Hey,

Depending on the phase of the health check at which Chrome maintains the
connection open, you can give HAProxy's content inspection a try:
   listen https
        mode tcp
        balance roundrobin
        acl clienthello req_ssl_hello_type 1

        # use tcp content accept to detect SSL client and server hello.
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello

        server s1 192.168.1.1:443


It requires HAProxy 1.5.

The client (Chrome) will have 5s to send its SSL clienthello; as long
as it does not do it, HAProxy won't even open a connection to the
server.
So if the Chrome "bug" is related to this phase, it may help; if
Chrome keeps the connection open after this phase, it won't help.

You could try setting up "client timeout" and "server timeout".

Cheers


On Wed, Jul 11, 2012 at 3:45 AM, Vikram Nayak <[email protected]> wrote:
> hi,
>
> I am using HAProxy 1.4.x in front of Apache 2.2.x. For SSLs, I just do a tcp
> redirect from port 443. Like
> ==
> listen  ssl-relay 0.0.0.0:443
>         mode tcp
>         balance roundrobin
>         server  inst1 machinename:443 check inter 2000 fall 3
> ==
>
> Everything was running fine till Chrome introduced preconnects. I have
> logged a bug at http://code.google.com/p/chromium/issues/detail?id=87121
> It's a fairly long thread but the gist is the following:
> Chrome does some speculative SSL connects to the backend and does not close
> the handshake. The problem for us now is that the request goes to an Apache
> process and that process gets blocked for the entire duration of the
> timeout! If in httpd.conf we have 60 seconds as timeout, there are one or two
> Apache processes that will get blocked in "Reading request" state for
> 60 seconds thinking that the chrome user will use the connection! As you can
> easily see, this is really a drain on the process pool and very soon it
> maxes out on child processes.
>
> Is there any way HAProxy can help here? As in, is there any way HAProxy does
> not open an apache connection till there is any "activity" on the
> connection? Please let me know. I guess most systems would have this problem
> but for some reason, I can not find enough links on google.
> Or if you can think of other ways of handling this, please let me know that
> too.
>
> Thanks,
> Vikram
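
The hold-until-ClientHello decision discussed in this thread, as an added sketch that is neither code from the thread nor HAProxy's implementation: it classifies the bytes a client has sent so far and decides whether a backend connection should be opened yet. The names `hello_type` and `decide` are hypothetical, the parsing is simplified to the record header, and closing the connection once the delay runs out is a policy assumed for this example.

```python
import struct

WAIT, FORWARD, DROP = "wait", "forward", "drop"
HANDSHAKE = 0x16      # TLS record content type for handshake messages
CLIENT_HELLO = 1      # handshake message type, the "1" in the ACL above

def hello_type(buf):
    """Handshake type at the start of buf; None if more bytes are needed,
    0 if the bytes cannot be an SSLv3/TLS handshake record."""
    if buf and buf[0] != HANDSHAKE:
        return 0
    if len(buf) >= 2 and buf[1] != 3:   # major version 3 = SSLv3 and all TLS
        return 0
    if len(buf) < 6:                    # 5-byte record header + type byte
        return None
    (length,) = struct.unpack("!H", buf[3:5])
    if length < 4:                      # too short for a handshake header
        return 0
    return buf[5]

def decide(buf, elapsed, delay=5.0):
    """What to do with a client connection that has no server side yet."""
    kind = hello_type(buf)
    if kind == CLIENT_HELLO:
        return FORWARD                  # only now is a backend connection opened
    if kind is None and elapsed < delay:
        return WAIT                     # idle or partial: keep holding it
    return DROP                         # assumption: close instead of forwarding

# Constructed inputs, not captured traffic.
SAMPLE_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B])
SAMPLE_HTTP = b"GET / HTTP/1.1\r\n"

def demo():
    return [
        decide(b"", 0.5),               # preconnect that has sent nothing yet
        decide(SAMPLE_HELLO[:3], 1.0),  # header still arriving
        decide(SAMPLE_HELLO, 1.2),      # ClientHello seen
        decide(b"", 5.0),               # idle past the delay
        decide(SAMPLE_HTTP, 0.1),       # plain HTTP sent to the TLS port
    ]

if __name__ == "__main__":
    print(demo())
```

In HAProxy itself, `tcp-request content` rules fall through to accept when no rule matches, so getting the drop-on-timeout behaviour of this sketch needs an explicit `tcp-request content reject` after the accept rule.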
