Hey Baptiste,

Thanks for your answer. Just to be sure: if I do 'option http-server-close' in the defaults section and then use 'no option http-server-close' in the backend, the option is disabled for connections to that backend, right?

I know http-server-close is not compatible with NTLM, but I also have backends to different servers which can use http-server-close. So I just disable it for certain backends.

Compression not being compatible with tunnel mode sounds good enough to me. If it's known then it's fine with me ;-)

Regards,

Sander

On 26.05.2013 16:04, Baptiste wrote:
Hi,

Your configuration is not compatible with NTLM.
NTLM requires that the connection remain available over time, or
authentication is broken.
When you enable http-server-close, haproxy will change the connection
for each HTTP request.
So disable it, and you'll pass into the "tunnel" mode.

That said, I'm almost sure compression is not compatible with tunnel mode.

Baptiste


On Thu, May 23, 2013 at 10:44 AM, Sander Klein <[email protected]> wrote:
Hi,

I think I've found a possible bug with the combination SSL, compression and NTLM auth. But, I'm not sure if it's really a bug or if NTLM auth is crap (well it is...).

When enabling compression the authorization fails sometimes. When I disable compression everything is fine. I don't know if it's just a silly thing to enable compression in this situation. Has anyone else tried this?

I'm running haproxy-dev18-ss-20130512 and my config is like:

defaults
  log global

  mode http

  compression algo gzip

  option http-server-close
  option tcp-smart-accept
  option tcp-smart-connect
  option abortonclose

frontend default-fe
  bind 1.2.3.4:80
  bind a:b:c:d:e:f:80
  bind 1.2.3.4:443 ssl crt /etc/haproxy/ssl/some.pem ciphers RC4:HIGH:!aNULL:!MD5
  bind a:b:c:d:e:f:443 ssl crt /etc/haproxy/ssl/some.pem ciphers RC4:HIGH:!aNULL:!MD5

  maxconn 512

  option httplog
  option forwardfor
  option splice-auto

  # Add X-Forwarded-* headers
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Ssl on if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if ! { ssl_fc }
  http-request set-header X-Forwarded-Ssl off if ! { ssl_fc }

  # Define hosts which need to redirect to HTTPS
  acl need_ssl hdr(Host) -i iis.host.local

  redirect scheme https if need_ssl ! { ssl_fc }

  # Define backends and redirect correct hostnames
  use_backend iis-backend if { hdr(Host) -i iis.host.local }

backend iis-backend
  fullconn 20

  no option http-server-close
  option httpchk GET / HTTP/1.0

  server iis-stuff 2.3.4.5:80 cookie iis check inter 2000


Regards,

Sander
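
The inheritance asked about in this thread and the compression caveat from the reply, as an added example (not part of any message above, and not haproxy code): a small Python check that resolves `option` / `no option` per section starting from `defaults`, then lists backends that end up without http-server-close while still inheriting compression. The sample config is constructed from the one quoted; `other-backend` and its address are made up, absence of http-server-close is taken to mean tunnel mode as the reply says, and the check does not model how haproxy combines frontend and backend settings.

```python
# Added example: per-section option inheritance in a haproxy-style config.
# Constructed sample, reduced from the config quoted in the thread;
# "other-backend" and its address are made up for contrast.
SAMPLE = """\
defaults
  mode http
  compression algo gzip
  option http-server-close

backend iis-backend
  no option http-server-close
  server iis-stuff 2.3.4.5:80 cookie iis check inter 2000

backend other-backend
  server other 2.3.4.6:80 check
"""

def effective_settings(text):
    """Map 'kind name' -> {'options': set, 'compression': bool}."""
    defaults = {"options": set(), "compression": False}
    result, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments and blanks
        if not words:
            continue
        if words[0] == "global":
            current = None  # not a proxy section
        elif words[0] == "defaults":
            current = defaults = {"options": set(), "compression": False}
        elif words[0] in ("frontend", "backend", "listen") and len(words) > 1:
            # A proxy section starts from a copy of the current defaults.
            current = {"options": set(defaults["options"]),
                       "compression": defaults["compression"]}
            result[f"{words[0]} {words[1]}"] = current
        elif current is None:
            continue
        elif words[0] == "option" and len(words) > 1:
            current["options"].add(words[1])
        elif words[:2] == ["no", "option"] and len(words) > 2:
            current["options"].discard(words[2])  # negates an inherited option
        elif words[:2] == ["compression", "algo"]:
            current["compression"] = True
    return result

def compressed_without_server_close(text):
    """Backends that dropped http-server-close but still inherit compression."""
    return sorted(name for name, s in effective_settings(text).items()
                  if name.startswith("backend ")
                  and "http-server-close" not in s["options"] and s["compression"])

if __name__ == "__main__":
    print(compressed_without_server_close(SAMPLE))
```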


