Troubles of HAproxy 1.5-dev SSL-ID configuration

From: Lauri-Alo Adamson <Lauri.Adamson#andmevara.ee>
Date: Mon, 9 May 2011 08:41:50 +0300


Hello!  

No one has answered my e-mail yet, which is sad! Is there some kind of HAproxy developer mailing list where the development versions are the subject of discussion?

I have configured Cisco CSS devices and have some experience with them. Then I thought that I would try the HAproxy development version that supports sticky SSL, so I installed Debian 6.0.1 x86_64 in a VMware ESXi virtual machine and installed HAproxy 1.5-dev6. After that I tried to create an HAproxy configuration that uses sticky SSL sessions, and when I tried to start HAproxy I got the following error message:

root#haproxy:# /usr/local/sbin/haproxy -f /etc/haproxy/haproxy.conf

[ALERT] 101/163223 (1993) : Proxy 'https': type of pattern not usable with type of stick-table 'https'.

[ALERT] 101/163223 (1993) : Proxy 'https': type of pattern not usable with type of stick-table 'https'.

[ALERT] 101/163223 (1993) : Fatal errors found in configuration.  

and the haproxy daemon does not start.

If I understand correctly, I do not need to use a tunnel to use the SSL sticky session configuration. My SSL sticky session configuration originates from the example "# Learn SSL session ID from both request and response and create affinity" in the file configuration.txt in the HAproxy 1.5-dev documentation folder.

I would be pleased if anyone could explain whether it is a bug in the HAproxy development version or a problem with my configuration!

Lauri Adamson

AS Andmevara  

My haproxy.config content is as follows:

global
        user haproxy
        group haproxy
        stats socket /tmp/haproxy
        daemon

defaults
        contimeout 500
        clitimeout 500
        srvtimeout 500

listen stats :1936
        mode http
        stats enable
        stats hide-version
        stats scope .
        stats realm Haproxy\ Statistics
        stats uri / stats
        stats auth Username:Password

listen http 10.1.0.44:80
        mode tcp
        balance leastconn
        maxconn 10000
        server web1 10.244.129.1:80 check
        server web2 10.244.129.2:80 check

listen https 10.1.0.44:443
        mode tcp
        balance leastconn
        maxconn 10000

        # maximum SSL session ID length is 32 bytes.
        stick-table type binary len 32 size 30k expire 30m

        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2

        # use tcp content accepts to detects ssl client and server hello.
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello

        # no timeout on response inspect delay by default.
        tcp-response content accept if serverhello

        # SSL session ID (SSLID) may be present on a client or server hello.
        # Its length is coded on 1 byte at offset 43 and its value starts
        # at offset 44.

        # Match and learn on request if client hello.
        stick on payload_lv(43,1) if clienthello

        # Learn on response if server hello.
        stick store-response payload_lv(43,1) if serverhello

        server web1 10.244.129.1:443 check
        server web2 10.244.129.2:443 check

Received on 2011/05/09 07:41
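
Added example, not part of the original message and not HAProxy's own code: a Python sketch of what the configuration's comments describe, reading the SSL session ID (length byte at offset 43, value from offset 44) from a client or server hello and using it as an affinity key. The function names, the dict standing in for the stick-table, and the sample records are all constructed for this illustration.

```python
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2

def hello_type(buf):
    """Handshake type of a TLS record (byte 5), or None if not a handshake."""
    return buf[5] if len(buf) > 5 and buf[0] == HANDSHAKE else None

def payload_lv(buf, len_off, len_size):
    """Length-prefixed read: big-endian length at len_off, value right after.
    None if the buffer is too short or the value is empty (example's choice)."""
    start = len_off + len_size
    if len(buf) < start:
        return None
    n = int.from_bytes(buf[len_off:start], "big")
    if n == 0 or len(buf) < start + n:
        return None
    return buf[start:start + n]

def session_id(buf):
    """SSL session ID of a client/server hello: length at 43, value at 44."""
    if hello_type(buf) not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    sid = payload_lv(buf, 43, 1)
    return sid if sid is not None and len(sid) <= 32 else None

def build_hello(hs_type, sid, tail):
    """Constructed sample: record hdr(5) + handshake hdr(4) + version(2) + random(32)."""
    body = b"\x03\x01" + bytes(32) + bytes([len(sid)]) + sid + tail
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

def route(table, client_record, default):
    """'stick on': reuse the server learned for this session ID, if any."""
    return table.get(session_id(client_record), default)

def learn(table, server_record, server):
    """'stick store-response': remember which server issued the session ID."""
    sid = session_id(server_record)
    if sid is not None:
        table[sid] = server

SID = bytes(range(32))                      # constructed 32-byte session ID
SERVER_TAIL = b"\x00\x2f\x00"               # cipher suite + compression
CLIENT_TAIL = b"\x00\x02\x00\x2f\x01\x00"   # suites list + compression list

if __name__ == "__main__":
    table = {}
    learn(table, build_hello(SERVER_HELLO, SID, SERVER_TAIL), "web2")
    print(route(table, build_hello(CLIENT_HELLO, SID, CLIENT_TAIL), "web1"))
    print(route(table, build_hello(CLIENT_HELLO, b"", CLIENT_TAIL), "web1"))
```

A client hello that resumes the learned session is sent to the server that issued it, while a hello with an empty session ID has no key and falls through to the default choice.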
