RE: HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessions are not working in my environment
]: 192.168.35.1:62502 [08/Jan/2014:11:51:06.097] etlive_https etlive_https/etlive2 1/0/12 2032 -- 0/0/0/0/0 0/0
Jan 8 11:51:06 lb1 haproxy[22836]: 192.168.35.1:62502 [08/Jan/2014:11:51:06.097] etlive_https etlive_https/etlive2 1/0/12 2032 -- 0/0/0/0/0 0/0
Jan 8 11:51:06 lb1 haproxy[22836]: 192.168.35.1:62505 [08/Jan/2014:11:51:06.109] etlive_https etlive_https/etlive1 1/0/12 2032 -- 0/0/0/0/0 0/0
Jan 8 11:51:06 lb1 haproxy[22836]: 192.168.35.1:62505 [08/Jan/2014:11:51:06.109] etlive_https etlive_https/etlive1 1/0/12 2032 -- 0/0/0/0/0 0/0
Jan 8 11:51:06 lb1 haproxy[22836]: 192.168.35.1:62507 [08/Jan/2014:11:51:06.122] etlive_https etlive_https/etlive2 1/0/12 2032 -- 0/0/0/0/0 0/0

These HAProxy log and rfc5077-client log files show that there is no sticky session usage and the SSL session ID changes!

Here is my HAProxy configuration again:

    global
        #stats socket /var/run/haproxy.sock mode 666
        stats socket /var/run/haproxy.stat mode 666
        log /dev/log local0 info
        log /dev/log local0 notice
        # log 127.0.0.1 local0
        chroot /var/lib/haproxy
        maxconn 10
        maxpipes 3
        ulimit-n 50
        user root
        group haproxy
        daemon

    defaults
        log global
        option tcplog
        option dontlognull
        retries 3
        option redispatch
        option splice-auto
        timeout connect 5000ms
        timeout client 5ms
        timeout server 5ms
        option tcp-smart-accept
        # option tcp-smart-connect

    frontend etlive_http
        bind 192.168.35.254:81,192.168.35.253:81
        mode http
        redirect location https://eteenindus.mnt.ee/eteenused/main.jsf

    frontend etlive_https
        bind 192.168.35.254:4431,192.168.35.253:4431
        option tcplog
        maxconn 1
        log global
        default_backend etlive_https

    backend etlive_https
        mode tcp
        # option ssl-hello-chk
        # option httpchk GET /test.html
        option tcplog
        balance roundrobin
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2
        # use tcp content accepts to detect ssl client and server hello.
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello
        # no timeout on response inspect delay by default.
        tcp-response content accept if serverhello
        # SSL session ID (SSLID) may be present on a client or server hello.
        # Its length is coded on 1 byte at offset 43 and its value starts
        # at offset 44.
        # Match and learn on request if client hello.
        stick on payload_lv(43,1) if clienthello
        # Learn on response if server hello.
        stick store-response payload_lv(43,1) if serverhello
        server etlive1 192.168.35.232:443 check maxconn 5000
        server etlive2 192.168.35.233:443 check maxconn 5000

Lauri-Alo Adamson
AS Andmevara

-----Original Message-----
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: Sunday, January 05, 2014 9:57 PM
To: Lauri-Alo Adamson; haproxy@formilux.org
Subject: RE: HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessions are not working in my environment

Hi,

> My web servers contain a text file which contains the name of that server.
> Then put the following line into the web browser, https://X.X.X.X/index.txt, and
> browse this page; it displays the server name. One server's file index.txt
> contains the server name etee-live1 and the other server's file contains
> the server name etee-live2. If affinity works, the browser always displays
> the same server name and then the sticky table must contain one entry.
>
> But in my SSL affinity case the web browser displays once one server name
> and on the other refresh the browser displays the other server name. Then I
> look at the sticky table: it displays two entries, but in the SSL affinity
> (SSL sticky session) case there must be one entry.
>
> My sticky table displays:
> echo "show table etlive_https" | socat unix-connect:/var/run/haproxy.stat stdio
> # table: etlive_https, type: binary, size:30720, used:2
> 0x17eddd4: key=7D4CD359DDAB9F3F7F976E7A995045670FFF0118FDDB72773165273BE6DA16FA use=0 exp=1778829 server_id=2
> 0x17ee1d4: key=905273E4AC943682F48106A6BD0486F8FD60F8B80E4860FE7032F7D69DC2 use=0 exp=1783937 server_id=1

That sounds like your apache backend server doesn't actually cache the session.

> If I understood you correctly you suspect that SSL sessions are changing
> all the time. What software is responsible for changing the SSL session ID -
> browser, Apache web server?!

The Apache backend server (the browsers you mentioned all reuse the SSL session ID by default).

> The person who configured these apache servers ensures that these things are
> working

Please double check with that person that the configuration directives SSLSessionCache [1] and SSLSessionCacheTimeout [2] are properly configured. It looks like Apache by default does not cache at all.

Also you can try with Vincent's test tool at [3] whether session resumption is actually done or not.

Regards,
Lukas

[1] http://httpd.apache.org/docs/2.4/mod/mod_ssl
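As an added illustration of what the two stick rules in the configuration above actually do (this is example code written for this page, not code from the thread or from HAProxy), the Python below builds ClientHello and ServerHello records in-process, reads the session ID exactly where payload_lv(43,1) reads it (5-byte record header + 4-byte handshake header + 2-byte version + 32-byte random = offset 43), and replays the table's learn/match logic for two assumed client behaviours: a client that offers back the ID the backend gave it, and a client whose ClientHello carries a fresh random ID on every connection. The server names etlive1/etlive2 are taken from the configuration; the backend session cache and the client behaviours are modelled, not real TLS.

```python
"""Replay HAProxy's SSL-session-ID stickiness on constructed TLS hellos.

Added example, not code from the thread: it models what
'stick on payload_lv(43,1) if clienthello' and
'stick store-response payload_lv(43,1) if serverhello' do, on ClientHello /
ServerHello records built in-process (no network, no real crypto)."""
import os
import struct

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2
# 5-byte record header + 4-byte handshake header + 2-byte version + 32-byte random
SID_LEN_OFFSET = 43


def build_hello(hs_type, session_id, version=b"\x03\x01"):
    """Minimal TLS 1.0 handshake record. Only the fields up to and including
    the session ID are laid out exactly; the rest uses fixed constants."""
    body = version + os.urandom(32) + bytes([len(session_id)]) + session_id
    if hs_type == CLIENT_HELLO:
        body += b"\x00\x02\x00\x2f" + b"\x01\x00"   # 1 cipher suite, null compression
    else:
        body += b"\x00\x2f" + b"\x00"               # chosen suite, null compression
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(hs)) + hs


def ssl_hello_type(buf):
    """req_ssl_hello_type / rep_ssl_hello_type: handshake type of a complete
    SSLv3+ handshake record at the start of buf, or 0 if there is none."""
    if len(buf) < 9 or buf[0] != HANDSHAKE or buf[1] != 3:
        return 0
    if len(buf) < 5 + struct.unpack("!H", buf[3:5])[0]:
        return 0        # record incomplete: haproxy keeps waiting (inspect-delay)
    return buf[5]


def payload_lv(buf, offset, len_bytes):
    """payload_lv(offset,length): the bytes whose length is encoded in
    len_bytes bytes at offset; None if buf is too short for either part."""
    end = offset + len_bytes
    if len(buf) < end:
        return None
    n = int.from_bytes(buf[offset:end], "big")
    return buf[end:end + n] if len(buf) >= end + n else None


class StickTable:
    """The backend's 'stick-table type binary len 32' plus its two stick rules,
    with a plain round-robin fallback when no entry matches."""
    def __init__(self, servers):
        self.servers, self.entries, self._rr = list(servers), {}, 0

    def pick_server(self, client_hello):
        """stick on payload_lv(43,1) if clienthello"""
        sid = payload_lv(client_hello, SID_LEN_OFFSET, 1) \
            if ssl_hello_type(client_hello) == CLIENT_HELLO else None
        if sid and sid in self.entries:
            return self.entries[sid], True          # matched: affinity kept
        srv = self.servers[self._rr % len(self.servers)]
        self._rr += 1
        if sid:
            self.entries[sid] = srv                 # 'stick on' also stores the request key
        return srv, False

    def learn_response(self, server_hello, srv):
        """stick store-response payload_lv(43,1) if serverhello"""
        if ssl_hello_type(server_hello) == SERVER_HELLO:
            sid = payload_lv(server_hello, SID_LEN_OFFSET, 1)
            if sid:
                self.entries[sid] = srv


def backend_hello(offered, cache):
    """Modelled backend ServerHello: echo the offered ID if it is in that
    server's session cache, otherwise a full handshake with a fresh ID."""
    sid = offered if offered in cache else os.urandom(32)
    cache.add(sid)
    return build_hello(SERVER_HELLO, sid)


def simulate(connections, fresh_id_each_time):
    """Run `connections` handshakes through the table and return
    (matched handshakes, table entries, set of servers in the table).
    A client reusing the ID it was given sticks; a client sending a fresh
    random ID every time never matches and round-robins."""
    table = StickTable(["etlive1", "etlive2"])
    caches = {"etlive1": set(), "etlive2": set()}       # per-server session caches
    offered, hits = b"", 0
    for _ in range(connections):
        if fresh_id_each_time:
            offered = os.urandom(32)
        srv, matched = table.pick_server(build_hello(CLIENT_HELLO, offered))
        hits += matched
        sh = backend_hello(offered, caches[srv])
        table.learn_response(sh, srv)
        offered = payload_lv(sh, SID_LEN_OFFSET, 1)     # client remembers the ID it got
    return hits, len(table.entries), set(table.entries.values())
```

`simulate(4, False)` keeps every connection on the first server with a single table entry; `simulate(4, True)` never matches, alternates servers and leaves one entry per hello, which is what a table with entries pointing at both servers indicates: the key in the ClientHello is not the key the table learned. Two caveats a practitioner should keep in mind: the key is only stable when the backend really caches and resumes sessions, and when a client resumes with a session ticket (RFC 5077) the session ID in the hellos is a client-chosen value the server merely echoes, not a cache handle, so the same stickiness rule can stop working without any change to HAProxy. The check that settles it is the one suggested in the thread: capture the frontend side with tcpdump (or rfc5077-client) and compare the session ID in consecutive ClientHello/ServerHello pairs.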
RE: HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessions are not working in my environment
Hello!

I checked the Apache configuration and they are the following:

    SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout 300

Additional information and questions. I was thinking maybe something is wrong with my firewall/HAProxy setup?!

A physical server acts as an iptables firewall with two ethernet interfaces: one is external (Internet side), eth0, and one is an internal interface, eth4. I configured the iptables firewall which has the HAProxy inside, which listens on the internal interface (eth4). It has a NAT and port translation rule: all who make connections to 213.184.41.164 port 443 fall into 192.168.35.254 port 4431. HAProxy listens on this port 4431 (frontend). I also have an access list which controls access to 192.168.35.254 port 4431. There is also a similar NAT and port translation rule for HTTP traffic to help direct traffic to the HTTPS site.

There are also two JBoss servers which are accessed through the firewall (HAProxy) and have Apache web servers in front with mod_proxy with AJP. In the JBoss Java application server runs an application with identity card (http://www.id.ee) authentication on the Apache web servers. Identity card authentication currently works correctly only with HAProxy source IP address stickiness using roundrobin load balancing mode. When I use the SSL session ID stickiness HAProxy configuration then stickiness does not work properly and identity card logins do not work properly, or we can log in but the login would soon be lost etc.

192.168.35.254 is the IP address where the HAProxy frontends are listening on TCP ports 81, 4431
192.168.35.232 is the IP address of one of the web servers
192.168.35.233 is the IP address of one of the web servers

Each server ethernet interface has its own IP address. Which server interfaces must I use with tcpdump to collect information to troubleshoot the SSL session ID?

My HAProxy configuration again:

    defaults
        log global
        option tcplog
        option dontlognull
        retries 3
        option redispatch
        option splice-auto
        timeout connect 5000ms
        timeout client 5ms
        timeout server 5ms
        option tcp-smart-accept
        # option tcp-smart-connect

    frontend etlive_http
        bind 192.168.35.254:81,192.168.35.253:81
        mode http
        redirect location https://eteenindus.mnt.ee/eteenused/main.jsf

    frontend etlive_https
        bind 192.168.35.254:4431,192.168.35.253:4431
        option tcplog
        maxconn 1
        log global
        default_backend etlive_https

    backend etlive_https
        mode tcp
        # option ssl-hello-chk
        # option httpchk GET /test.html
        option tcplog
        balance roundrobin
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2
        # use tcp content accepts to detect ssl client and server hello.
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello
        # no timeout on response inspect delay by default.
        tcp-response content accept if serverhello
        # SSL session ID (SSLID) may be present on a client or server hello.
        # Its length is coded on 1 byte at offset 43 and its value starts
        # at offset 44.
        # Match and learn on request if client hello.
        stick on payload_lv(43,1) if clienthello
        # Learn on response if server hello.
        stick store-response payload_lv(43,1) if serverhello
        server etlive1 192.168.35.232:443 check maxconn 5000
        server etlive2 192.168.35.233:443 check maxconn 5000

Lauri-Alo Adamson
AS Andmevara

-----Original Message-----
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: Sunday, January 05, 2014 9:57 PM
To: Lauri-Alo Adamson; haproxy@formilux.org
Subject: RE: HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessions are not working in my environment

Hi,

> My web servers contain a text file which contains the name of that server.
> Then put the following line into the web browser, https://X.X.X.X/index.txt, and
> browse this page; it displays the server name. One server's file index.txt
> contains the server name etee-live1 and the other server's file contains
> the server name etee-live2. If affinity works, the browser always displays
> the same server name and then the sticky table must contain one entry.
>
> But in my SSL affinity case the web browser displays once one server name
> and on the other refresh the browser displays the other server name. Then I
> look at the sticky table: it displays two entries, but in the SSL affinity
> (SSL sticky session) case there must be one entry.
>
> My sticky table displays:
> echo "show table etlive_https" | socat unix-connect:/var/run/haproxy.stat stdio
> # table: etlive_https, type: binary, size:30720, used:2
> 0x17eddd4: key=7D4CD359DDAB9F3F7F976E7A995045670FFF0118FDDB72773165273BE6DA16FA use=0 exp=1778829 server_id=2
> 0x17ee1d4: key=905273E4AC943682F48106A6BD0486F8FD60F8B80E4860FE7032F7D69DC2 use=0 exp=1783937 server_id=1

That sounds like your apache backend server doesn't actually ca
RE: HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessions are not working in my environment
Hello!

Many thanks for your help.

I'm using Apache web server 2.4.x.

I used three browsers under the MS Windows 7 Professional Service Pack 1 64-bit operating system:

    Windows Internet Explorer Version 9.0.8112.16421, Update Versions 9.0.23, Cipher Strength 256-bit
    Firefox 25.0.1
    Google Chrome Version 31.0.1650.63 m

I will try tcpdump to collect information about server and browser SSL session IDs.

Some questions: If I understood you correctly you suspect that SSL sessions are changing all the time. What software is responsible for changing the SSL session ID - browser, Apache web server?! Does this mean that a browser can't be used with HAProxy with SSL session affinity (sticky SSL sessions)!?

Lauri-Alo Adamson

-----Original Message-----
From: Cyril Bonté [mailto:cyril.bo...@free.fr]
Sent: Saturday, January 04, 2014 9:26 PM
To: Lauri-Alo Adamson; haproxy@formilux.org
Cc: Lukas Tribus
Subject: Re: HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessions are not working in my environment

Hi,

On 04/01/2014 20:09, Lauri-Alo Adamson wrote:
> Are you tcpdumping the frontend traffic?
> If I understood correctly tcpdump displays encrypted traffic without
> the necessary information about affinity

Yes it does. This will allow to check the SSL session id in each ClientHello/ServerHello message. From what I've read in the thread, I'm pretty sure your ID is changing all the time.

Oh btw, you didn't say which browser you were using (and the version).

> < Are you sure your backend servers have a session cache enabled and working?
> The person who configured these apache servers ensures that these things are
> working. I tried source ip based affinity/stickiness and all
> worked as expected
> (http://blog.exceliance.fr/2011/07/12/send-user-to-the-same-backend-for-both-http-and-https/)

Yes sticking on the source ip is a better idea (even if it is not perfect for all usages).

--
Cyril Bonté
RE: HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessions are not working in my environment
Hello!

I will try to answer the questions and explain my case.

My web servers contain a text file which contains the name of that server. Then put the following line into the web browser, https://X.X.X.X/index.txt, and browse this page; it displays the server name. One server's file index.txt contains the server name etee-live1 and the other server's file contains the server name etee-live2. If affinity works, the browser always displays the same server name and then the sticky table must contain one entry.

But in my SSL affinity case the web browser displays once one server name and on the other refresh the browser displays the other server name. Then I look at the sticky table: it displays two entries, but in the SSL affinity (SSL sticky session) case there must be one entry.

My sticky table displays:

    echo "show table etlive_https" | socat unix-connect:/var/run/haproxy.stat stdio
    # table: etlive_https, type: binary, size:30720, used:2
    0x17eddd4: key=7D4CD359DDAB9F3F7F976E7A995045670FFF0118FDDB72773165273BE6DA16FA use=0 exp=1778829 server_id=2
    0x17ee1d4: key=905273E4AC943682F48106A6BD0486F8FD60F8B80E4860FE7032F7D69DC2 use=0 exp=1783937 server_id=1

< Are you tcpdumping the frontend traffic?
If I understood correctly tcpdump displays encrypted traffic without the necessary information about affinity.

< Are you sure your backend servers have a session cache enabled and working?
The person who configured these apache servers ensures that these things are working. I tried source IP based affinity/stickiness and all worked as expected (http://blog.exceliance.fr/2011/07/12/send-user-to-the-same-backend-for-both-http-and-https/).

NB: I will try to make my HAProxy with

    make clean; make TARGET=linux2628 CPU=native USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1

and try to experiment with SSL session affinity again.

Lauri-Alo Adamson

-----Original Message-----
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: Friday, January 03, 2014 11:41 PM
To: Lauri-Alo Adamson; haproxy@formilux.org
Subject: RE: HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessions are not working in my environment

Hi,

> Hello,
>
> Many thanks for your reply.
> This thing is even stranger: I downloaded and compiled several versions
> of HAproxy 1.5.x.x and the result was always the same.
>
> I experimented with the following versions.
>
> At first I tested with
> http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev21.tar.gz
>
> After that I tested with these:
> http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev20.tar.gz
> http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev18.tar.gz
> http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev17.tar.gz
>
> The latest downloaded was haproxy-ss-LATEST.tar.gz from
> http://haproxy.1wt.eu/download/1.5/src/snapshot/
>
> All the time the result was the same.

Well, your make line looks very specific, what's the reason you use those CFLAGS manually and don't use on the other hand a specific TARGET?

I suggest you give this a try:

    make clean; make TARGET=linux2628 CPU=native USE_PCRE=1 USE_OPENSSL=1 \
    USE_ZLIB=1

With the custom make TARGET, you are not using epoll, falling back to the slower poll(). This shouldn't make any difference regarding the ssl affinity though.

Regarding that, your configuration looks ok, and you have tested different releases, which makes me think the issue may not be in haproxy.

How do you know HAProxy doesn't maintain the correct affinity? Are you tcpdumping the frontend traffic? Are you sure your backend servers have a session cache enabled and working?

Regards,
Lukas
RE: HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessions are not working in my environment
Hello,

Many thanks for your reply.

This thing is even stranger: I downloaded and compiled several versions of HAproxy 1.5.x.x and the result was always the same.

I experimented with the following versions.

At first I tested with
http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev21.tar.gz

After that I tested with these:
http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev20.tar.gz
http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev18.tar.gz
http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev17.tar.gz

The latest downloaded was haproxy-ss-LATEST.tar.gz from
http://haproxy.1wt.eu/download/1.5/src/snapshot/

All the time the result was the same.

Lauri-Alo Adamson

-----Original Message-----
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: Thursday, January 02, 2014 5:35 PM
To: Lauri-Alo Adamson; haproxy@formilux.org
Subject: RE: HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessions are not working in my environment

Hi,

> Problem description: when I access my two web servers through
> HA-Proxy version 1.5-dev21-51437d2 2013/12/29
>
> it acts as round robin load balancing without any ssl sticky sessions
> effect. I would be very pleased if someone could help to make sticky ssl
> sessions work without ssl offload.

Was this previously working and an upgrade to dev-21 introduced this problem, or is this a new configuration which never worked?

If the former is the case, please indicate what release you used previously and, if possible, try dev-20 and dev-19.

Also, you said you are using dev21-51437d2, which is actually post dev-21, so I suspect you are using git to download the source code. Are you able to "git bisect" this behavior?

Regards,
Lukas
HA-Proxy version 1.5-dev21-51437d2 2013/12/29 sticky ssl sessions are not working in my environment
Hello!

Problem description: when I access my two web servers through HA-Proxy version 1.5-dev21-51437d2 2013/12/29 it acts as round robin load balancing without any sticky SSL sessions effect. I would be very pleased if someone could help to make sticky SSL sessions work without SSL offload.

Additional information:

My sticky table output produced by the following command:

    echo "show table etlive_https" | socat unix-connect:/var/run/haproxy.stat stdio
    # table: etlive_https, type: binary, size:30720, used:4
    0x11b7974: key=0F242856F62F68D2E7C50F7B809D577B00CE7758F74992B4F104A50724153CC6 use=0 exp=1777208 server_id=2
    0x11b7ad4: key=11B93E6CEC80076086F73CAFCDA6CEC90E55E12BCBCDD6278181201DA01E505A use=0 exp=1778917 server_id=2
    0x11b7a24: key=7A4D134D9E7E02F35E68D69A516EA3DD965C75CA424E1E9BF08014232F7D3A3A use=0 exp=1777300 server_id=1
    0x11b7774: key=D2564D3480E88117FD3864376E17BA6C5BA27E18D5000CEB2C888F18ADAAB550 use=0 exp=1773268 server_id=1

I compiled and linked haproxy under Debian Linux using the following make options:

    make TARGET=custom CPU=native USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_LINUX_SPLICE=1 TARGET_CFLAGS="-O2 -mmmx -msse -mfpmath=sse -ffast-math -funsafe-loop-optimizations -funsafe-math-optimizations -fweb -frename-registers -fforce-addr -maccumulate-outgoing-args -momit-leaf-frame-pointer -funswitch-loops -fstack-protector"

and installed it:

    make PREFIX=/usr/local/haproxy install

My Linux operating system is Linux lb1 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux

My haproxy information (haproxy -vv):

    HA-Proxy version 1.5-dev21-51437d2 2013/12/29
    Copyright 2000-2013 Willy Tarreau

    Build options :
      TARGET  = custom
      CPU     = native
      CC      = gcc
      CFLAGS  = -O2 -march=native -g -fno-strict-aliasing -O2 -mmmx -msse -mfpmath=sse -ffast-math -funsafe-loop-optimizations -funsafe-math-optimizations -fweb -frename-registers -fforce-addr -maccumulate-outgoing-args -momit-leaf-frame-pointer -funswitch-loops -fstack-protector
      OPTIONS = USE_LINUX_SPLICE=1 USE_ZLIB=1 USE_POLL=default USE_OPENSSL=1 USE_PCRE=1

    Default settings :
      maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

    Encrypted password support via crypt(3): no
    Built with zlib version : 1.2.7
    Compression algorithms supported : identity, deflate, gzip
    Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
    Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports prefer-server-ciphers : yes
    Built with PCRE version : 8.30 2012-02-04
    PCRE library supports JIT : no (USE_PCRE_JIT not set)
    Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND

    Available polling systems :
          poll : pref=200,  test result OK
        select : pref=150,  test result OK
    Total: 2 (2 usable), will use poll.

My haproxy configuration file haproxy.cfg content:

    global
        #stats socket /var/run/haproxy.sock mode 666
        stats socket /var/run/haproxy.stat mode 666
        log /dev/log local0 info
        log /dev/log local0 notice
        # log 127.0.0.1 local0
        chroot /var/lib/haproxy
        maxconn 10
        maxpipes 3
        ulimit-n 50
        user root
        group haproxy
        daemon

    defaults
        log global
        option tcplog
        option dontlognull
        retries 3
        option redispatch
        option splice-auto
        timeout connect 5000ms
        timeout client 5ms
        timeout server 5ms
        option tcp-smart-accept
        # option tcp-smart-connect

    frontend etlive_https
        bind 192.168.35.254:4431,192.168.35.253:4431
        option tcplog
        maxconn 1
        log global
        default_backend etlive_https

    backend etlive_https
        mode tcp
        option ssl-hello-chk
        # option httpchk GET /test.html
        option tcplog
        balance roundrobin
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2
        # use tcp content accepts to detect ssl client and server hello.
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello
        # no timeout on response inspect delay by default.
        tcp-response content accept if serverhello
        # SSL session ID (SSLID) may be present on a client or server hello.
        # Its length is coded on 1 byte at offset 43 and its value starts
        # at offset 44.
        # Match and learn on request if client hello.
        stick on payload_lv(43,1) if clienthello
        # Learn on response if server hello.
        stick store-response payload_lv(43,1) if serverhello
        server etlive1 192.168.35.232:443 check maxconn 5000
        server etlive2 192.168.35.233:443 check maxconn 5000

Lauri-Alo Adamson
RE: Troubles of HAproxy 1.5-dev SSL-ID configuration
Hello again!

Many thanks for your answers! I would be very pleased with a snapshot. I will try to be more patient. I will try both: the older HAProxy developer version and the new developer version with the patch.

Lauri-Alo Adamson
AS Andmevara

-----Original Message-----
From: Willy Tarreau [mailto:w...@1wt.eu]
Sent: Tuesday, May 10, 2011 12:35 AM
To: Cyril Bonté
Cc: Lauri-Alo Adamson; haproxy@formilux.org
Subject: Re: Troubles of HAproxy 1.5-dev SSL-ID configuration

On Mon, May 09, 2011 at 08:13:43PM +0200, Cyril Bonté wrote:
> Hi,
>
> On Monday 9 May 2011 07:41:50, Lauri-Alo Adamson wrote:
> > Hello!
> >
> > Nobody has answered my e-mail yet, it's sad! Is there some
> > kind of haproxy developer mailing list where the development
> > versions are the subject of discussion?
>
> Oh yes, it was 1 month ago.
>
> > I have configured Cisco CSS devices and have some experience with
> > them. Then I thought that I would try the HAproxy development version that
> > supports sticky SSL, and I installed debian 6.0.1 x86_64 into a VMware
> > ESXi virtual machine and installed HAproxy 1.5-dev6. After that I
> > tried to create a HAproxy configuration that uses sticky SSL sessions,
> > and when I try to start Haproxy I get the following error message:
> >
> > root@haproxy:# /usr/local/sbin/haproxy -f /etc/haproxy/haproxy.conf
> > [ALERT] 101/163223 (1993) : Proxy 'https': type of pattern not
> > usable with type of stick-table 'https'.
> > [ALERT] 101/163223 (1993) : Proxy 'https': type of pattern not
> > usable with type of stick-table 'https'.
> > [ALERT] 101/163223 (1993) : Fatal errors found in configuration.
> >
> > and the haproxy daemon does not start.
> >
> > If I understand correctly I do not need to use a tunnel to use SSL
> > sticky session configurations. My SSL sticky session configuration
> > originates from the HAproxy 1.5-dev documentation folder, file
> > configuration.txt, example "# Learn SSL session ID from both request
> > and response and create affinity".
> >
> > I would be pleased if anyone could explain whether it is a bug of the
> > HAproxy development version or is it my configuration problem!
>
> It is a regression in HAProxy, I'll send a patch tonight after doing
> some more tests. I've identified a missing line in the code but I must
> check if there's no other parts that can affect the feature.
>
> For now, you can still try with haproxy 1.5-dev3, which doesn't have the bug.

Cyril's fix will be in tomorrow's snapshot if you're interested.

BTW Lauri-Alo, when one of your mails is not replied to in some reasonable delay ("reasonable" remaining to be defined by you), do not hesitate to repost. It's quite common on mailing lists that some mails are left unreplied forever, sometimes because some posters found a solution and do not report it, sometimes because they changed the initial requirements etc... I still have quite a number of unread mails in my box that will probably never be read, as they're simply too old.

Regards,
Willy
Troubles of HAproxy 1.5-dev SSL-ID configuration
Hello!

Nobody has answered my e-mail yet, it's sad! Is there some kind of haproxy developer mailing list where the development versions are the subject of discussion?

I have configured Cisco CSS devices and have some experience with them. Then I thought that I would try the HAproxy development version that supports sticky SSL, and I installed debian 6.0.1 x86_64 into a VMware ESXi virtual machine and installed HAproxy 1.5-dev6. After that I tried to create a HAproxy configuration that uses sticky SSL sessions, and when I try to start Haproxy I get the following error message:

    root@haproxy:# /usr/local/sbin/haproxy -f /etc/haproxy/haproxy.conf
    [ALERT] 101/163223 (1993) : Proxy 'https': type of pattern not usable with type of stick-table 'https'.
    [ALERT] 101/163223 (1993) : Proxy 'https': type of pattern not usable with type of stick-table 'https'.
    [ALERT] 101/163223 (1993) : Fatal errors found in configuration.

and the haproxy daemon does not start.

If I understand correctly I do not need to use a tunnel to use SSL sticky session configurations. My SSL sticky session configuration originates from the HAproxy 1.5-dev documentation folder, file configuration.txt, example "# Learn SSL session ID from both request and response and create affinity".

I would be pleased if anyone could explain whether it is a bug of the HAproxy development version or is it my configuration problem!

Lauri Adamson
AS Andmevara

My haproxy.config content is the following:

    global
        user haproxy
        group haproxy
        stats socket /tmp/haproxy
        daemon

    defaults
        contimeout 500
        clitimeout 500
        srvtimeout 500

    listen stats :1936
        mode http
        stats enable
        stats hide-version
        stats scope .
        stats realm Haproxy\ Statistics
        stats uri /stats
        stats auth Username:Password

    listen http 10.1.0.44:80
        mode tcp
        balance leastconn
        maxconn 1
        server web1 10.244.129.1:80 check
        server web2 10.244.129.2:80 check

    listen https 10.1.0.44:443
        mode tcp
        balance leastconn
        maxconn 1
        # maximum SSL session ID length is 32 bytes.
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2
        # use tcp content accepts to detect ssl client and server hello.
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello
        # no timeout on response inspect delay by default.
        tcp-response content accept if serverhello
        # SSL session ID (SSLID) may be present on a client or server hello.
        # Its length is coded on 1 byte at offset 43 and its value starts
        # at offset 44.
        # Match and learn on request if client hello.
        stick on payload_lv(43,1) if clienthello
        # Learn on response if server hello.
        stick store-response payload_lv(43,1) if serverhello
        server web1 10.244.129.1:443 check
        server web2 10.244.129.2:443 check
HAproxy 1.5-dev SSL-ID troubles
Hello!

I have configured Cisco CSS devices and have some experience with them. Then I thought that I would try the HAproxy development version that supports sticky SSL, and I installed debian 6.0.1 x86_64 into a VMware ESXi virtual machine and installed HAproxy 1.5-dev6. After that I tried to create a HAproxy configuration that uses sticky SSL sessions, and when I try to start Haproxy I get the following error message:

    root@haproxy:# /usr/local/sbin/haproxy -f /etc/haproxy/haproxy.conf
    [ALERT] 101/163223 (1993) : Proxy 'https': type of pattern not usable with type of stick-table 'https'.
    [ALERT] 101/163223 (1993) : Proxy 'https': type of pattern not usable with type of stick-table 'https'.
    [ALERT] 101/163223 (1993) : Fatal errors found in configuration.

and the haproxy daemon does not start.

If I understand correctly I do not need to use a tunnel to use SSL sticky session configurations. My SSL sticky session configuration originates from the HAproxy 1.5-dev documentation folder, file configuration.txt, example "# Learn SSL session ID from both request and response and create affinity".

I would be pleased if anyone could explain whether it is a bug of the HAproxy development version or is it my configuration problem!

Lauri Adamson
AS Andmevara

My haproxy.config content is the following:

    global
        user haproxy
        group haproxy
        stats socket /tmp/haproxy
        daemon

    defaults
        contimeout 500
        clitimeout 500
        srvtimeout 500

    listen stats :1936
        mode http
        stats enable
        stats hide-version
        stats scope .
        stats realm Haproxy\ Statistics
        stats uri /stats
        stats auth Username:Password

    listen http 10.1.0.44:80
        mode tcp
        balance leastconn
        maxconn 1
        server web1 10.244.129.1:80 check
        server web2 10.244.129.2:80 check

    listen https 10.1.0.44:443
        mode tcp
        balance leastconn
        maxconn 1
        # maximum SSL session ID length is 32 bytes.
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2
        # use tcp content accepts to detect ssl client and server hello.
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello
        # no timeout on response inspect delay by default.
        tcp-response content accept if serverhello
        # SSL session ID (SSLID) may be present on a client or server hello.
        # Its length is coded on 1 byte at offset 43 and its value starts
        # at offset 44.
        # Match and learn on request if client hello.
        stick on payload_lv(43,1) if clienthello
        # Learn on response if server hello.
        stick store-response payload_lv(43,1) if serverhello
        server web1 10.244.129.1:443 check
        server web2 10.244.129.2:443 check