Re: [RFC PATCH] HTTPS connection reuse with SNI

2019-12-20 Thread Joshua Knox
Hi Julien - I'm not entirely sure I understand your comment.

I think that you may be saying that the connection should never be flagged
as private for SNI.  That makes sense to me, and would be an easy
alternative diff, but seems to run counter to Willy's intent in
commit 387ebf84dd, as well as the current state of the docs.

My read of ssl_sock_set_servername is that the case where a given backend
happens to be targeting multiple instances of applications served via SNI
from a single IP is already handled - if the hostname doesn't match, the
(SSL | TLS) handshake is forced, which I think means that the only
component of connection reuse in that case would be at the TCP level (and I
believe desirable for performance).

Is the following diff what you had in mind, or did you have a different
intent?

diff --git a/doc/configuration.txt b/doc/configuration.txt
index fdcdb04fa..ff5bbf573 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -5265,9 +5265,6 @@ http-reuse { never | safe | aggressive | always }
 - connections made with "usesrc" followed by a client-dependent value
   ("client", "clientip", "hdr_ip") are marked private and never shared;

-- connections sent to a server with a TLS SNI extension are marked
private
-  and are never shared;
-
 - connections with certain bogus authentication schemes (relying on the
   connection) like NTLM are detected, marked private and are never
shared;
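Review bot: deleting this bullet outright leaves the http-reuse documentation silent on SNI, so a reader can no longer tell whether a connection carrying a TLS SNI extension is shareable; replace it with a line stating that such connections are now shared like any other and that a differing server name forces a fresh handshake on the reused connection, which is the behaviour the cover text relies on. Separately, the mailer has wrapped this hunk ("private" and "shared;" sit on their own lines with no diff prefix), so the patch will not apply as posted; resend it as an attachment or via git send-email.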

diff --git a/src/backend.c b/src/backend.c
index ebc5050cb..b7b335262 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -1581,7 +1581,6 @@ int connect_server(struct stream *s)
if (smp_make_safe(smp)) {
ssl_sock_set_servername(srv_conn,

smp->data.u.str.area);
-   srv_conn->flags |= CO_FL_PRIVATE;
}
}
 #endif /* USE_OPENSSL */
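Review bot: the flag is dropped unconditionally here, so SNI connections become reusable under "safe" as well as "always", which goes further than the 2019-12-18 version of this patch (gated on PR_O_REUSE_ALWS) and reverses the intent of commit 387ebf84dd mentioned above; the commit message should state explicitly that the only remaining protection is ssl_sock_set_servername forcing a new handshake when the stored name differs, so reviewers can verify that assumption in the SSL code rather than in the cover letter. The context lines have also lost their indentation in transit (note the stray blank line before "smp->data.u.str.area);"), so this hunk will not apply as-is either.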


On Thu, Dec 19, 2019 at 12:24 AM Julien Pivotto wrote:

> On 18 Dec 16:46, Joshua Knox wrote:
> > A github issue was filed at
> https://github.com/haproxy/haproxy/issues/371
> >
> > The CONTRIBUTING guidelines requested discussion on the list; I believe
> the
> > included diff would address that issue and arguably be less surprising
> > behavior.
> >
> > The comment from ehocdet on the issue indicated that connection reuse
> could
> > be reused if SNI was incorporated into connection selection criteria.  I
> > think that that larger change would make sense for reuse in "http-reuse
> > safe" mode.
> >
> > There are currently a number of explicit checks for "http-reuse never"
> that
> > set the private connection flag (CO_FL_PRIVATE); I think that failing to
> > set it in this case is the logical counterpart.
> >
> > Thanks in advance,
> > Josh
>
> I would actually like the idea to remove the criteria to not reuse SNI
> connection, even in safe mode. After all there is no big difference
> once the connection is established and we can not change the value of
> sni() between requests anyway.
>
> --
>  (o-Julien Pivotto
>  //\Open-Source Consultant
>  V_/_   Inuits - https://www.inuits.eu
>


Re: [RFC PATCH] HTTPS connection reuse with SNI

2019-12-19 Thread Julien Pivotto
On 18 Dec 16:46, Joshua Knox wrote:
> A github issue was filed at https://github.com/haproxy/haproxy/issues/371
> 
> The CONTRIBUTING guidelines requested discussion on the list; I believe the
> included diff would address that issue and arguably be less surprising
> behavior.
> 
> The comment from ehocdet on the issue indicated that connection reuse could
> be reused if SNI was incorporated into connection selection criteria.  I
> think that that larger change would make sense for reuse in "http-reuse
> safe" mode.
> 
> There are currently a number of explicit checks for "http-reuse never" that
> set the private connection flag (CO_FL_PRIVATE); I think that failing to
> set it in this case is the logical counterpart.
> 
> Thanks in advance,
> Josh

I would actually like the idea to remove the criteria to not reuse SNI
connection, even in safe mode. After all there is no big difference
once the connection is established and we can not change the value of
sni() between requests anyway.

-- 
 (o-Julien Pivotto
 //\Open-Source Consultant
 V_/_   Inuits - https://www.inuits.eu




[RFC PATCH] HTTPS connection reuse with SNI

2019-12-18 Thread Joshua Knox
A github issue was filed at https://github.com/haproxy/haproxy/issues/371

The CONTRIBUTING guidelines requested discussion on the list; I believe the
included diff would address that issue and arguably be less surprising
behavior.

The comment from ehocdet on the issue indicated that connection reuse could
be reused if SNI was incorporated into connection selection criteria.  I
think that that larger change would make sense for reuse in "http-reuse
safe" mode.

There are currently a number of explicit checks for "http-reuse never" that
set the private connection flag (CO_FL_PRIVATE); I think that failing to
set it in this case is the logical counterpart.

Thanks in advance,
Josh

diff --git a/doc/configuration.txt b/doc/configuration.txt
index fdcdb04fa..3d00ecbd9 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -5266,7 +5266,7 @@ http-reuse { never | safe | aggressive | always }
   ("client", "clientip", "hdr_ip") are marked private and never shared;

 - connections sent to a server with a TLS SNI extension are marked
private
-  and are never shared;
+  and are never shared unless the mode is "always";

 - connections with certain bogus authentication schemes (relying on the
   connection) like NTLM are detected, marked private and are never
shared;
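Review bot: the new wording is self-contradictory: it still says these connections "are marked private" while adding that they are shared in "always" mode, but the code change stops setting CO_FL_PRIVATE in that mode, so they are not private there at all. Suggested text: "- connections sent to a server with a TLS SNI extension are marked private and are never shared, except when the mode is "always", in which case they are not marked private;". The hunk has also been line-wrapped by the mailer ("private" and "shared;" have lost their leading space), so it will need resending before it can be applied.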
diff --git a/src/backend.c b/src/backend.c
index ebc5050cb..5cc866d27 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -1581,7 +1581,10 @@ int connect_server(struct stream *s)
if (smp_make_safe(smp)) {
ssl_sock_set_servername(srv_conn,

smp->data.u.str.area);
-   srv_conn->flags |= CO_FL_PRIVATE;
+
+   if ((s->be->options & PR_O_REUSE_MASK) !=
PR_O_REUSE_ALWS) {
+   srv_conn->flags |= CO_FL_PRIVATE;
+   }
}
}
 #endif /* USE_OPENSSL */
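Review bot: the condition exempts only PR_O_REUSE_ALWS, so "aggressive" keeps marking SNI connections private even though it otherwise shares more freely than "safe"; either explain in the commit message why "always" alone was chosen, or address the reply in this thread that argues the flag can be dropped in "safe" mode too, since sni() cannot change between requests on an established connection. Minor: the empty "+" line before the if adds a trailing blank, and the hunk's indentation has been mangled in transit, so it will not apply as posted.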