Hi Thomas,

It could be related to opened but unused connections from some
browsers (Chrome).
The only way to confirm this behavior is to capture some traffic
using tcpdump and see if you get connections reset by HAProxy due to
client timeout with no client traffic or some real SSL handshake
failure.

Do you have an IPS in front of HAProxy?

Baptiste


On Wed, Oct 16, 2013 at 4:45 AM, Thomas Amsler <tams...@gmail.com> wrote:
> Hello,
>
> We are using HAProxy v1.5-dev19, and are seeing a lot of the following
> errors in our haproxy logs:
>
> <-- snip -->
> Oct 16 02:24:22 localhost haproxy[2473]: <some ip>:44950
> [16/Oct/2013:02:24:22.643] https-in/1: SSL handshake failure
> Oct 16 02:30:47 localhost haproxy[2473]: <some ip>:37530
> [16/Oct/2013:02:30:47.436] https-in/1: SSL handshake failure
> Oct 16 02:32:09 localhost haproxy[2473]: <some ip>:32930
> [16/Oct/2013:02:32:08.709] https-in/1: SSL handshake failure
> Oct 16 02:32:28 localhost haproxy[2473]: <some ip>:38069
> [16/Oct/2013:02:32:27.731] https-in/1: SSL handshake failure
> <-- snip -->
>
> This error occurs at a rate of 0.7%. It most often happens via ColdFusion
> CFHTTP connections. Could there be any issues with HAProxy or is this a
> client connection issue?
>
> Our server infrastructure handles REST as well as Socket.io (WebSocket)
> connections.
>
>
> Our config file:
>
>
> global
>     nbproc 1
>     daemon
>     maxconn 8192
>     log 127.0.0.1 local0
>     user ec2-user
>     group ec2-user
>     chroot /var/lib/haproxy
>
> defaults
>     mode http
>     option httplog
>     log global
>     # Add x-forwarded-for header.
>     option forwardfor
>     option http-server-close
>     timeout connect 5s
>     timeout client 30s
>     timeout server 30s
>     # Long timeout for WebSocket connections.
>     timeout tunnel 1h
>
> # Redirect HTTP to HTTPS
> frontend http-in
>     bind *:80
>     acl is_aggiefeed hdr_end(host) -i aggiefeed.ucdavis.edu
>     redirect prefix https://aggiefeed.ucdavis.edu code 301 if is_aggiefeed
>
> # HTTPS
> frontend https-in
>     bind *:443 ssl crt /home/ec2-user/ssl/aggiefeed.pem
>     default_backend servers
>     errorfile 503 /home/ec2-user/errorfiles/503.http
>
> backend servers
>     balance roundrobin
>     cookie SERVERID insert indirect nocache
>     server server1 10.0.1.100:8080 cookie server1 weight 1 maxconn 4096 check
>     server server2 10.0.1.101:8080 cookie server2 weight 1 maxconn 4096 check
>
>
>
> Best,
> Thomas Amsler
> http://gplus.to/tamsler
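
Added example, not part of the thread and not HAProxy code: one way to separate the two cases the reply distinguishes (connections with no client traffic versus real handshake failures) once a tcpdump capture has been reassembled into per-connection byte streams. The reassembly step is assumed to be done elsewhere; `tls_records`, `classify`, `rec` and the sample data are hypothetical names and constructed values.

```python
import struct

# TLS record content types and a few alert descriptions (RFC 5246).
ALERT, HANDSHAKE, CLIENT_HELLO = 21, 22, 1
ALERT_NAMES = {0: "close_notify", 40: "handshake_failure",
               70: "protocol_version"}

def tls_records(stream):
    """Yield (content_type, payload) for each complete TLS record."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, pos)
        if major != 3 or ctype not in (20, 21, 22, 23):
            return  # not a TLS record header
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) < length:
            return  # record cut short
        yield ctype, payload
        pos += 5 + length

def classify(client_bytes, server_bytes):
    """Label one TCP connection from its reassembled byte streams."""
    if not client_bytes:
        return "idle-no-client-data"  # opened but unused connection
    if client_bytes[0] != HANDSHAKE or client_bytes[1:2] not in (b"", b"\x03"):
        return "not-tls"  # e.g. plain HTTP, or an SSLv2-format hello
    hello = next(tls_records(client_bytes), None)
    if hello is None or hello[1][:1] != bytes([CLIENT_HELLO]):
        return "incomplete-client-hello"
    for ctype, payload in tls_records(server_bytes):
        if ctype == ALERT and len(payload) == 2:
            return "tls-alert:" + ALERT_NAMES.get(payload[1], str(payload[1]))
    return "no-plaintext-alert"  # handshake went on, or ended without an alert

def rec(ctype, payload):
    """Build one TLS 1.0 record (used for the constructed samples only)."""
    return bytes([ctype, 3, 1]) + struct.pack("!H", len(payload)) + payload

# Constructed samples, not taken from the thread's traffic.
HELLO = rec(HANDSHAKE, b"\x01\x00\x00\x02\x03\x03")  # stand-in ClientHello
SAMPLES = {
    "preconnect": (b"", b""),
    "plain_http": (b"GET / HTTP/1.1\r\n", b""),
    "cut_short": (HELLO[:7], b""),
    "rejected": (HELLO, rec(ALERT, b"\x02\x28")),
}

for name, (c, s) in SAMPLES.items():
    print(name, "->", classify(c, s))
```

Counting the labels per client address shows whether the logged failures are mostly idle connections that sent nothing or connections where a ClientHello was answered with an alert.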
