Hi,
We recently deployed a change to our HAProxy configuration for a client that needed to handle multiple different SSL certs and behaviours over the same IP/Port combination. For reasons I won't go into, we couldn't consider additional IPs, so instead we looked to utilise the SNI routing discussed in this blog to route the requests to different internal front-ends where we could terminate and handle the SSL as appropriate.
The configuration works and we have had no issues with the routing; however, the number of reported connections within the haproxy stats doubled for the Front Ends and Backends operating in TCP mode, whereas the Front Ends/Backends performing the SSL termination continue to report a similar number of connections to the figures we had prior to the change.
For example, using the names in the configuration below, fe_TCP_SNI_Entry and be_Entry_B report 330 connections, whereas fe_Entry_Web_B reports 165 connections.
Has anyone experienced anything similar, or have any suggestions as to why this difference (and exact doubling of the connections) occurs? The increase in reported connections is playing havoc with our monitoring and scaling configuration.
HAProxy version:

```
$ haproxy -v
HA-Proxy version 1.6.4 2016/03/13
```

(yes, we know that we need to update)
Sanitised Configuration

```
global
    user haproxy
    group haproxy
    maxconn 100000
    spread-checks 5
    pidfile /var/run/haproxy.pid
    chroot /var/lib/haproxy
    stats socket /var/run/haproxy.sock mode 600 user haproxy level admin
    stats socket /caci/haproxy/stats/haproxy.sock mode 600 user shinken level operator
    log 127.0.0.1 local3 info
    #default SSL locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    <snip ... removed SSL opts and ciphers />

defaults
    log global
    mode http
    #Don't log messages with no data exchange - relying on BrightSolid to protect from port scans
    option dontlognull
    option log-separate-errors
    option splice-auto
    option http-server-close
    option redispatch
    option contstats
    retries 3
    <snip ... removed timeouts and errors />

frontend fe_TCP_SNI_Entry
    mode tcp
    bind 0.0.0.0:443
    tcp-request inspect-delay 2s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl admin req.ssl_sni -i admin."${HAPROXY_DOMAIN}"
    no log
    use_backend be_Entry_A if admin
    use_backend be_Entry_B

backend be_Entry_B
    ## Performs an internal proxy redirect to the conventional HTTP SSL termination.
    mode tcp
    server localhost localhost:46870 send-proxy

frontend fe_Web_Https_B
    mode http
    ## Perform SSL termination
    bind localhost:46870 accept-proxy ssl crt /etc/ssl/private/web.pem
    <snip ... removed server def />

backend be_Entry_A
    ## Performs an internal proxy redirect to the HTTP frontend where ACL rules are applied.
    mode tcp
    server localhost localhost:46869 send-proxy

frontend fe_Web_Https_A
    bind localhost:46869 accept-proxy ssl crt /etc/ssl/private/web2.pem ca-file /etc/ssl/private/client.crt verify optional crt-ignore-err all
    <snip ... remove SSL client certs and server definitions />
```
Thanks in advance,
MrBasset
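To illustrate what the TCP-mode frontend above is actually inspecting before it picks a backend, here is an added example (not part of the post or of HAProxy) that builds a minimal TLS ClientHello with an SNI extension, parses it the way `req_ssl_hello_type` and `req.ssl_sni` do, and applies the same routing rule as the `admin` ACL. The hostnames and the `example.test` stand-in for `${HAPROXY_DOMAIN}` are constructed placeholders.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    host = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # type host_name + len + name
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_entry) + 2)           # ext type server_name, ext len
               + struct.pack("!H", len(sni_entry)) + sni_entry)         # server_name_list length
    body = (b"\x03\x03" + b"\x00" * 32                                  # client_version, random
            + b"\x00"                                                   # session_id length 0
            + b"\x00\x02\x00\x2f"                                       # one cipher suite
            + b"\x01\x00"                                               # one (null) compression method
            + struct.pack("!H", len(sni_ext)) + sni_ext)                # extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(data: bytes):
    """Return (handshake_type, sni) as req_ssl_hello_type / req.ssl_sni would see them, else Nones."""
    if len(data) < 6 or data[0] != 0x16:          # not a TLS handshake record at all
        return None, None
    hello_type = data[5]
    if hello_type != 1:                           # handshake, but not a ClientHello
        return hello_type, None
    p = 9 + 2 + 32                                # skip record hdr, handshake hdr, version, random
    p += 1 + data[p]                              # session_id
    p += 2 + struct.unpack("!H", data[p:p + 2])[0]   # cipher_suites
    p += 1 + data[p]                              # compression_methods
    if p + 2 > len(data):                         # no extensions block
        return hello_type, None
    ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", data[p:p + 4])
        p += 4
        if ext_type == 0:                         # server_name extension
            name_len = struct.unpack("!H", data[p + 3:p + 5])[0]   # skip list len (2) + name type (1)
            return hello_type, data[p + 5:p + 5 + name_len].decode()
        p += ext_len
    return hello_type, None

def choose_backend(data: bytes, domain: str = "example.test") -> str:
    """Mirror the frontend's rules: 'admin.<domain>' (case-insensitive) -> be_Entry_A, else be_Entry_B."""
    hello_type, sni = parse_sni(data)
    if hello_type == 1 and sni and sni.lower() == f"admin.{domain}":
        return "be_Entry_A"
    return "be_Entry_B"   # unconditional use_backend: also where no SNI / no ClientHello was seen
```

Note that a connection with no ClientHello within the inspect-delay still ends up on be_Entry_B, so that backend's counters include any non-TLS probes the frontend receives.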