On Sep 26, 2008, at 5:01 PM, Till Neudecker wrote:
> I have a pretty normal loadbalancing setup (2 relayd-loadbalancer, 2
> backend hosts). The loadbalancer accepts ssl-encrypted sessions and
> forwards them unencrypted to the backend-hosts. Because all the hosts
> are on the same LAN I set the global timeout-directive to 200ms.
>
> When now connecting from a slow internet-connection to my service, I
> often receive an "SSL accept timeout". After changing the global
> timeout to 2000ms the problem disappears. The man page only says
> timeout limits the time for the checks of the backend-hosts but
> nothing about the SSL-handshake from clients.
>
> Can someone agree or disagree with my guess that timeout also limits
> the time for the SSL-handshake?

I have had this exact same experience this past week. I'm sure others
can give you the specific details but my conclusion was that the
timeout for relayd takes in the whole connection. This means that
first the client connects to relayd which then does the SSL
handshaking and so forth and then after this is successful relayd
connects to the internal host. I think this process just takes too
long when using SSL. I also made note that when I used relayd to add
SSL to a service running on the same server as relayd, there were no
issues.

Bryan