Hi Pavlos,

On Tue, May 31, 2016 at 12:06:14PM +0200, Pavlos Parissis wrote:
> 
> On 30/05/2016 05:24 ????, Nenad Merdanovic wrote:
> > Hello Bjorn,
> > 
> > On 5/30/2016 4:29 PM, Björn Zettergren wrote:
> >> Hi,
> >>
> >> I've been playing around with the ECC+RSA certificate on same IP as
> >> described in the haproxy blog at
> >> http://blog.haproxy.com/2015/07/15/serving-ecc-and-rsa-certificates-on-same-ip-with-haproxy/
> >>
> >> However, I get unexpected results when testing and I'm thinking that
> >> my problem is with the sample fetching of req.ssl_ec_ext on incoming
> >> requests being inconsistent or haproxy starts processing the request
> >> before enough of the data has been sent. I don't know how to
> >> troubleshoot any further or how to get it working, if it's at all
> >> expected to work "as advertised".
> > 
> > Yes, it seems like the case is that the fetch is only called once, when
> > there is not enough data in the buffer. You can work around this like:
> > tcp-request inspect-delay 5s
> 
> That option was never clear to me what it does.
> Does it introduce a delay on user's request?
> I think it only delays the inspection of the request from haproxy
> but the actual request isn't delayed.
> 
> Am I right?

That's more or less it. Just to make it very clear, it tells haproxy that
when facing *incomplete* data preventing it from taking a decision, it
should wait this long. What's important to know is that ACLs implement a
three-state match :
  - does not match
  - does match
  - uncertain, need more info

If you're waiting for a TLS hello and someone sends an HTTP request,
it will immediately not match so there is no delay. If someone sends a
valid TLS hello message that haproxy can fully parse, there's no delay
either. But if the data start like a TLS hello but are incomplete (eg
due to a packet loss causing a retransmission), you want haproxy to
wait a bit. This tells how long to wait. Past this delay, the pattern
doesn't match.

That's exactly similar to the http-request timeout for HTTP in fact.

Cheers,
Willy

Reply via email to