>Synopsis:      relayd rejects 'too large' POST >2GB
>Category:      amd64, system
>Environment:
        System      : OpenBSD 4.9
        Details     : OpenBSD 4.9 (GENERIC.MP) #819: Wed Mar  2 06:57:49 MST 2011
                         [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:
        We have relayd terminating SSL in front of an application
        that requires fairly large file uploads. All is well until
        a user attempts to upload a file >2 GB in size. The request
        fails immediately (the client reports the connection was
        reset), and relayd logs this message:

        relay ext_ssl, session 33753 (1 active), 0, 10.6.66.76 -> 127.0.0.1:8080, too large

        The normal traffic flow in our configuration is:

        client -> pf (ext_ip:443) -> relayd (lo:443) ->
        haproxy (lo:8080) -> app server

        Honestly I'm not sure if this behavior is intended or hardcoded
        somewhere but I couldn't seem to find such a limitation looking
        through the relayd code, or a knob in relayd.conf. If this behavior
        is indeed a feature then perhaps it could be documented.

        dmesg and relayd config below.

>How-To-Repeat:
        Attempt to send an HTTP POST using a file >2 GB in size through
        a relayd SSL proxy.
>Fix:
        None known, bypassing relayd (by sending directly either
        through HAProxy or to the backend servers) works of course but
        isn't an acceptable workaround.

dmesg:

relayd.conf:
#
# Macros
#
ext_ssl_listener="127.0.0.1"
int_ssl_listener="127.0.0.2"
haproxy_listener="127.0.0.1"
web1="10.210.0.11"
web2="10.210.0.12"
web3="10.210.0.13"
web4="10.210.0.14"
app1="10.211.0.11"
app2="10.211.0.12"
app3="10.211.0.13"
app4="10.211.0.14"

#
# Global Options
#
interval 3
prefork 10

# No lower, this needs to cover a complete SSL handshake over high-latency
# connections (several hundred ms best case).
timeout 2000

#
# Each table will be mapped to a pf table.
#
table <haproxy> { $haproxy_listener }
table <webhosts> { $web1 $web2 $web3 $web4 }
table <apphosts> { $app1 $app2 $app3 $app4}

#
# Protocol and relays for SSL acceleration. Decrypted traffic is forwarded
# to haproxy listening on a loopback IP.
#
http protocol http_ssl {
   # Rewrite headers. 'X-Forwarded-For' is critical, any client-provided
   # value must be overwritten.
   header change "X-Forwarded-For" to "$REMOTE_ADDR"
   header change "X-Forwarded-By" to "$SERVER_ADDR:$SERVER_PORT"
   header change "Connection" to "close"
   # Various TCP performance options
   tcp { nodelay, sack, socket buffer 65536, backlog 128 }
   ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }
   ssl session cache disable
}

relay ext_ssl {
   listen on $ext_ssl_listener port 443 ssl
   protocol http_ssl
   # Long timeout (30 min) required for large file uploads
   session timeout 1800
   forward to <haproxy> port 8080 check script "/usr/local/bin/check_haproxy_ext.sh"
   # If haproxy is dead, carry on by sending traffic directly
   forward to <webhosts> port 8080 mode roundrobin interval 6 \
           check http "/check.html" code 200
}

relay int_ssl {
   listen on $int_ssl_listener port 443 ssl
   protocol http_ssl
   # Long timeout (30 min) required for large file uploads
   session timeout 1800
   forward to <haproxy> port 8081 check script "/usr/local/bin/check_haproxy_int.sh"
   # If haproxy is dead, carry on by sending traffic directly
   forward to <apphosts> port 8080 mode roundrobin interval 6 \
           check http "/check.html" code 200
}

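Added example, not part of the original report and not relayd code: the string "too large" is one of the messages OpenBSD's strtonum(3) returns when a value exceeds the caller's upper bound, and 2 GB is where a signed 32-bit bound (2^31 - 1) ends. The sketch assumes, without the report establishing it, that the Content-Length header is parsed against such a bound; `parse_bounded`, `check_len_int` and `check_len_llong` are hypothetical names.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper for this example, following the strtonum(3) convention:
 * NULL on success, else "invalid", "too small" or "too large". */
static const char *parse_bounded(const char *s, long long min, long long max,
    long long *out)
{
	char *end;
	long long v;

	*out = 0;
	errno = 0;
	v = strtoll(s, &end, 10);
	if (end == s || *end != '\0')
		return "invalid";
	if ((errno == ERANGE && v == LLONG_MIN) || v < min)
		return "too small";
	if ((errno == ERANGE && v == LLONG_MAX) || v > max)
		return "too large";
	*out = v;
	return NULL;
}

/* Assumed cause: Content-Length bounded by a signed 32-bit int (2^31 - 1). */
static const char *check_len_int(const char *value, long long *len)
{
	return parse_bounded(value, 0, INT_MAX, len);
}

/* Corrected bound: a 64-bit ceiling lets bodies over 2 GB through. */
static const char *check_len_llong(const char *value, long long *len)
{
	return parse_bounded(value, 0, LLONG_MAX, len);
}

int main(void)
{
	/* Constructed Content-Length values: 2^31-1, 2^31, 3 GiB, -1, garbage. */
	const char *s[] = { "2147483647", "2147483648", "3221225472", "-1", "12abc" };
	long long n;
	for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++) {
		const char *a = check_len_int(s[i], &n), *b = check_len_llong(s[i], &n);
		printf("%-11s int: %-9s llong: %s\n", s[i], a ? a : "ok", b ? b : "ok");
	}
	return 0;
}
```

A request whose Content-Length is 2147483648 or more is refused by the 32-bit check before any body byte is read, which is consistent with the immediate failure described in the report.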