Sorry for the confusing config that I gave. I actually meant
==
listen https 0.0.0.0:44 <http://0.0.0.0:4445/>3
mode tcp
balance roundrobin
acl clienthello req_ssl_hello_type 1
# use tcp content accepts to detects ssl client and server hello.
tcp-request inspect-delay 20s
tcp-request content accept if clienthello
tcp-request content reject
server inst1 127.0.0.1:44 <http://127.0.0.1:443/>4 check inter
2000 fall 3
==
And on 444 I have Apache running in ssl mode.
Thanks,
Vikram
On Fri, Jul 13, 2012 at 2:16 AM, Vikram Nayak <[email protected]>wrote:
> Thanks for all the replies Willy, Baptiste and Lukas.
>
> Unfortunately we could not get the "tcp content" trick to work. Our guess
> is Chrome preconnect actually does a SSL handshake and so HAProxy does not
> have a choice and has to engage a Apache worker. We used the following
> ==
> listen https 0.0.0.0:44 <http://0.0.0.0:4445>3
>
> mode tcp
> balance roundrobin
> acl clienthello req_ssl_hello_type 1
> # use tcp content accepts to detects ssl client and server hello.
> tcp-request inspect-delay 20s
>
> tcp-request content accept if clienthello
> tcp-request content reject
> server inst1 127.0.0.1:443 check inter 2000 fall 3
> ==
>
> Lukas's suggestion was really helpful. I do not have any experience with
> stud/stunnel. So I will get to these in a week or so when I get some time.
> For now, we are using nginx for SSL termination and going the HAProxy route
> for all non-SSL. nginx will route from 443 to non-ssl Apache on 80.
> Hopefully will replace it with HAProxy+stud some time later.
>
>
> Thanks,
> Vikram
>
>
> On Thu, Jul 12, 2012 at 11:39 AM, Willy Tarreau <[email protected]> wrote:
>
>> On Wed, Jul 11, 2012 at 07:03:52AM +0200, Baptiste wrote:
>> > Hey,
>> >
>> > Depends at which phase of the health check Chrome maintains the
>> > connection opened, you can give a try to HAProxy's content inspection:
>> > listen https
>> > mode tcp
>> > balance roundrobin
>> > acl clienthello req_ssl_hello_type 1
>> >
>> > # use tcp content accepts to detects ssl client and server
>> hello.
>> > tcp-request inspect-delay 5s
>> > tcp-request content accept if clienthello
>>
>> You need to add this line here :
>>
>> tcp-request content reject
>>
>> because the tcp-request rules default to accept when none match. Otherwise
>> this should indeed work.
>>
>> BTW, someone recently reported to me that chrome sometimes failed on SNI.
>> Now I understand : the guy was mixing SSL and SSH on the same port : if
>> the client does not send anything then it's SSH. Chrome was getting the
>> SSH page from time to time and decided that the server did not support
>> TLS so it then stopped using SNI. Now I understand why it was not sending
>> any handshake, this is because of this new broken behaviour which saves
>> one speculative roundtrip but which also consumes memory on servers for
>> nothing...
>>
>> Regards,
>> Willy
>>
>>
>
