haproxy.md

\o/ ... for HAProxy. Recent patches to make TLS faster:

• MINOR: ssl: add DEFAULT_SSL_MAX_RECORD to set the record size at build time
• MINOR: config: make the stream interface idle timer user-configurable
• MEDIUM: stream-int: automatically disable CF_STREAMER flags after idle
• MINOR: channel: add the date of last read in the channel
• OPTIM: ssl: implement dynamic record size adjustment
• MINOR: ssl: handshake optim for long certificate chains.

Last patch is for 4KB+ certs. Remaining patches implement dynamic record sizing.

• Default size is still 16K, but HAProxy can be built with DEFAULT_SSL_MAX_RECORD to reset that at build time.
• Record size can be changed via a config flag: tune.ssl.maxrecord
• Idle timeout controls how long the connection must be idle before record size is reset - defaults to 1000ms, can be controlled via tune.idletimer.

TL;DR: Checkout latest code, build it, and set your tune.ssl.maxrecord and tune.idletimer config flags.

tls.conf

defaults
  log 127.0.0.1 local0

global
  # lower your record size to improve Time to First Byte (TTFB)
  tune.ssl.maxrecord 1400

  # set inactivity timeout to reset record size (in ms)
  tune.idletimer 1000

# terminate TLS connections & forward connections to http_cluster
frontend secure
  mode tcp

  # advertise http/1.1 over NPN to enable TLS False Start!
  bind :443 ssl crt /path/to/cert.pem npn http/1.1,spdy/3.1

  use_backend spdy_cluster if { ssl_fc_npn -i spdy/3.1 }
  default_backend http_cluster

backend spdy_cluster
  server srv01 127.0.0.1:449

backend http_cluster
  mode http
  server srv01 127.0.0.1:81

I something very similar to this working with haproxy 1.5.4, but if I encloded the http/1.1 part in the bind line at #16, all connections get sent to the http_cluster. If I take it out, SPDY capable browsers get sent through to spdy_cluster without any problems.

I've got an example vagrant config at https://github.com/beezly/vagrant-haproxy-model/tree/npn-http11 that reproduces the problem. You can see the stats page at localhost:8999 and all connections will end up at the http backend.

@beezly see http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-npn - should work. May be worth opening a bug on the HAProxy list to confirm that something hasn't gone awry in the routing.

hello, i'm running apache with haproxy 1.5.5, but it only works with spdy/2, when i try to change npn to spdy/3.1 i got -1/-1/-1/-1/199 400 187 - - PR-- 0/0/0/0/0 0/0 "" is that a problem with apache or my haproxy version?

@vitaoloureiro by changing your config to spdy/2 you might not have been using spdy at all if you were using Chrome. Chrome (version 38.0.2125.111) seems to pass the ALPN and NPN string of http/1.1,spdy/3,spdy/3.1. If HA-Proxy advertised spdy/2 then the connection probably negotiated http/1.1 This chrome plugin has helped me when working on this.

It is also worth noting that my version of chrome will negotiate spdy over alpn.

@igrigorik @beezly
npn and alpn work my selecting the first matching protocol in common.
If Chrome sends http/1.1,spdy/3,spdy/3.1 and HAProxy sends http/1.1,spdy/3.1, the winner will be http/1.1.

Another solution is to have HAProxy send spdy/3.1,http/1.1.

Customer questionnaire came through today enquiring about "TLS record framing optimization for low latency"
I'm responding with default size of 16kb currently, but any thoughts about this moving forward?