SSL Load balancing with session affinity


#1

Hello,

I am a newbie trying to configure HAPRoxy to do load balancing with session affinity. I have adapted haproxy.cfg found here http://blog.haproxy.com/2011/07/04/maintain-affinity-based-on-ssl-session-id/ so it looks like this:

global

log         127.0.0.1 local2
chroot      /var/lib/haproxy
pidfile     /var/run/haproxy.pid
maxconn     4000
user        haproxy
group       haproxy
daemon

# turn on stats unix socket
stats socket /var/lib/haproxy/stats

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
# does not work in tcp mode – option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 6000

frontend main
bind *:9443
option tcplog
mode tcp
default_backend app

backend app
mode tcp
balance roundrobin
stick-table type binary len 32 size 60k expire 60m
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2

# use tcp content accepts to detects ssl client and server hello.
tcp-request inspect-delay 5s
tcp-request content accept if clienthello
# no timeout on response inspect delay by default.
tcp-response content accept if serverhello
# SSL session ID (SSLID) may be present on a client or server hello.
# Its length is coded on 1 byte at offset 43 and its value starts
# at offset 44.
# Match and learn on request if client hello.
stick on payload_lv(43,1) if clienthello

# Learn on response if server hello.
stick store-response payload_lv(43,1) if serverhello
server  lanneluc-node1 lanneluc-node1.server.com:9443 check  
server  lanneluc-node2 lanneluc-node2.server.com:9443 check 
server  lanneluc-node3 lanneluc-node3.server.com:9443 check 
server  lanneluc-node5 lanneluc-node5.server.com:9443 check 

listen stats *:1936
stats uri /
stats admin if TRUE
stats enable
stats hide-version
stats auth root:clu8ter8
stats refresh 3s

I have couple of questions about this:

  1. Does this config look correct?
  2. What is the best way to verify that the session affinity actually works, using logging perhaps, or some other way?

Many thanks
Alex


#2

for your second question: the log shows which fontend / backend / server handled a request, so you may verify stickiness here.
or you could inject a header on the backend server, identifying itself.

then go on a reload spree and check the log / header.


#3

So haproxy will make sure that the sessions are sticky based on the Session ID, however do understand that TLS tickets will make your job harder here, as it will bypass the session ID affinity on haproxy. You will have to generate common TLS ticket keys, distribute them to all your backends and rotate them frequently. Also avoid storing them on disk (use tmpfs).

I have found Vincent Bernat’s rfc5077-client to be incredibly useful to test resumption:

git clone https://github.com/vincentbernat/rfc5077.git
cd rfc5077
make rfc5077-client

./rfc5077-client <server>

#4

What about this solution?

Is that a more dumb solution where the “stickiness” is based on the client IP?