Hi everyone, not sure if this is the right place to request help (first time mailing to a mailing list :-)), but I'll give it a try.

I'm trying to set up HAProxy for SSL offloading for multiple hosts. This works perfectly with this config:

--------------------------------------------------------------------
--------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     15000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
    #tune.ssl.default-dh-param 2048

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 11000

#---------------------------------------------------------------------
# main frontends which proxy to the backends
#---------------------------------------------------------------------
frontend www-https *:443
    bind *:443 ssl crt /etc/ssl/private/starmyhostname.pem no-sslv3

    #Define hosts & ACL's
    acl host_BEADHOSTWWW01 hdr(host) -i wwwtest.myhostname.eu
    acl host_BEADHOSTKB01 hdr(host) -i kb.myhostname.eu

    #Define which backend to use for each host
    use_backend BEADHOSTWWW01 if host_BEADHOSTWWW01
    use_backend BEADHOSTKB01 if host_BEADHOSTKB01

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------
backend BEADHOSTWWW01
    option httpclose
    cookie JSESSIONID prefix
    mode http
    server WWW01 172.26.75.10:80 cookie A check

backend BEADHOSTKB01
    option httpclose
    cookie JSESSIONID prefix
    mode http
    server KB01 172.26.75.2:80 cookie A check
--------------------------------------------------------------------
--------------------------------------------------------------------

However, in some cases (let's say 1 out of 20), I receive an ERR_SSL_PROTOCOL_ERROR (Chrome) or ssl_error_rx_record_too_long (Firefox). Hitting F5 solves the issue instantly, but it comes back after a while.

Does anyone know what could be the reason for this, and how to solve it? I am kind of lost.

Thanks a lot for your help!

Mitch
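Added here as an example, not part of Mitch's post and not HAProxy project code: a small shell lint for one pattern visible in the frontend above. `frontend www-https *:443` puts an address on the section header and then adds `bind *:443 ssl ...`, which declares two listeners on port 443, one plain and one TLS. HAProxy on Linux binds with SO_REUSEPORT, so both sockets come up and the kernel spreads new connections across them; a share of TLS handshakes then reach the plain listener and the browser reports ssl_error_rx_record_too_long or ERR_SSL_PROTOCOL_ERROR, which is exactly an intermittent, refresh-fixes-it symptom. The sample config below is constructed, with the same structure as the post's; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or the HAProxy project): flag a
# frontend/listen section whose header line carries an address AND which also
# has a "bind" line, because that opens two listeners on the same port.

# Constructed sample config (not the poster's real file), same structure.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
global
    daemon
defaults
    mode http
frontend www-https *:443
    bind *:443 ssl crt /etc/ssl/private/example.pem no-sslv3
    default_backend app
frontend www-http
    bind *:80
    default_backend app
backend app
    server s1 127.0.0.1:8080 check
EOF

# Print "<section> <header-address> <first-bind-address>" for every
# frontend/listen section that has both; print nothing when the file is clean.
find_double_binds() {
    awk '
    function flush() {
        if (name != "" && hdr != "" && bnd != "")
            printf "%s %s %s\n", name, hdr, bnd
        name = ""; hdr = ""; bnd = ""
    }
    # Section header: remember its name and any address after the name
    # (a trailing "# comment" is not an address).
    /^[ \t]*(frontend|listen)[ \t]/ { flush(); name = $2; hdr = ($3 ~ /^#/) ? "" : $3; next }
    # Any other section type ends the one we were tracking.
    /^[ \t]*(backend|defaults|global)([ \t]|$)/ { flush(); next }
    # First bind line inside the tracked section.
    /^[ \t]*bind[ \t]/ { if (name != "" && bnd == "") bnd = $2; next }
    END { flush() }
    ' "$1"
}

# The fix: drop the address from the header line so only the bind line (which
# carries the ssl/crt options) remains. Rewritten config goes to stdout.
strip_header_address() {
    sed -E 's/^([[:space:]]*(frontend|listen)[[:space:]]+[^[:space:]]+)[[:space:]]+[^[:space:]#]+/\1/' "$1"
}

# Demo: report the offending section, then confirm the rewritten file is clean.
find_double_binds "$SAMPLE_CFG"
FIXED_CFG=$(mktemp)
strip_header_address "$SAMPLE_CFG" > "$FIXED_CFG"
find_double_binds "$FIXED_CFG"
```

Point `find_double_binds` at the live haproxy.cfg to check a running box; the companion observation on the host is `ss -ltnp | grep ':443'`, which shows two listening sockets on 443 when this pattern is active and one after the header address is removed and HAProxy is reloaded.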