Re: SSL Pass through and sticky session

From: Mir Islam <mislam#mirislam.com>
Date: Mon, 7 Nov 2011 11:16:08 -0800


Yeah, that is the problem. Right now SSL is terminated at the application level on each server. There is no way to inspect the cookie even if the server sets one. Sticky sessions in TCP mode can be done by source IP (that is why I have balance source). But that creates the other problem, as I mentioned. Folks coming from behind NAT will hit the same server and not get load balanced, because HAProxy will think they are all the same. I was trying to find out if there is something else that could be done. From my own logical reasoning, no. :) But I have been wrong before, so I was hoping someone had a similar issue.

Thanks
Mir

On Nov 7, 2011, at 11:09 AM, Vivek Malik wrote:

> You are running haproxy in tcp mode since you are relaying SSL and decrypting on the backend. Cookies can only be analyzed in HTTP mode. Not sure how to do sticky sessions in tcp mode.
>
> Vivek
>
> On Mon, Nov 7, 2011 at 2:03 PM, Mir Islam <mislam#mirislam.com> wrote:
> Is it possible to utilize some sort of sticky session for incoming requests? SSL connections are terminated at the servers in the backend. Right now I can do source IP based balance. But then users behind a firewall/NAT will not get load balanced correctly. Instead, they all end up on the same server. That is my main problem.
>
>
> Here is a portion of my config. I added the cookie param but I guess it will work with http only. Anyway, any help/pointer is appreciated.
>
>
>
> listen ssl-relay 0.0.0.0:443
>     option ssl-hello-chk
>     balance source
>     server inst1 10.254.2.145:443 check inter 2000 fall 3
>     server inst2 10.46.19.211:443 check inter 2000 fall 3
>
>     option httpclose # disable keep-alive
>     option checkcache # block response if set-cookie & cacheable
>
>     cookie HASERVERID inser
>
Received on 2011/11/07 20:16
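
The trade-off discussed in this thread, as an added example that is not part of the original messages: it compares source-IP hashing with round-robin for the two servers in the quoted config, measuring both per-server load and how many users see their connections split across servers. The CRC32 hash is a stand-in (not HAProxy's actual hash function), and the traffic and addresses are constructed sample data.

```python
import ipaddress
import zlib
from collections import Counter
from itertools import cycle

SERVERS = ["inst1", "inst2"]  # server names from the quoted config


def pick_by_source(src_ip, servers=SERVERS):
    """Stand-in for 'balance source': hash the source IP, modulo server count.
    CRC32 is an assumption here; it is not HAProxy's actual hash function."""
    key = ipaddress.ip_address(src_ip).packed
    return servers[zlib.crc32(key) % len(servers)]


def simulate(connections, policy):
    """connections: list of (user, src_ip) in arrival order.
    Returns (connections per server, users whose connections hit >1 server)."""
    rr = cycle(SERVERS)
    load, seen = Counter(), {}
    for user, src_ip in connections:
        server = pick_by_source(src_ip) if policy == "source" else next(rr)
        load[server] += 1
        seen.setdefault(user, set()).add(server)
    split_users = sum(1 for hit in seen.values() if len(hit) > 1)
    return load, split_users


def constructed_traffic():
    """Constructed sample: 300 users behind one NAT address plus 101 users
    with their own address, each opening 3 connections over time."""
    conns = []
    for _ in range(3):
        for i in range(300):
            conns.append((f"nat-user-{i}", "203.0.113.10"))
        for i in range(101):
            conns.append((f"direct-user-{i}", f"198.51.100.{i + 1}"))
    return conns


if __name__ == "__main__":
    traffic = constructed_traffic()
    for policy in ("source", "roundrobin"):
        load, split_users = simulate(traffic, policy)
        print(f"{policy:10s} load={dict(load)} users split={split_users}")
```

With source hashing no user is split, but every connection from the NAT address lands on one server; with round-robin the load is even, but sessions do not stick.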

This archive was generated by hypermail 2.2.0 : 2011/11/07 20:30 CET