Re: Help with Chrome preconnects

Thu, 12 Jul 2012 13:46:44 -0700 

Thanks for all the replies Willy, Baptiste and Lukas.

Unfortunately we could not get the "tcp content" trick to work. Our guess
is Chrome preconnect actually does a SSL handshake and so  HAProxy does not
have a choice and has to engage a Apache worker. We used the following
==
listen https 0.0.0.0:44 <http://0.0.0.0:4445>3
        mode tcp
        balance roundrobin
        acl clienthello req_ssl_hello_type 1
        # use tcp content accepts to detects ssl client and server hello.
        tcp-request inspect-delay 20s
        tcp-request content accept if clienthello
        tcp-request content reject
        server  inst1 127.0.0.1:443 check inter 2000 fall 3
==

Lukas's suggestion was really helpful. I do not have any experience with
stud/stunnel. So I will get to these in a week or so when I get some time.
For now, we are using nginx for SSL termination and going the HAProxy route
for all non-SSL.  nginx will route from 443 to non-ssl Apache on 80.
Hopefully will replace it with HAProxy+stud some time later.


Thanks,
Vikram

On Thu, Jul 12, 2012 at 11:39 AM, Willy Tarreau <[email protected]> wrote:

> On Wed, Jul 11, 2012 at 07:03:52AM +0200, Baptiste wrote:
> > Hey,
> >
> > Depends at which phase of the health check Chrome maintains the
> > connection opened, you can give a try to HAProxy's content inspection:
> >    listen https
> >         mode tcp
> >         balance roundrobin
> >         acl clienthello req_ssl_hello_type 1
> >
> >         # use tcp content accepts to detects ssl client and server hello.
> >         tcp-request inspect-delay 5s
> >         tcp-request content accept if clienthello
>
> You need to add this line here :
>
>           tcp-request content reject
>
> because the tcp-request rules default to accept when none match. Otherwise
> this should indeed work.
>
> BTW, someone recently reported to me that chrome sometimes failed on SNI.
> Now I understand : the guy was mixing SSL and SSH on the same port : if
> the client does not send anything then it's SSH. Chrome was getting the
> SSH page from time to time and decided that the server did not support
> TLS so it then stopped using SNI. Now I understand why it was not sending
> any handshake, this is because of this new broken behaviour which saves
> one speculative roundtrip but which also consumes memory on servers for
> nothing...
>
> Regards,
> Willy
>
>

Reply via email to