On Wed, Sep 03, 2025 at 10:48:40AM +0200, Amaury Denoyelle wrote:
> On Wed, Sep 03, 2025 at 10:44:06AM +0200, Amaury Denoyelle wrote:
> > On Tue, Sep 02, 2025 at 04:18:22PM +0000, Daniel Lenar wrote:
> > > Hello,
> > > I was struggling to get connection reuse working when check_reuse_pool
> > > was enabled. My patch addresses what I had to do to see TCP
> > > connections being reused with my haproxy configuration below.
> > > I had a very simplistic haproxy.cfg. The IPs and hostnames have been
> > > redacted.
> > > global
> > > log stdout format raw local0
> > > daemon
> > > stats socket /tmp/stats
> > > frontend main
> > > bind *:8080
> > > mode http
> > > option httplog
> > > option http-keep-alive
> > > log global
> > > use_backend https:example.com
> > > backend https:example.com
> > > mode http
> > > option httpchk GET /ready HTTP/1.1
> > > http-check send hdr Connection keep-alive hdr Host example.com hdr
> > > User-Agent "Health-Check"
> > > http-reuse always
> > > default-server maxconn 2000 check-reuse-pool inter 3000
> > > pool-purge-delay 60s check ssl verify none
> > > server servara 10.0.0.1:443
> > > server serverb 10.0.0.2:443
> > > server serverc 10.0.0.3:443
> > > > The tcpcheck_use_nondefault_connect() function was considering SSL as a
> > > > non-default connection. If your backend servers were using SSL, then
> > > > you couldn't reuse connections. In terms of http/https, only http
> > > > backends were eligible for connection reuse.
> > I have just seen your message so I did not conduct many tests. However,
> > one thing that may explain a part of the problem is that you do not have
> > "check-ssl" server keyword. Without it, checks will be performed in
> > clear HTTP, thus it won't be able to reuse any connection from the pool
> > as transport will not match. This explains why you had to change
> > tcpcheck_use_nondefault_connect() to remove check->use_ssl.
> Hum, please ignore this comment, I took the problem from the wrong side.
> If there are any check-* keywords on the server line, we consider that
> reuse should not be performed. Hence you must not specify any check-*,
> except of course check-reuse-pool.

So, regarding check SSL activation, the solution would not be to change
tcpcheck_use_nondefault_connect(), as it's still useful to detect if
"check-ssl" has been set: in this case, reuse must not be performed.

The solution instead is to not set check->use_ssl when it is inherited
implicitly from the server configuration during init_srv_check(). This
should be enough as it seems to allow reuse to be performed now in my
tests.

Now, there remain the issues of the hash mismatch which I'm looking at
and the draining of the connection for which I'm less comfortable than
Christopher :)

-- 
Amaury Denoyelle
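
The decision discussed in this thread, as an added example that is not part of the e-mail and is not HAProxy source: a simplified C model showing why recording inherited SSL in the same flag as an explicit "check-ssl" blocks reuse. The struct, its fields, `mk()`, `init_check_before()`, `init_check_after()` and `may_reuse()` are hypothetical names, and the model assumes the check still inherits the server's SSL transport.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, NOT HAProxy source: all names here are hypothetical. */
struct srv_model {
    bool ssl;            /* "ssl" on the server line */
    bool check_ssl_kw;   /* explicit "check-ssl" keyword */
    bool check_use_ssl;  /* stands in for check->use_ssl */
    bool check_xprt_ssl; /* transport the check will really use */
};

/* Constructed sample server with check-reuse-pool assumed set. */
struct srv_model mk(bool ssl, bool check_ssl_kw)
{
    struct srv_model s = { ssl, check_ssl_kw, false, false };
    return s;
}

/* Before: inherited SSL and explicit check-ssl end up in the same flag. */
void init_check_before(struct srv_model *s)
{
    s->check_use_ssl  = s->check_ssl_kw || s->ssl;
    s->check_xprt_ssl = s->check_use_ssl;
}

/* After: the flag records only the explicit keyword; the transport is
 * still inherited (assumption), so checks are not downgraded to clear. */
void init_check_after(struct srv_model *s)
{
    s->check_use_ssl  = s->check_ssl_kw;
    s->check_xprt_ssl = s->check_ssl_kw || s->ssl;
}

/* Stand-in for tcpcheck_use_nondefault_connect(), left unchanged:
 * any explicit check-* override means the pool must not be used. */
bool may_reuse(const struct srv_model *s)
{
    return !s->check_use_ssl;
}

int main(void)
{
    struct srv_model a = mk(true, false), b = mk(true, false);
    init_check_before(&a);
    init_check_after(&b);
    printf("ssl server: reuse before=%d after=%d, check over ssl=%d\n",
           may_reuse(&a), may_reuse(&b), b.check_xprt_ssl);
    return 0;
}
```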