Baptiste,

Please see my inline comments below:

> It could be related to opened but unused connections from some
> browsers (Chrome).
>

We know that the "SSL handshake failures" are related to connections made by the ColdFusion CFHTTP client. So in this specific case, there are no browsers involved.

> The only way to confirm this behavior is to capture some traffic
> using tcpdump and see if you get connections reset by HAProxy due to
> client timeout with no client traffic or some real SSL handshake
> failure.
>

Do you know what the various error conditions are in the HAProxy source code that can generate this specific "SSL handshake failure" error message?

>
> Do you have an IPS in front of HAProxy?
>

What is an IPS? We are running our service on Amazon's AWS. Traffic hits HAProxy and it load balances requests to Node.js instances.

Thank you very much for your quick response and help.

Best,
--
Thomas Amsler

> Baptiste
>
>
> On Wed, Oct 16, 2013 at 4:45 AM, Thomas Amsler <[email protected]> wrote:
> > Hello,
> >
> > We are using HAProxy v1.5-dev19, and are seeing a lot of the following
> > errors in our haproxy logs:
> >
> > <-- snip -->
> > Oct 16 02:24:22 localhost haproxy[2473]: <some ip>:44950 [16/Oct/2013:02:24:22.643] https-in/1: SSL handshake failure
> > Oct 16 02:30:47 localhost haproxy[2473]: <some ip>:37530 [16/Oct/2013:02:30:47.436] https-in/1: SSL handshake failure
> > Oct 16 02:32:09 localhost haproxy[2473]: <some ip>:32930 [16/Oct/2013:02:32:08.709] https-in/1: SSL handshake failure
> > Oct 16 02:32:28 localhost haproxy[2473]: <some ip>:38069 [16/Oct/2013:02:32:27.731] https-in/1: SSL handshake failure
> > <-- snip -->
> >
> > This error occurs at a rate of 0.7%. It most often happens via ColdFusion
> > CFHTTP connections. Could there be any issues with HAProxy or is this a
> > client connection issue?
> >
> > Our server infrastructure handles REST as well as Socket.io (WebSocket)
> > connections.
> >
> >
> > Our config file:
> >
> >
> > global
> >     nbproc 1
> >     daemon
> >     maxconn 8192
> >     log 127.0.0.1 local0
> >     user ec2-user
> >     group ec2-user
> >     chroot /var/lib/haproxy
> >
> > defaults
> >     mode http
> >     option httplog
> >     log global
> >     # Add x-forwarded-for header.
> >     option forwardfor
> >     option http-server-close
> >     timeout connect 5s
> >     timeout client 30s
> >     timeout server 30s
> >     # Long timeout for WebSocket connections.
> >     timeout tunnel 1h
> >
> > # Redirect HTTP to HTTPS
> > frontend http-in
> >     bind *:80
> >     acl is_aggiefeed hdr_end(host) -i aggiefeed.ucdavis.edu
> >     redirect prefix https://aggiefeed.ucdavis.edu code 301 if is_aggiefeed
> >
> > # HTTPS
> > frontend https-in
> >     bind *:443 ssl crt /home/ec2-user/ssl/aggiefeed.pem
> >     default_backend servers
> >     errorfile 503 /home/ec2-user/errorfiles/503.http
> >
> > backend servers
> >     balance roundrobin
> >     cookie SERVERID insert indirect nocache
> >     server server1 10.0.1.100:8080 cookie server1 weight 1 maxconn 4096 check
> >     server server2 10.0.1.101:8080 cookie server2 weight 1 maxconn 4096 check
> >
> >
> >
> > Best,
> > Thomas Amsler
> > http://gplus.to/tamsler
>

