Hey,

I am investigating a problem where the response from a TLS-accelerated machine is incomplete. I was able to reproduce this on OpenBSD 5.9, 6.0 and 6.1. A test on 5.8 is about to be run.

I have the following environment:

relay1: relayd machine
web1: apache 2.2.31 serving the request
client1: requester

relay1 is configured the following way (relevant lines):

    http protocol http_relay {
        tcp { nodelay, sack, socket buffer 65536, backlog 1024 }
        match header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
        match header set "Keep-Alive" value "$TIMEOUT"
        match request header remove "Proxy"
    }

    http protocol tls_accel {
        tcp { nodelay, sack, socket buffer 65536, backlog 1024 }
        match header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
        match header set "X-Forwarded-Proto" value "https"
        match header set "X-Forwarded-Port" value "443"
        match header set "Keep-Alive" value "$TIMEOUT"
        match request header remove "Proxy"
        tls { tlsv1, \
            ciphers "AES:!AES256:!aNULL" \
        }
    }

    table <webpool> { 172.16.1.111 }

    relay int_test_tls {
        listen on 172.16.1.99 port 443 tls
        protocol tls_accel
        forward to <webpool> port 80 mode roundrobin check http "/" code 200
    }

    relay int_test_http {
        listen on 172.16.1.99 port 80
        protocol http_relay
        forward to <webpool> port 80 mode roundrobin check http "/" code 200
    }

web1 is a std Apache 2.2.31 with deflate enabled for the following

    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/javascript

and serving a JS file.

client1 is running PHP code from the CLI to reproduce this problem.

The following is observed:

1. Client1 requests web1 directly on port 80 and gets the full response

    shell$ php client3.php
    Expected length: 547204
    Received length: 547204
    [Response Headers]
    HTTP/1.1 200 OK
    Date: Mon, 08 May 2017 11:08:27 GMT
    Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips
    Last-Modified: Mon, 08 May 2017 07:22:43 GMT
    ETag: "60319-85984-54efe1ae42be3"
    Accept-Ranges: bytes
    Content-Length: 547204
    Vary: Accept-Encoding
    Connection: close
    Content-Type: application/javascript

2. Client1 requests web1 directly on port 80 WITH GZIP enabled and gets the full response back. I see the gzipped stream on the screen and then it gets decoded to a complete file. The file I get is not cut.

    Expected length: Content-Length not recieved
    Received length: 165454
    [Response Headers]
    HTTP/1.1 200 OK
    Date: Mon, 08 May 2017 11:10:18 GMT
    Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips
    Last-Modified: Mon, 08 May 2017 07:22:43 GMT
    ETag: "60319-85984-54efe1ae42be3"
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Connection: close
    Content-Type: application/javascript

3. and 4. Client1 requests relay1 on port 80 (with and without GZIP) and gets the complete response

5. Client1 requests relay1 on port 443 without GZIP - the response is incomplete

    Expected length: 547204
    Received length: 396424
    [Response Headers]
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Connection: close
    Content-Length: 547204
    Content-Type: application/javascript
    Date: Mon, 08 May 2017 11:14:59 GMT
    ETag: "60319-85984-54efe1ae42be3"
    Last-Modified: Mon, 08 May 2017 07:22:43 GMT
    Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips
    Vary: Accept-Encoding

6. Client1 requests relay1 on port 443 with GZIP - the response is complete.

So the non-gzipped response from behind relay1 is incomplete while doing TLS termination.

Files server.js and client.php can be provided upon request.

Any ideas?

Br
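
Added example, not part of the original message and not the poster's client.php: a Python check that takes the raw bytes of one HTTP response, read until the peer closed the connection, and decides whether the body is complete. It uses Content-Length when present (cases 1 and 5) and the gzip end-of-stream trailer when it is absent (case 2). The function name and the sample responses are constructed for illustration; chunked transfer encoding is not parsed.

```python
import gzip
import zlib

def classify_response(raw: bytes) -> dict:
    """Judge whether a raw HTTP response, read until the peer closed, is complete."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return {"verdict": "truncated", "reason": "header block never terminated"}
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    result = {"status": lines[0], "received": len(body), "expected": None}
    if "transfer-encoding" in headers:
        # Chunked framing is not parsed here, so make no claim either way.
        result.update(verdict="unverifiable", reason="transfer-encoding not handled")
    elif "content-length" in headers:
        # Cases 1 and 5 in the post: the header states the body size.
        expected = int(headers["content-length"])
        missing = expected - len(body)
        verdict = "complete" if missing == 0 else "truncated" if missing > 0 else "overlong"
        result.update(expected=expected, verdict=verdict,
                      reason=f"{missing} bytes short of Content-Length")
    elif headers.get("content-encoding", "").lower() == "gzip":
        # Case 2 in the post: no Content-Length, but a gzip stream ends with a
        # CRC32/size trailer, and eof is only set once that trailer was read.
        inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)
        try:
            result["decoded"] = len(inflater.decompress(body))
        except zlib.error as exc:
            result.update(verdict="corrupt", reason=str(exc))
        else:
            done = inflater.eof
            result.update(verdict="complete" if done else "truncated",
                          reason="gzip trailer seen" if done else "gzip stream ends early")
    else:
        result.update(verdict="unverifiable", reason="connection close is the only delimiter")
    return result

if __name__ == "__main__":
    # Constructed samples: the sizes are made up, not the 547204-byte file from the post.
    payload = b"var x = 1;\n" * 2000
    plain = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\nConnection: close\r\n\r\n" % len(payload)
    zipped = b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\nConnection: close\r\n\r\n"
    for raw in (plain + payload, plain + payload[:15000],
                zipped + gzip.compress(payload), zipped + gzip.compress(payload)[:-8]):
        print(classify_response(raw))
```

Running the same check against the backend directly, the relay on port 80 and the relay on port 443 shows which hop drops the tail of the body.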