Hi,

If you want to handle SSL offloading on haproxy and SSL session ID persistence you should use:

stick on ssl_session_id

The payload_lv method is used when haproxy doesn't perform SSL offloading and load balances in TCP mode.

Note: in addition, there are a lot of fixes between dev16 and dev17.

Regards,
Emeric

----------------original message-----------------
From: "Godbach" [email protected]
To: [email protected]
Date: Sat, 19 Jan 2013 01:47:02 +0800
-------------------------------------------------
> Hi, all
>
> I have tested persistence on SSL session ID of haproxy-1.5-dev16. The
> main configuration of frontend and backend is as below:
>
> frontend fe
>     bind 172.22.16.112:443 ssl crt /home/fortiadc/ca-user-key.pem ca-file /home/fortiadc/ca-root.cer #verify required crl-file /home/fortiadc/ca-root-crl.cer
>     maxconn 1048576
>     use_backend be unless
>
> backend be
>     balance roundrobin
>
>     # maximum SSL session ID length is 32 bytes.
>     stick-table type binary len 32 size 30k expire 30m
>
>     acl clienthello req_ssl_hello_type 1
>     acl serverhello rep_ssl_hello_type 2
>     # use tcp content accepts to detect ssl client and server hello.
>     tcp-request inspect-delay 5s
>     tcp-request content accept if clienthello
>
>     # no timeout on response inspect delay by default.
>     tcp-response content accept if serverhello
>     # SSL session ID (SSLID) may be present on a client or server hello.
>     # Its length is coded on 1 byte at offset 43 and its value starts
>     # at offset 44.
>
>     # Match and learn on request if client hello.
>     # should be (44, 32) if sticking to SSL session ID ?
>     stick on payload_lv(43,1) if clienthello
>
>     # Learn on response if server hello.
>     # should be (44, 32) if storing SSL session ID ?
>     stick store-response payload_lv(43,1) if serverhello
>
>     server 1 10.128.7.1:80 cookie cookie weight 1 maxconn 0 slowstart 0s
>     server 2 127.0.0.1:80 cookie cookie weight 1 maxconn 0 slowstart 0s
>
> Both the acl and stick configurations are copied from the introduction of
> 'stick store-response' in the manual.
>
> After testing, I found that haproxy has not stored the SSL session ID
> because the acl 'clienthello' has not matched.
>
> From the code of SSL support, SSL_do_handshake() supplied by the
> OpenSSL library was called to do the whole SSL handshake.
> It means that haproxy doesn't have the chance to copy TCP payload
> during the SSL handshake to the session buffer. As a result,
> haproxy cannot check the data of the handshake. Maybe we just check SSL
> hello type in SSL record data.
>
> In addition, I want to know whether the main configuration should be like
> this if I want to stick on SSL session ID:
>
> stick on payload_lv(44,32) if clienthello
> stick store-response payload_lv(44,32) if serverhello
>
> I am also wondering whether I used an incorrect configuration that
> led to the failure or it is a bug indeed.
>
> Best Regards,
> Godbach
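The exchange above turns on two things: what `payload_lv(43,1)` actually extracts from a TLS hello, and why it extracts nothing once the `ssl` keyword on the bind line makes haproxy terminate TLS itself (the TCP content rules then only ever see decrypted application data, never the handshake, which is why Emeric points to `ssl_session_id`; later haproxy releases call this fetch `ssl_fc_session_id`). The following Python is an added example, not haproxy code or anything from the thread: it models the `payload_lv(offset1,length1[,offset2])` and `req_ssl_hello_type`/`rep_ssl_hello_type` fetches on constructed TLS 1.0 ClientHello and ServerHello records, and shows that `(43,1)` reads the 1-byte session ID length at offset 43 and returns the ID starting at offset 44, whereas `(44,32)` would treat the session ID bytes themselves as a 32-byte length field and never match. The record layout and byte offsets are those of the TLS handshake; the helper names and sample session ID are invented for the example.

```python
"""Model of HAProxy's payload_lv() and req/rep_ssl_hello_type fetches applied
to constructed TLS hello records (added example, not HAProxy's own code)."""

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 1
SERVER_HELLO = 2
# 5 (record header) + 4 (handshake header) + 2 (version) + 32 (random) = 43
SESSION_ID_LEN_OFFSET = 43


def payload_lv(buf: bytes, offset1: int, length1: int, offset2: int = 0):
    """Mimic payload_lv(offset1,length1[,offset2]): read a big-endian length
    field of `length1` bytes at `offset1`, then return that many bytes starting
    at offset1 + length1 + offset2.  Returns None when the buffer does not hold
    the whole value (haproxy would keep waiting within the inspect delay)."""
    if offset1 < 0 or offset1 + length1 > len(buf):
        return None
    length = int.from_bytes(buf[offset1:offset1 + length1], "big")
    start = offset1 + length1 + offset2
    if start < 0 or start + length > len(buf):
        return None
    return buf[start:start + length]


def ssl_hello_type(buf: bytes) -> int:
    """Mimic req_ssl_hello_type / rep_ssl_hello_type: for a TLS handshake
    record, return the handshake message type byte at offset 5
    (1 = ClientHello, 2 = ServerHello); 0 when this is not a handshake record."""
    if len(buf) < 6 or buf[0] != TLS_HANDSHAKE:
        return 0
    return buf[5]


def build_hello(msg_type: int, session_id: bytes, tail: bytes) -> bytes:
    """Construct a minimal TLS 1.0 hello record: record header, handshake
    header, version, 32-byte random, length-prefixed session id, then the
    message-specific tail (cipher suites / compression methods)."""
    version = b"\x03\x01"
    random_bytes = bytes(range(32))  # constructed, deterministic "random"
    body = version + random_bytes + bytes([len(session_id)]) + session_id + tail
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + version + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample handshake: a client resuming with a 32-byte session id
# and the server echoing the same id back in its ServerHello.
SESSION_ID = bytes.fromhex("a1" * 32)
CLIENT_HELLO_TAIL = b"\x00\x02" + b"\x00\x2f" + b"\x01\x00"  # one cipher suite, null compression
SERVER_HELLO_TAIL = b"\x00\x2f" + b"\x00"                    # chosen suite, null compression
client_hello = build_hello(CLIENT_HELLO, SESSION_ID, CLIENT_HELLO_TAIL)
server_hello = build_hello(SERVER_HELLO, SESSION_ID, SERVER_HELLO_TAIL)
fresh_client_hello = build_hello(CLIENT_HELLO, b"", CLIENT_HELLO_TAIL)  # nothing to resume


def stick_key(buf: bytes, expected_type: int):
    """What `stick on payload_lv(43,1) if clienthello` (or the store-response
    equivalent for a ServerHello) would learn from this record: None if the
    hello-type ACL fails or the session id is empty, since an empty key is
    useless for persistence."""
    if ssl_hello_type(buf) != expected_type:
        return None
    sid = payload_lv(buf, SESSION_ID_LEN_OFFSET, 1)
    return sid or None


if __name__ == "__main__":
    print("client hello type :", ssl_hello_type(client_hello))
    print("request key       :", stick_key(client_hello, CLIENT_HELLO).hex())
    print("response key      :", stick_key(server_hello, SERVER_HELLO).hex())
    print("fresh client key  :", stick_key(fresh_client_hello, CLIENT_HELLO))
    # (44,32) reads the session id itself as a 32-byte length field, which no
    # record is long enough to satisfy, so the fetch never yields a key.
    print("payload_lv(44,32) :", payload_lv(client_hello, 44, 32))
```

Run with the `ssl` keyword removed from the bind line (plain `mode tcp` passthrough to TLS-speaking servers), this is the data the `stick` rules operate on and the two keys match, so the response learns the same entry the next resuming ClientHello will look up. With TLS terminated on the frontend, nothing resembling these records reaches the content rules, and the key has to come from the TLS layer via `stick on ssl_session_id` instead.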

