On Wed, Jul 11, 2012 at 07:03:52AM +0200, Baptiste wrote:
> Hey,
>
> Depends at which phase of the health check Chrome maintains the
> connection opened, you can give a try to HAProxy's content inspection:
> listen https
> mode tcp
> balance roundrobin
> acl clienthello req_ssl_hello_type 1
>
> # use tcp content accepts to detect ssl client and server hello.
> tcp-request inspect-delay 5s
> tcp-request content accept if clienthello
You need to add this line here:
tcp-request content reject
because the tcp-request rules default to accept when none match. Otherwise
this should indeed work.

BTW, someone recently reported to me that Chrome sometimes failed on SNI.
Now I understand: the guy was mixing SSL and SSH on the same port: if
the client does not send anything then it's SSH. Chrome was getting the
SSH page from time to time and decided that the server did not support
TLS so it then stopped using SNI. Now I understand why it was not sending
any handshake, this is because of this new broken behaviour which saves
one speculative roundtrip but which also consumes memory on servers for
nothing...
Regards,
Willy
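As an added illustration (not part of the original thread or of HAProxy's own code), here is a small Python emulation of what the `req_ssl_hello_type 1` ACL inspects in the first bytes of a connection, and of the accept/reject outcome with and without the explicit `tcp-request content reject` line. The sample byte strings are constructed.

```python
# Added example: emulate the "clienthello" ACL and the rule-set default.
# Constructed samples of what a client may send first (or not send at all).
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])
TLS_SERVER_HELLO = bytes([0x16, 0x03, 0x03, 0x00, 0x05, 0x02, 0x00, 0x00, 0x01, 0x00])
SSLV2_CLIENT_HELLO = bytes([0x80, 0x2E, 0x01, 0x03, 0x01])
SSH_CLIENT_BANNER = b"SSH-2.0-OpenSSH_example\r\n"      # constructed banner
IDLE_PRECONNECT = b""                                    # nothing sent before inspect-delay expiry


def ssl_hello_type(buf: bytes):
    """Return the SSL/TLS handshake message type of the first record in buf
    (1 = ClientHello, 2 = ServerHello), or None when the bytes are empty,
    incomplete or not a handshake record; None corresponds to the ACL not
    matching (HAProxy treats an unevaluable ACL as false once the inspect
    delay expires)."""
    if len(buf) < 5:
        return None
    # TLS record header: content type 0x16 (handshake), major version 3,
    # 2-byte length, then the first handshake byte is the message type.
    if buf[0] == 0x16 and buf[1] == 0x03:
        return buf[5] if len(buf) >= 6 else None
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
    # followed by the message type byte.
    if buf[0] & 0x80:
        return buf[2] if len(buf) >= 3 else None
    return None


def decide(buf: bytes, explicit_reject: bool) -> str:
    """Emulate the rule set from the thread.

    'tcp-request content accept if clienthello' fires only for a ClientHello.
    Without a trailing 'tcp-request content reject', a connection that matched
    nothing (an idle speculative connection, or an SSH client waiting for the
    server banner) falls through to the default, which is accept."""
    if ssl_hello_type(buf) == 1:
        return "accept"
    return "reject" if explicit_reject else "accept"


if __name__ == "__main__":
    for name, sample in [("TLS ClientHello", TLS_CLIENT_HELLO),
                         ("SSLv2 ClientHello", SSLV2_CLIENT_HELLO),
                         ("TLS ServerHello", TLS_SERVER_HELLO),
                         ("SSH banner", SSH_CLIENT_BANNER),
                         ("idle preconnect", IDLE_PRECONNECT)]:
        print(f"{name:18s} no-reject-line={decide(sample, False):6s} "
              f"with-reject-line={decide(sample, True)}")
```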