Hello!

Problem description: when I access my two web servers through HA-Proxy version 1.5-dev21-51437d2 2013/12/29, it acts as round-robin load balancing without any SSL sticky-session effect. I would be very pleased if someone could help to make sticky SSL sessions work without SSL offload.

Additional information:

My sticky table output, produced by the following command:

    echo "show table etlive_https" | socat unix-connect:/var/run/haproxy.stat stdio

    # table: etlive_https, type: binary, size:30720, used:4
    0x11b7974: key=0F242856F62F68D2E7C50F7B809D577B00CE7758F74992B4F104A50724153CC6 use=0 exp=1777208 server_id=2
    0x11b7ad4: key=11B93E6CEC80076086F73CAFCDA6CEC90E55E12BCBCDD6278181201DA01E505A use=0 exp=1778917 server_id=2
    0x11b7a24: key=7A4D134D9E7E02F35E68D69A516EA3DD965C75CA424E1E9BF08014232F7D3A3A use=0 exp=1777300 server_id=1
    0x11b7774: key=D2564D3480E88117FD3864376E17BA6C5BA27E18D5000CEB2C888F18ADAAB550 use=0 exp=1773268 server_id=1

I compiled and linked haproxy under Debian Linux using the following make options:

    make TARGET=custom CPU=native USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_LINUX_SPLICE=1 TARGET_CFLAGS="-O2 -mmmx -msse -mfpmath=sse -ffast-math -funsafe-loop-optimizations -funsafe-math-optimizations -fweb -frename-registers -fforce-addr -maccumulate-outgoing-args -momit-leaf-frame-pointer -funswitch-loops -fstack-protector"

and installed it:

    make PREFIX=/usr/local/haproxy install

My Linux operating system is:

    Linux lb1 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux

My haproxy information (haproxy -vv):

    HA-Proxy version 1.5-dev21-51437d2 2013/12/29
    Copyright 2000-2013 Willy Tarreau <w...@1wt.eu>

    Build options :
      TARGET = custom
      CPU = native
      CC = gcc
      CFLAGS = -O2 -march=native -g -fno-strict-aliasing -O2 -mmmx -msse -mfpmath=sse -ffast-math -funsafe-loop-optimizations -funsafe-math-optimizations -fweb -frename-registers -fforce-addr -maccumulate-outgoing-args -momit-leaf-frame-pointer -funswitch-loops -fstack-protector
      OPTIONS = USE_LINUX_SPLICE=1 USE_ZLIB=1 USE_POLL=default USE_OPENSSL=1 USE_PCRE=1

    Default settings :
      maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

    Encrypted password support via crypt(3): no
    Built with zlib version : 1.2.7
    Compression algorithms supported : identity, deflate, gzip
    Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
    Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports prefer-server-ciphers : yes
    Built with PCRE version : 8.30 2012-02-04
    PCRE library supports JIT : no (USE_PCRE_JIT not set)
    Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND

    Available polling systems :
      poll : pref=200, test result OK
      select : pref=150, test result OK
    Total: 2 (2 usable), will use poll.

My haproxy configuration file haproxy.cfg content:

    global
        #stats socket /var/run/haproxy.sock mode 666
        stats socket /var/run/haproxy.stat mode 666
        log /dev/log local0 info
        log /dev/log local0 notice
        # log 127.0.0.1 local0
        chroot /var/lib/haproxy
        maxconn 100000
        maxpipes 30000
        ulimit-n 500000
        user root
        group haproxy
        daemon

    defaults
        log global
        option tcplog
        option dontlognull
        retries 3
        option redispatch
        option splice-auto
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms
        option tcp-smart-accept
        # option tcp-smart-connect

    frontend etlive_https
        bind 192.168.35.254:4431,192.168.35.253:4431
        option tcplog
        maxconn 10000
        log global
        default_backend etlive_https

    backend etlive_https
        mode tcp
        option ssl-hello-chk
        # option httpchk GET /test.html
        option tcplog
        balance roundrobin
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2
        # use tcp content accepts to detects ssl client and server hello.
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello
        # no timeout on response inspect delay by default.
        tcp-response content accept if serverhello
        # SSL session ID (SSLID) may be present on a client or server hello.
        # Its length is coded on 1 byte at offset 43 and its value starts
        # at offset 44.
        # Match and learn on request if client hello.
        stick on payload_lv(43,1) if clienthello
        # Learn on response if server hello.
        stick store-response payload_lv(43,1) if serverhello
        server etlive1 192.168.35.232:443 check maxconn 5000
        server etlive2 192.168.35.233:443 check maxconn 5000

Lauri-Alo Adamson
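
Added example, not part of the original post: a Python model of what the `payload_lv(43,1)` stick rules in the configuration above key on, showing where offset 43 comes from in a TLS hello and how the table overrides round robin once a session ID is known. The hello messages are constructed samples, `ssl_session_id`, `build_hello` and `StickTable` are hypothetical names, and treating an empty session ID as "no key" is an assumption of the model.

```python
def ssl_session_id(payload, hello_type):
    """Model of payload_lv(43,1) guarded by the hello-type ACL (1 or 2)."""
    # Record header is 5 bytes; byte 0 must be 0x16 (handshake record).
    if len(payload) < 44 or payload[0] != 0x16:
        return None
    # Handshake type sits at offset 5: 1 = ClientHello, 2 = ServerHello.
    if payload[5] != hello_type:
        return None
    # 5 (record hdr) + 4 (handshake hdr) + 2 (version) + 32 (random) = 43
    length = payload[43]
    sid = payload[44:44 + length]
    # Assumption: an empty or truncated ID yields no key to stick on.
    return sid if length and len(sid) == length else None


def build_hello(hello_type, session_id):
    """Constructed sample hello: zero random, one cipher, no extensions."""
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    # ClientHello carries lists; ServerHello carries the chosen values.
    body += b"\x00\x02\x00\x2f\x01\x00" if hello_type == 1 else b"\x00\x2f\x00"
    hs = bytes([hello_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


class StickTable:
    """Toy model of the backend's stick rules over roundrobin."""

    def __init__(self, servers):
        self.servers, self.table, self.rr = servers, {}, 0

    def route(self, client_hello):
        key = ssl_session_id(client_hello, 1)
        if key in self.table:  # "stick on": match on request
            return self.table[key]
        server = self.servers[self.rr % len(self.servers)]
        self.rr += 1
        if key is not None:  # "stick on" also stores on request
            self.table[key] = server
        return server

    def learn(self, server_hello, server):
        key = ssl_session_id(server_hello, 2)
        if key is not None:  # "stick store-response"
            self.table[key] = server
```

In this model, a client hello that carries no session ID never produces a table key, so only connections that present a previously learned ID are pinned to a server.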