Re: stunnel, haproxy and HTTP 1.1 with Tomcat

From: Brett Delle Grazie <brett.dellegrazie#intact-is.com>
Date: Sat, 25 Sep 2010 08:14:02 +0100


Hi Willy,

On Sat, 2010-09-25 at 07:51 +0200, Willy Tarreau wrote:
> Hi Brett,
>
> On Thu, Sep 23, 2010 at 11:04:21AM +0100, Brett Delle Grazie wrote:
> > Forgot ... stunnel version is 4.15
> > On Thu, 2010-09-23 at 11:00 +0100, Brett Delle Grazie wrote:
> > > Hi,
> > >
> > > I'm using haproxy 1.4.8 with
> > > a) HTTP on port 80
> > > b) stunnel decrypting SSL traffic and forwarding it to port 81.
> > > stunnel has the xforwardedfor patch applied.
> > >
> > > HA proxy balances both ports 80 and 81 to two Tomcat backends (one for
> > > HTTP, one for HTTPS)
> > >
> > > My config currently uses option httpclose and appears to work fine.
> > >
> > > Is there a way I can enable pipelining on the client side (i.e.
> > > http-server-close) that won't break when SSL is in use?
>
> No, because the problem then becomes that the stunnel patch will only
> work on the first request. I'm currently thinking about a way to make
> stunnel+haproxy integration much more transparent in order to improve
> that.
>

Thanks. I suspected that might be the problem.

Much obliged for your response and may I just say 'kudos' to you for a fantastic product. I will be asking the customer who uses it to donate.

> > > Do I need to use 'option http-pretend-keepalive' in the tomcat backends?
> > > Willy mentioned elsewhere that http-pretend-keepalive was necessary as
> > > 'until very recently it was making keep-alive impossible'. Does anyone
> > > know what version of Tomcat will work _without_ this option?
>
> This option should only be used to make tomcat advertise its content
> length, otherwise some versions won't, thus preventing any keep-alive
> from being possible. Also, there have been some reports of a non-standard
> version of tomcat which did not close the connection immediately after
> sending a response whose length could not be determined, thus causing
> long response times. I'm not sure that standard versions are affected
> because I've already encountered setups working perfectly with option
> httpclose in the past.
>

FYI, we're using Tomcat 6.0.29 and it appears to work just fine.

> Regards,
> Willy
>

-- 
Best Regards,

Brett Delle Grazie
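The split described in this thread, written out as a haproxy 1.4 configuration. This is an added illustration, not a config posted by Brett or Willy, and the addresses, ports and backend names are assumed. The point it shows is that the client-side keep-alive mode can be chosen per frontend: the plain port-80 frontend can run http-server-close with haproxy inserting X-Forwarded-For itself, while the port-81 frontend fed by the patched stunnel must stay on httpclose, because stunnel's xforwardedfor patch only adds the header on the first request of a connection.

```haproxy
global
    log 127.0.0.1 local0
    maxconn 4096

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Plain HTTP: haproxy sees the real client address, so it can add
# X-Forwarded-For on every request and client-side keep-alive is safe.
frontend http-in
    bind *:80
    option http-server-close
    option forwardfor
    default_backend tomcat-http

# stunnel decrypts HTTPS and connects here from 127.0.0.1 (assumed).
# The stunnel xforwardedfor patch inserts X-Forwarded-For only on the
# first request of a connection, so force one request per connection
# with httpclose. Do not add 'option forwardfor' here: haproxy would
# only report stunnel's own address, not the client's.
frontend https-in
    bind 127.0.0.1:81
    option httpclose
    default_backend tomcat-https

# Assumed Tomcat connectors: 8080 for HTTP, 8081 flagged secure for
# traffic that arrived over HTTPS (stunnel has already decrypted it).
backend tomcat-http
    # option http-pretend-keepalive  # only if Tomcat omits Content-Length
    server tomcat1 10.0.0.11:8080 check
    server tomcat2 10.0.0.12:8080 check

backend tomcat-https
    # option http-pretend-keepalive  # only if Tomcat omits Content-Length
    server tomcat1 10.0.0.11:8081 check
    server tomcat2 10.0.0.12:8081 check
```

http-pretend-keepalive is left commented out in both backends, following Willy's note above that it is only needed when a Tomcat version fails to advertise its content length; the thread reports Tomcat 6.0.29 working without it.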
Received on 2010/09/25 09:14

This archive was generated by hypermail 2.2.0 : 2010/09/25 09:30 CEST