Hi Gaël,

On Wed, Dec 09, 2009 at 04:47:17PM +0000, Gaël Reignier wrote:
> Hi everybody,
>
> I have installed and configured HAProxy with pound in order to have SSL
> termination at the SLB level and it worked OK until today, when we discovered
> a problem that does not make sense to me. I will try to explain it here:
>
> So we have a website that does cross domain authentication with SSL: from
> www.site.com you are authenticated against my.site.com
>
> Number of servers:
> When I have only 1 web server behind the SLB, everything is working
> perfectly fine.
> When I have 2 or more web servers behind the SLB, I am experiencing the
> problem.
>
> Cookie activation:
> Here is how I activated the cookies:
> cookie HAPROXYID insert indirect
> server gr-web04 10.10.5.14 weight 10 check port 80 fastinter 1000 cookie gr-web04
>
> When the cookies are turned off, I notice the problem from time to time:
> roughly once every 20 clicks.
> When the cookies are turned on, the problem happens once every 2 clicks (so
> in 50% of the cases).
>
> Explanation of what I am seeing:
>
> The first requests are going to the first web site (http://www.site.com) in
> clear (HTTP), then they are going to another part of the site
> (https://www.first.com) through SSL.
> When it works you are then redirected to http://my.site.com and you carry
> on...
>
> As I understand it, the problem happens as the result of the script run during
> the SSL connection (I am sure the script works, as when there is only 1
> webserver for http and https, it works perfectly fine).
> But I believe that when it is load balanced to another server in order to do
> the SSL connection, then it is not happy...
> I have noticed as well that the communications on www.site.com are done on
> server A whereas communications on my.site.com are done on server B when it
> is successful...
>
> I have now spent a couple of days on the problem and I do not understand why
> I am having this really random behaviour... That does not make sense to me at
> all.
>
> If you want more information about the problem please let me know and I will
> be happy to give you all the information you need!
I can give you some hints because I've been facing comparable issues recently.

Basically, by default, a browser will only send a cookie to a server if it has the exact same host name as the one it learned the cookie from. RFC 2109 allows a cookie to have domain attributes to extend the validity of the cookie to other hosts. You could very well say that your persistence cookie is valid for ".site.com", which means that a browser which receives it will present it on both "www.site.com" and "my.site.com". But it will also present it on any "xxx.site.com" host, which may or may not be desirable.

Now the RFC is slightly more precise. It says that a browser must not present the cookie for "yyy.xxx.site.com" if it was set for ".site.com". But both MSIE and FF don't apply this restriction, which would probably break a number of sites. The RFC also forces a domain to start with a dot (which also prevents any IP address from being used). Both browsers don't care about this.

Furthermore, the RFC says that a browser should ignore a cookie set for a domain different from the one that returns it. That means that you can't expect a cookie for ".site.com" to be set by "www.first.com". FF applies this restriction, but MSIE does not care, which is sometimes very helpful.

Last, the RFC does not forbid the setting of multiple domains with a cookie. FF only accepts a cookie if the last domain is OK. MSIE happily learns all the domains at once (tested with up to 10).

So with all that in mind, you should try to write down all the path between the moment a browser connects to the first page of your site and the moment it reaches the final page, and check where the Set-Cookie headers are sent, so that you can ensure that this correctly works in your case. And try with FF more than with MSIE; that last one caught me, making me think that my first solution was OK :-/

Regards,
Willy
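The cookie domain rules Willy walks through (exact-host default, the leading-dot and embedded-dot requirements, the "yyy.xxx.site.com" restriction, and the refusal of a cookie set by a host outside its Domain) can be checked mechanically against the hostnames in this thread. The following is an added example, not code from the thread or from HAProxy or pound; it implements the RFC 2109 acceptance and domain-match rules as written in the RFC (strict behaviour, not the looser MSIE/FF behaviour Willy observed). The `Set-Cookie` header values are constructed from the `HAPROXYID` / `gr-web04` names in Gaël's config; `parse_set_cookie`, `check_set_cookie` and `cookie_sent_to` are names chosen here.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header value into the NAME=VALUE pair and its attributes.

    Attribute names are lower-cased so 'Domain' and 'domain' are treated alike;
    value-less attributes (e.g. 'Secure') map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def domain_matches(host: str, domain: str) -> bool:
    """RFC 2109 section 2 'domain-match': exact match, or host = N + domain with
    a non-empty prefix N and a domain that starts with a dot."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)


def check_set_cookie(request_host: str, header: str) -> Verdict:
    """Apply the RFC 2109 section 4.3.2 rejection rules to a Set-Cookie received
    from request_host. A strict user agent drops the cookie on any failure."""
    cookie = parse_set_cookie(header)
    domain: Optional[str] = cookie["attrs"].get("domain")  # type: ignore[union-attr]
    if domain is None:
        # No Domain attribute: the cookie is bound to the exact request host.
        return Verdict(True, f"no Domain attribute: cookie bound to {request_host} only")
    d = domain.lower()
    if not d.startswith("."):
        return Verdict(False, f"Domain {d!r} does not start with a dot")
    if "." not in d[1:]:
        return Verdict(False, f"Domain {d!r} has no embedded dot")
    if not domain_matches(request_host, d):
        # e.g. www.first.com trying to set a cookie for .site.com
        return Verdict(False, f"{request_host} does not domain-match {d}")
    prefix = request_host.lower()[: -len(d)]
    if "." in prefix:
        # e.g. yyy.xxx.site.com setting a cookie for .site.com
        return Verdict(False, f"host prefix {prefix!r} contains a dot")
    return Verdict(True, f"cookie valid for every host under {d}")


def cookie_sent_to(target_host: str, origin_host: str, header: str) -> bool:
    """Would a strict RFC 2109 user agent that learned `header` from origin_host
    present the cookie on a request to target_host?"""
    if not check_set_cookie(origin_host, header).accepted:
        return False  # never stored, so never sent
    domain = parse_set_cookie(header)["attrs"].get("domain")  # type: ignore[union-attr]
    if domain is None:
        return target_host.lower() == origin_host.lower()
    return domain_matches(target_host, domain)


# Constructed header values based on the cookie name and server cookie in the thread.
HOST_ONLY_COOKIE = "HAPROXYID=gr-web04; Path=/"
SHARED_COOKIE = "HAPROXYID=gr-web04; Domain=.site.com; Path=/"

if __name__ == "__main__":
    # The situation in the thread: a persistence cookie learned on www.site.com
    # is not presented on my.site.com unless it carries a Domain attribute.
    print(cookie_sent_to("my.site.com", "www.site.com", HOST_ONLY_COOKIE))  # False
    print(cookie_sent_to("my.site.com", "www.site.com", SHARED_COOKIE))     # True
    print(check_set_cookie("www.first.com", SHARED_COOKIE))                 # rejected
    print(check_set_cookie("yyy.xxx.site.com", SHARED_COOKIE))              # rejected
```

The first two calls in the `__main__` block reproduce the symptom: without a Domain attribute the browser treats `www.site.com` and `my.site.com` as unrelated, so the persistence cookie learned on one is never sent to the other and the second request lands on whichever server the balancer picks. The last two show the two RFC restrictions Willy mentions that real browsers of the time did not all enforce, which is why testing against the stricter browser matters.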