Hi,
I'm running into a problem when using HTTP pipelining (SVN client) with
an HAProxy SSL frontend. It appears that sometimes (randomly) after
several pipelined requests have been processed, the next pipelined
request on the same SSL socket is simply ignored, as if the request has
not been read from the TLS stream.
The client hangs waiting for a response, and the server idles (calling
poll).
The behaviour can be observed when using an SSL (HTTPS) listener, but
not when using a regular HTTP listener. It occurs when using poll,
epoll, and select modes. It does not occur when using stud as a
standalone TLS proxy in front of HAProxy.
As per my previous bug report, the client is on a slow DSL connection
and the backend on a gigabit connection. I am also running a patch
provided by Willy for my previous bug. I hope this is not relevant.
Please find the following potentially useful files at
http://nutty.tk/haproxy-4.tar.gz (too large for email)
* Configuration file
* Packet trace (Backend HTTP + Frontend HTTPS)
* strace -o log -qvxT -tts 16384 -p 13865
* SVN Client output
* TLS key and certificate
Sorry for making work for you this week!
Version information:
HA-Proxy version 1.5.13 2015/06/26
Copyright 2000-2015 Willy Tarreau <willy@haproxy.org>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing
OPTIONS = USE_OPENSSL=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built without PCRE support (using libc's regex instead)
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Charlie
Charlie Smurthwaite aTech Media
tel. 01202 901 222 (ext. 603) email. charlie@atechmedia.com web. http://atechmedia.com
aTech Media Limited is a registered company in England and Wales. Registration Number 5523199. Registered Office: Unit 9 Winchester Place, North Street, Poole, Dorset, BH15 1NX. VAT Registration Number: GB 868 861 560. This e-mail is confidential and for the intended recipient only. If you are not the intended recipient, be advised that you have received this e-mail in error and that any use, dissemination, forwarding, printing, or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender.