@MrBasset wrote:
Hi,
We recently deployed a change to our HAProxy configuration for a client that needed to handle multiple different SSL certs and behaviours over the same IP/port combination. For reasons I won't go into, we couldn't consider additional IPs, so instead we looked to utilise the SNI routing discussed in this blog to route the requests to different internal front-ends where we could terminate and handle the SSL as appropriate.
The configuration works and we have had no issues with the routing; however, the number of reported connections within the HAProxy stats doubled for the frontends and backends operating in TCP mode, whereas the frontends/backends performing the SSL termination continue to report a similar number of connections to the figures we had prior to the change.
For example, using the names in the configuration below, fe_TCP_SNI_Entry and be_Entry_B report 330 connections, whereas fe_Web_Https_B reports 165 connections.
Has anyone experienced anything similar, or have any suggestions as to why there is this difference (and an exact doubling of the connections)? The increase in reported connections is playing havoc with our monitoring and scaling configuration.
HAProxy version:
    $ haproxy -v
    HA-Proxy version 1.6.4 2016/03/13
(yes, we know that we need to update)
Sanitised configuration:

    global
        user haproxy
        group haproxy
        maxconn 100000
        spread-checks 5
        pidfile /var/run/haproxy.pid
        chroot /var/lib/haproxy
        stats socket /var/run/haproxy.sock mode 600 user haproxy level admin
        stats socket /caci/haproxy/stats/haproxy.sock mode 600 user shinken level operator
        log 127.0.0.1 local3 info
        # default SSL locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
        <snip ... removed SSL opts and ciphers />

    defaults
        log global
        mode http
        # Don't log messages with no data exchange - relying on BrightSolid to protect from port scans
        option dontlognull
        option log-separate-errors
        option splice-auto
        option http-server-close
        option redispatch
        option contstats
        retries 3
        <snip ... removed timeouts and errors />

    frontend fe_TCP_SNI_Entry
        mode tcp
        bind 0.0.0.0:443
        tcp-request inspect-delay 2s
        tcp-request content accept if { req_ssl_hello_type 1 }
        acl admin req.ssl_sni -i admin."${HAPROXY_DOMAIN}"
        no log
        use_backend be_Entry_A if admin
        use_backend be_Entry_B

    backend be_Entry_B
        ## Performs an internal proxy redirect to the conventional HTTP SSL termination.
        mode tcp
        server localhost localhost:46870 send-proxy

    frontend fe_Web_Https_B
        mode http
        ## Perform SSL termination
        bind localhost:46870 accept-proxy ssl crt /etc/ssl/private/web.pem
        <snip ... removed server def />

    backend be_Entry_A
        ## Performs an internal proxy redirect to the HTTP frontend where ACL rules are applied.
        mode tcp
        server localhost localhost:46869 send-proxy

    frontend fe_Web_Https_A
        bind localhost:46869 accept-proxy ssl crt /etc/ssl/private/web2.pem ca-file /etc/ssl/private/client.crt verify optional crt-ignore-err all
        <snip ... removed SSL client certs and server definitions />
Thanks in advance,
MrBasset
Posts: 3
Participants: 2
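The post above is asking why the TCP-mode hops of the SNI chain count twice what the terminating HTTPS frontends count, and notes that monitoring and scaling are being driven off the inflated figures. Before alerting on any of these counters it helps to read them all from the same `show stat` snapshot and compare them hop by hop. The script below is an added example, not code from the original post or from the HAProxy project: it parses the CSV that HAProxy's stats socket returns for `show stat` (the `/var/run/haproxy.sock` path is the one in the posted config), takes the cumulative session counter `stot` from each FRONTEND/BACKEND summary row, and for each chain `be_Entry_X -> fe_Web_Https_X` (the mapping is taken from the posted config) reports the ratio between the passthrough backend and the terminating frontend, plus how many entry-frontend sessions never reached any backend. The sample CSV is constructed to mirror the symptom in the post; the real output has around eighty columns and a trailing comma on every line, and the parser looks columns up by header name, so the truncated sample is only a convenience.

```python
import csv
import io

# Constructed sample of the CSV that
#   echo "show stat" | socat stdio /var/run/haproxy.sock
# returns, truncated to the columns this script uses. Real output has ~80
# columns and a trailing comma on every line; columns are located by header
# name, so the truncation does not matter. The numbers are made up to mirror
# the symptom in the post: TCP-mode entry frontend and backends count twice
# what the terminating HTTPS frontends count.
SAMPLE_SHOW_STAT = """\
# pxname,svname,qcur,qmax,scur,smax,slim,stot,
fe_TCP_SNI_Entry,FRONTEND,,,14,48,100000,354,
be_Entry_B,localhost,0,0,12,40,,330,
be_Entry_B,BACKEND,0,0,12,40,10000,330,
fe_Web_Https_B,FRONTEND,,,6,20,100000,165,
be_Entry_A,localhost,0,0,2,8,,24,
be_Entry_A,BACKEND,0,0,2,8,10000,24,
fe_Web_Https_A,FRONTEND,,,1,4,100000,12,
"""

# SNI routing chains taken from the posted config:
# entry frontend -> passthrough TCP backend -> terminating HTTPS frontend.
ENTRY_FRONTEND = "fe_TCP_SNI_Entry"
CHAINS = {
    "be_Entry_B": "fe_Web_Https_B",
    "be_Entry_A": "fe_Web_Https_A",
}


def parse_show_stat(text):
    """Parse `show stat` CSV into {(pxname, svname): {column: value}}."""
    lines = text.splitlines()
    # Header line starts with "# " and ends with a trailing comma.
    header = lines[0].lstrip("# ").rstrip(",").split(",")
    rows = {}
    for fields in csv.reader(io.StringIO("\n".join(lines[1:]))):
        if not fields:
            continue
        row = dict(zip(header, fields))  # zip drops the trailing empty field
        rows[(row["pxname"], row["svname"])] = row
    return rows


def session_totals(rows):
    """Cumulative sessions (stot) per proxy, from its FRONTEND/BACKEND summary row."""
    return {
        px: int(row["stot"] or 0)
        for (px, sv), row in rows.items()
        if sv in ("FRONTEND", "BACKEND")
    }


def chain_report(rows, entry=ENTRY_FRONTEND, chains=CHAINS):
    """Compare counters along each SNI chain from one snapshot.

    ratios   - backend stot / terminating frontend stot per chain. Each session
               the passthrough backend opens to localhost:PORT is one accept on
               the terminating frontend, so 1.0 is the expected value; anything
               else needs explaining before alerting or scaling on the TCP hops.
    unrouted - entry frontend stot minus the sum of its backends' stot: sessions
               that ended before a backend was chosen (e.g. the client went
               away during the tcp-request inspect-delay window).
    scaling  - the terminating frontends' stot, the figures the post says still
               match the pre-change per-client-connection numbers.
    """
    totals = session_totals(rows)
    ratios = {}
    for backend, term_fe in chains.items():
        term = totals.get(term_fe, 0)
        ratios[backend] = (totals.get(backend, 0) / term) if term else None
    unrouted = totals.get(entry, 0) - sum(totals.get(b, 0) for b in chains)
    scaling = {fe: totals.get(fe, 0) for fe in chains.values()}
    return {"ratios": ratios, "unrouted": unrouted, "scaling": scaling}


if __name__ == "__main__":
    report = chain_report(parse_show_stat(SAMPLE_SHOW_STAT))
    for backend, ratio in report["ratios"].items():
        flag = "" if ratio == 1.0 else "  <-- hops disagree, do not alert on the TCP counters yet"
        print(f"{backend:12s} -> {CHAINS[backend]:15s} stot ratio {ratio}{flag}")
    print("entry sessions that never reached a backend:", report["unrouted"])
    print("per-client-connection figures to scale on:", report["scaling"])
```

To run it against a live process, replace `SAMPLE_SHOW_STAT` with the output of `show stat` read from the stats socket (the `level operator` socket in the posted config is enough for that command). The `unrouted` figure separates two different explanations for a mismatch: if it is non-zero, part of the entry frontend's count is sessions the 2s inspect window dropped; if it is zero and the ratio is still 2.0, the extra sessions really are traversing the TCP backend and the question belongs to the backend/server hop.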