Lukas,

> For the record: are you using HAproxy SSL functionality or do you
> use something else, like stunnel or stud in front of haproxy? That
> would make a big difference.

We're terminating the SSL connections in haproxy, itself -- no stunnel or stud.

> Also, with what IE release on which Windows OS have you been able
> to reproduce this? A lot of things have changed in the IE releases
> and the tcp stacks as well (one of the links talks about a bug in the
> NT 4.0 tcp stack for example).

It's starting to sound like those links I provided earlier might not apply, but you're right about MS/IE and their ever-changing network stack, so I'll answer your question nevertheless. :)

We've gotten quite a few reports from users, and it seems like they're all using Windows 8 or 8.1 and IE 11. That's also the version I was able to successfully reproduce this on.

I also thought I'd include this for posterity -- it was some out-of-band communication with Willy, which I hope he doesn't mind me including.

On Sat, Feb 22, 2014 at 1:40 AM, Willy Tarreau wrote:
> OK thanks. So what it looks like is that MSIE is using the awful
> preconnect mechanism that its competitors chrome and firefox use
> as well, but the difference is that it doesn't know how to do it
> correctly! Because as you can see, there's no request sent over
> the connection in 10 seconds. And it starts using it after receiving
> the close...

I suppose it's wrong for me to be responding to that in a different thread, but I'll give it a shot anyway.

I wholeheartedly agree that IE is doing multiple things wrong, here... making a request after the FIN, as well as reading a response that was made before the request was even made. However, I'm a bit confused as to why HAProxy was sending a 408 at all in this instance. There wasn't a request made prior to it sending that 408, so something seems a bit fishy there, too. I could be completely missing something, though.

> You should try to clear the 408 message to see if MSIE handles the
> situation any better. But that would be a shame, because this message
> exists exactly for this purpose and all web servers emit it, so all
> MSIE users are bothered by this stupid bug.
> In order to do this, just add the following in your frontend :
> errorfile 408 /dev/null

Good call! It sounds to me like that would be a reasonable workaround for these folks using IE. A bummer for everyone else, but hopefully they won't be adversely affected.

I'll change my timeouts back to the more-sane 10 or 15 seconds, and start using a null 408 error file to see what the reports from our users sound like. It shouldn't be too long before we have an idea if that helped or not.

--
Andy Walker
System Administrator
FBS - creators of flexmls
3415 39th St S
Fargo, ND 58104
701-235-7300