Hello!
Problem description: when I access my two web servers through HA-Proxy version
1.5-dev21-51437d2 2013/12/29
it acts as round robin load balancing without any SSL sticky sessions effect.
I would be very pleased if someone could help to make sticky SSL sessions work
without SSL offload.
Additional information:
My sticky table output produced by the following command:
echo "show table etlive_https" | socat unix-connect:/var/run/haproxy.stat stdio
# table: etlive_https, type: binary, size:30720, used:4
0x11b7974: key=0F242856F62F68D2E7C50F7B809D577B00CE7758F74992B4F104A50724153CC6 use=0 exp=1777208 server_id=2
0x11b7ad4: key=11B93E6CEC80076086F73CAFCDA6CEC90E55E12BCBCDD6278181201DA01E505A use=0 exp=1778917 server_id=2
0x11b7a24: key=7A4D134D9E7E02F35E68D69A516EA3DD965C75CA424E1E9BF08014232F7D3A3A use=0 exp=1777300 server_id=1
0x11b7774: key=D2564D3480E88117FD3864376E17BA6C5BA27E18D5000CEB2C888F18ADAAB550 use=0 exp=1773268 server_id=1
I compiled and linked haproxy under Debian Linux using the following make options:
make TARGET=custom CPU=native USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
USE_LINUX_SPLICE=1 TARGET_CFLAGS="-O2 -mmmx -msse -mfpmath=sse -ffast-math
-funsafe-loop-optimizations -funsafe-math-optimizations -fweb
-frename-registers -fforce-addr -maccumulate-outgoing-args
-momit-leaf-frame-pointer -funswitch-loops -fstack-protector"
and installed it:
make PREFIX=/usr/local/haproxy install
My Linux operating system is Linux lb1 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
My haproxy information (haproxy -vv):
HA-Proxy version 1.5-dev21-51437d2 2013/12/29
Copyright 2000-2013 Willy Tarreau <[email protected]>
Build options :
TARGET = custom
CPU = native
CC = gcc
CFLAGS = -O2 -march=native -g -fno-strict-aliasing -O2 -mmmx -msse
-mfpmath=sse -ffast-math -funsafe-loop-optimizations
-funsafe-math-optimizations -fweb -frename-registers -fforce-addr
-maccumulate-outgoing-args -momit-leaf-frame-pointer -funswitch-loops
-fstack-protector
OPTIONS = USE_LINUX_SPLICE=1 USE_ZLIB=1 USE_POLL=default USE_OPENSSL=1
USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): no
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.30 2012-02-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND
Available polling systems :
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 2 (2 usable), will use poll.
My haproxy configuration file haproxy.cfg content:
global
    #stats socket /var/run/haproxy.sock mode 666
    stats socket /var/run/haproxy.stat mode 666
    log /dev/log local0 info
    log /dev/log local0 notice
    # log 127.0.0.1 local0
    chroot /var/lib/haproxy
    maxconn 100000
    maxpipes 30000
    ulimit-n 500000
    user root
    group haproxy
    daemon

defaults
    log global
    option tcplog
    option dontlognull
    retries 3
    option redispatch
    option splice-auto
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    option tcp-smart-accept
    # option tcp-smart-connect

frontend etlive_https
    bind 192.168.35.254:4431,192.168.35.253:4431
    option tcplog
    maxconn 10000
    log global
    default_backend etlive_https

backend etlive_https
    mode tcp
    option ssl-hello-chk
    # option httpchk GET /test.html
    option tcplog
    balance roundrobin
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    # Use tcp content accepts to detect the SSL client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    # No timeout on response inspect delay by default.
    tcp-response content accept if serverhello
    # The SSL session ID (SSLID) may be present in a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.
    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello
    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello
    server etlive1 192.168.35.232:443 check maxconn 5000
    server etlive2 192.168.35.233:443 check maxconn 5000
Lauri-Alo Adamson
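As an added example that is not part of this post and not HAProxy's own code, the following Python script models what the posted backend does with the two hellos. It constructs minimal TLS ClientHello and ServerHello records (constructed sample bytes, not captures), re-implements payload_lv(43,1) over them to show why offset 43 is the session ID length byte, and keeps a toy stick table so that a ClientHello carrying a previously learned session ID is routed to the same server, while a ClientHello with an empty session ID (a fresh session) falls through to round robin. The names build_hello, hello_type and StickSimulator, and the assumption that an empty session ID is never stored as a key, are mine.

```python
import struct
from typing import Optional

# Offsets from the config comments in the post: the session ID length byte is at
# offset 43 and the ID itself starts at 44. The layout behind those numbers is
# 5-byte TLS record header + 4-byte handshake header + 2-byte version + 32-byte random.
SESSION_ID_LEN_OFFSET = 43
CLIENT_HELLO, SERVER_HELLO = 1, 2


def build_hello(msg_type: int, session_id: bytes, random_bytes: bytes = b"\x11" * 32) -> bytes:
    """Build a minimal TLS 1.0 ClientHello (type 1) or ServerHello (type 2) record.
    Constructed sample bytes, not a capture; the fields after the session ID are
    kept minimal because nothing here reads them."""
    assert len(random_bytes) == 32 and len(session_id) <= 32
    if msg_type == CLIENT_HELLO:
        tail = b"\x00\x02\x00\x2f" + b"\x01\x00"   # one cipher suite, null compression
    else:
        tail = b"\x00\x2f" + b"\x00"               # chosen cipher suite, null compression
    body = b"\x03\x01" + random_bytes + bytes([len(session_id)]) + session_id + tail
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def hello_type(record: bytes) -> Optional[int]:
    """Stand-in for req_ssl_hello_type / rep_ssl_hello_type: the handshake message
    type of a TLS handshake record, or None if this is not a handshake record."""
    if len(record) < 6 or record[0] != 0x16:
        return None
    return record[5]


def payload_lv(record: bytes, offset: int, len_size: int) -> bytes:
    """Mimic payload_lv(offset, len_size): read a len_size-byte big-endian length
    at offset, then return that many bytes starting right after the length field."""
    length = int.from_bytes(record[offset:offset + len_size], "big")
    start = offset + len_size
    return record[start:start + length]


class StickSimulator:
    """Toy model of the posted backend: round robin plus a binary stick table keyed
    on the session ID, learned from both hellos as the config does."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.table = {}      # session ID -> server name
        self._rr = 0

    def on_request(self, record: bytes) -> str:
        """stick on payload_lv(43,1) if clienthello: match, else round robin and learn."""
        key = b""
        if hello_type(record) == CLIENT_HELLO:
            key = payload_lv(record, SESSION_ID_LEN_OFFSET, 1)
        if key and key in self.table:
            return self.table[key]
        server = self.servers[self._rr % len(self.servers)]
        self._rr += 1
        if key:                      # assumption: an empty session ID is not stored
            self.table[key] = server
        return server

    def on_response(self, record: bytes, server: str) -> None:
        """stick store-response payload_lv(43,1) if serverhello: learn the ID the server assigned."""
        if hello_type(record) == SERVER_HELLO:
            key = payload_lv(record, SESSION_ID_LEN_OFFSET, 1)
            if key:
                self.table[key] = server


def demo():
    """Walk one client through a fresh handshake and a resumption; returns the routing decisions."""
    sim = StickSimulator(["etlive1", "etlive2"])
    sid = bytes(range(32))
    first = sim.on_request(build_hello(CLIENT_HELLO, b""))        # fresh session: empty ID, round robin
    sim.on_response(build_hello(SERVER_HELLO, sid), first)        # server assigns an ID, table learns it
    resumed = sim.on_request(build_hello(CLIENT_HELLO, sid))      # resumption: same server as before
    other = sim.on_request(build_hello(CLIENT_HELLO, b""))        # another fresh client: round robin
    return first, resumed, other


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes for a live setup is that stickiness only ever triggers on a ClientHello whose session ID equals a key already in the table; every ClientHello with an empty session ID goes round robin no matter what the table holds, so the keys listed by `show table` should be compared with the session IDs clients actually resend.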