, a new problem (please let me know if/when I should start new threads).
> If I introduce ssl into the mix, I cannot get it to work with http over a
> websockets connection (I have it working without websockets, so it is
> otherwise ok).

haproxy does not decrypt SSL by itself. You need something like stunnel,
nginx or pound in front of it to handle it. I like stunnel for that because
it does not mangle the HTTP part at all. However, if you don't want to
decrypt the SSL traffic, you can make this instance work in TCP mode and
have the server do the job. You won't have any persistence though, and the
server will not get the client's IP address.

> Using the config at the bottom of this email, if I hit port 80 with a
> request or two and then move to ssl, haproxy will systematically *seg
> fault*, like so:

Yes, this was recently reported and fixed. It's only a debug mode issue.
When running in debug mode, haproxy tries to display all headers it
receives. When it receives invalid requests or responses (SSL traffic being
invalid from an HTTP point of view), it dereferences a NULL pointer. The fix
is pending in the tree. It is not a problem for you anyway, because when you
see the segfault, it indicates that haproxy received something invalid which
would not have worked in non-debug mode.

Regards,
Willy
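The reply above attributes the failure to SSL traffic arriving where HTTP is expected. As an added example (not part of the original email and not haproxy code), the following check classifies the first bytes a listener receives so that a TLS handshake sent to a plaintext HTTP port can be recognised in a capture or log. The function name and the sample byte strings are constructed for illustration.

```python
import re

# HTTP/1.x request line: method token, space, target, space, version, newline.
_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d\r?\n")

# Largest record length a TLS peer may send (2^14 plus expansion allowance).
_MAX_RECORD_LEN = 2**14 + 2048


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'sslv2', 'http', 'incomplete' or 'unknown'."""
    if len(data) < 5:
        return "incomplete"

    # SSLv3/TLS record header: content type 0x16 (handshake),
    # protocol version 3.x, then a 2-byte big-endian record length.
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        length = int.from_bytes(data[3:5], "big")
        if 0 < length <= _MAX_RECORD_LEN:
            return "tls"

    # SSLv2-format ClientHello: 2-byte length with the high bit set,
    # message type 1, then version major 0x00 (SSLv2) or 0x03 (SSLv3/TLS).
    if data[0] & 0x80 and data[2] == 0x01 and data[3] in (0x00, 0x03):
        return "sslv2"

    if _REQUEST_LINE.match(data):
        return "http"
    return "unknown"


# Constructed samples: start of a TLS ClientHello record, an SSLv2-format
# hello, and a websocket upgrade request as a plaintext listener expects it.
SAMPLE_TLS = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"
SAMPLE_SSLV2 = b"\x80\x2e\x01\x03\x01\x00\x15"
SAMPLE_HTTP = (b"GET /chat HTTP/1.1\r\nHost: example.test\r\n"
               b"Upgrade: WebSocket\r\nConnection: Upgrade\r\n\r\n")

if __name__ == "__main__":
    for name, blob in [("tls", SAMPLE_TLS), ("sslv2", SAMPLE_SSLV2),
                       ("http", SAMPLE_HTTP)]:
        print(name, "->", classify_first_bytes(blob))
```

A result of `tls` or `sslv2` on a port configured with "mode http" means the client is speaking SSL to a listener that cannot parse it, which is the invalid-request case described in the reply.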