Hello! I checked the Apache configuration and it contains the following:

    SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout 300
Additional information and questions. I was thinking maybe something is wrong with my firewall/haproxy setup?!

A physical server acts as an iptables firewall with two Ethernet interfaces: one external (Internet side), eth0, and one internal interface, eth4. I configured the iptables firewall, which has haproxy inside listening on the internal interface (eth4). It has a NAT and port translation rule: all connections to 213.184.41.164 port 443 land on 192.168.35.254 port 4431. haproxy listens on this port 4431 (frontend). I also have an access list which controls access to 192.168.35.254 port 4431. There is also a similar NAT and port translation rule for HTTP traffic, to help redirect traffic to the HTTPS site.

There are also two JBoss servers which are accessed through the firewall (haproxy) and have Apache web servers with mod_proxy and AJP in front of them. On the JBoss Java application server runs an application with identity card (http://www.id.ee) authentication on the Apache web servers. Identity card authentication currently works correctly only with haproxy source IP address stickiness using roundrobin load balancing mode. When I use the SSL session ID stickiness haproxy configuration, stickiness does not work properly and identity card logins do not work properly, or we can log in but the login is soon lost, etc.

192.168.35.254 is the IP address where the haproxy frontends listen on TCP ports 81 and 4431.
192.168.35.232 is the IP address of one of the web servers.
192.168.35.233 is the IP address of the other web server.
The server's Ethernet interfaces each have their own IP address.

Which server interfaces must I use with tcpdump to collect information to troubleshoot the SSL session ID?
My haproxy configuration again:

    defaults
        log global
        option tcplog
        option dontlognull
        retries 3
        option redispatch
        option splice-auto
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms
        option tcp-smart-accept
        # option tcp-smart-connect

    frontend etlive_http
        bind 192.168.35.254:81,192.168.35.253:81
        mode http
        redirect location https://eteenindus.mnt.ee/eteenused/main.jsf

    frontend etlive_https
        bind 192.168.35.254:4431,192.168.35.253:4431
        option tcplog
        maxconn 10000
        log global
        default_backend etlive_https

    backend etlive_https
        mode tcp
        # option ssl-hello-chk
        # option httpchk GET /test.html
        option tcplog
        balance roundrobin
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2
        # use tcp content accepts to detect ssl client and server hello.
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello
        # no timeout on response inspect delay by default.
        tcp-response content accept if serverhello
        # SSL session ID (SSLID) may be present on a client or server hello.
        # Its length is coded on 1 byte at offset 43 and its value starts
        # at offset 44.
        # Match and learn on request if client hello.
        stick on payload_lv(43,1) if clienthello
        # Learn on response if server hello.
        stick store-response payload_lv(43,1) if serverhello
        server etlive1 192.168.35.232:443 check maxconn 5000
        server etlive2 192.168.35.233:443 check maxconn 5000

Lauri-Alo Adamson
AS Andmevara

-----Original Message-----
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: Sunday, January 05, 2014 9:57 PM
To: Lauri-Alo Adamson; haproxy@formilux.org
Subject: RE: HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessions are not working in my environment

Hi,

> My web servers contain a text file which contains the name of that server.
> Then put the following line into the web browser, https://X.X.X.X/index.txt, and
> browse this page; it displays the server name. One server's file index.txt
> contains the server name etee-live1 and the other server's file contains
> the server name etee-live2. If affinity works the browser always displays
> the same server name and then the sticky table must contain one entry.
>
> But in my SSL affinity case the web browser displays one server name once
> and on the next refresh the browser displays the other server name. Then I
> look at the sticky table and it displays two entries, but in the SSL affinity
> (SSL sticky session) case there must be one entry.
>
> My sticky table displays:
> echo "show table etlive_https" | socat unix-connect:/var/run/haproxy.stat stdio
> # table: etlive_https, type: binary, size:30720, used:2
> 0x17eddd4: key=7D4CD359DDAB9F3F7F976E7A995045670FFF0118FDDB72773165273BE6DA16FA use=0 exp=1778829 server_id=2
> 0x17ee1d4: key=905273E4AC943682F48106A6BD07777486F8FD60F8B80E4860FE7032F7D69DC2 use=0 exp=1783937 server_id=1

That sounds like your apache backend server doesn't actually cache the session.

> If I understood you correctly you suspect that SSL sessions are changing
> all the time. What software is responsible for changing the SSL session ID:
> the browser, the Apache web server?!

The Apache backend server (the browsers you mentioned all reuse the SSL session ID by default).

> The person who configured these apache servers ensures that these things are
> working

Please double check with that person that the configuration directives SSLSessionCache [1] and SSLSessionCacheTimeout [2] are properly configured. It looks like Apache by default does not cache at all.

Also you can try with Vincent's test tool at [3] whether session resumption is actually done or not.

Regards,
Lukas

[1] http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessioncache
[2] http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessioncachetimeout
[3] https://github.com/vincentbernat/rfc5077/blob/master/rfc5077-client.c
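As an added illustration (not code from the thread or from haproxy), a small Python model of the etlive_https backend above: it builds minimal TLS hello records, pulls the session ID from the same offset 43 that payload_lv(43,1) reads, and replays the stick on / stick store-response logic against a backend that resumes sessions and one that, like an Apache without a working SSLSessionCache, mints a fresh ID on every handshake. The server names and the assumed browser behaviour (it offers the ID the server last returned) are constructed for the example.

```python
import os

CLIENT_HELLO, SERVER_HELLO = 1, 2

def build_hello(kind, sid):
    """Constructed sample (not a real capture): a minimal TLS 1.2 record
    carrying a ClientHello or ServerHello.  Bytes 0-4: record header,
    5-8: handshake header, 9-10: version, 11-42: random, 43: session_id
    length, 44..: session_id, i.e. exactly the bytes payload_lv(43,1) reads."""
    body = b"\x03\x03" + os.urandom(32) + bytes([len(sid)]) + sid
    hs = bytes([kind]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs

def hello_type(rec):
    # Mirrors req_ssl_hello_type / rep_ssl_hello_type: a handshake record,
    # with the handshake message type right after the 5-byte record header
    return rec[5] if rec[:1] == b"\x16" else None

def session_id(rec):
    # Mirrors payload_lv(43,1): one length byte at offset 43, value from 44
    return rec[44:44 + rec[43]]

def simulate(backend_resumes, handshakes=3):
    """Replay the etlive_https stick logic: 'stick on' looks the ClientHello's
    ID up in the table, roundrobin otherwise; 'stick store-response' learns the
    ServerHello's ID.  backend_resumes models whether the Apache session cache
    hands the offered ID back (resumption) or a new one (full handshake).
    Returns (number of stick-table entries, server chosen per handshake)."""
    servers, table, rr, chosen = ["etlive1", "etlive2"], {}, 0, []
    client_sid = b""                        # assumed: browser has no session yet
    for _ in range(handshakes):
        ch = build_hello(CLIENT_HELLO, client_sid)
        key = session_id(ch) if hello_type(ch) == CLIENT_HELLO else b""
        if key and key in table:            # stick on payload_lv(43,1) matched
            server = table[key]
        else:                               # empty/unknown key: balance roundrobin
            server = servers[rr % len(servers)]
            rr += 1
        # a caching backend echoes the offered ID; a non-caching one mints a new one
        sid = key if backend_resumes and key else os.urandom(32)
        sh = build_hello(SERVER_HELLO, sid)
        if hello_type(sh) == SERVER_HELLO:  # stick store-response ... if serverhello
            table[session_id(sh)] = server
        client_sid = session_id(sh)         # assumed: browser keeps the returned ID
        chosen.append(server)
    return len(table), chosen
```

In this model the route stays on one server either way, because the browser offers the ID the table just learned; what the non-caching backend changes is that the table gains a new key on every handshake, which is the growing "used" count and changing keys that the reply above points at.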