Hi Julien - I'm not entirely sure I understand your comment.

I think that you may be saying that the connection should never be flagged
as private for SNI.  That makes sense to me, and would be an easy
alternative diff, but seems to run counter to Willy's intent in
commit 387ebf84dd, as well as the current state of the docs.

My read of ssl_sock_set_servername is that the case where a given backend
happens to be targeting multiple instances of applications served via SNI
from a single IP is already handled - if the hostname doesn't match, the
(SSL | TLS) handshake is forced, which I think means that the only
component of connection reuse in that case would be at the TCP level (and I
believe desirable for performance).

Is the following diff what you had in mind, or did you have a different
intent?

diff --git a/doc/configuration.txt b/doc/configuration.txt
index fdcdb04fa..ff5bbf573 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -5265,9 +5265,6 @@ http-reuse { never | safe | aggressive | always }
     - connections made with "usesrc" followed by a client-dependent value
       ("client", "clientip", "hdr_ip") are marked private and never shared;

-    - connections sent to a server with a TLS SNI extension are marked
private
-      and are never shared;
-
     - connections with certain bogus authentication schemes (relying on the
       connection) like NTLM are detected, marked private and are never
shared;

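Review bot: deleting the SNI bullet leaves the http-reuse section silent on what now happens to connections that carry a TLS SNI extension, even though this patch changes documented behaviour; rather than removing the item, reword it to state that an SNI no longer marks the connection private and that a mismatched server name forces a new handshake before reuse, as your reading of ssl_sock_set_servername above describes, so the `safe` and `aggressive` descriptions stay accurate. Separately, the removed lines have been reflowed in transit (`private` sits alone on its own line between the two `-` lines), so this hunk will not apply as posted; resend the patch with `git send-email` or as an attachment.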
diff --git a/src/backend.c b/src/backend.c
index ebc5050cb..b7b335262 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -1581,7 +1581,6 @@ int connect_server(struct stream *s)
                        if (smp_make_safe(smp)) {
                                ssl_sock_set_servername(srv_conn,

smp->data.u.str.area);
-                               srv_conn->flags |= CO_FL_PRIVATE;
                        }
                }
 #endif /* USE_OPENSSL */
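Review bot: dropping `srv_conn->flags |= CO_FL_PRIVATE;` makes every connection on which ssl_sock_set_servername() was called eligible for reuse, so correctness now rests entirely on the hostname comparison inside ssl_sock_set_servername() forcing a fresh handshake when the SNI differs, as your note above states; record that dependency in the commit message and leave a short comment inside the `if (smp_make_safe(smp))` block explaining why the connection is no longer marked private, otherwise the next reader will assume the flag was dropped by mistake. The `ssl_sock_set_servername(srv_conn,` / `smp->data.u.str.area);` call has also been split across lines by the mail client, so this hunk too needs resending in a form that applies.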


On Thu, Dec 19, 2019 at 12:24 AM Julien Pivotto <roidelapl...@inuits.eu>
wrote:

> On 18 Dec 16:46, Joshua Knox wrote:
> > A github issue was filed at
> https://github.com/haproxy/haproxy/issues/371
> >
> > The CONTRIBUTING guidelines requested discussion on the list, I believe
> the
> > included diff would address that issue and arguably be less surprising
> > behavior.
> >
> > The comment from ehocdet on the issue indicated that connection reuse
> could
> > be reused if SNI was incorporated into connection selection criteria.  I
> > think that that larger change would make sense for reuse in "http-reuse
> > safe" mode.
> >
> > There are currently a number of explicit checks for "http-reuse never"
> that
> > set the private connection flag (CO_FL_PRIVATE), I think that failing to
> > set it in this case is the logical counterpart.
> >
> > Thanks in advance,
> > Josh
>
> I would actually like the idea to remove the criteria to not reuse SNI
> connection, even in safe mode. After all there is no big difference
> once the connection is established and we can not change the value of
> sni() between requests anyway.
>
> --
>  (o-    Julien Pivotto
>  //\    Open-Source Consultant
>  V_/_   Inuits - https://www.inuits.eu
>
