Maintain affinity based on SSL session ID

Synopsis

When load balancing HTTPS, the load balancer has no access to the HTTP protocol, since everything is encrypted. This makes it hard to maintain connection persistence.

The Aloha load balancer allows you to maintain HTTPS session persistence based on the SSL session ID.
That way, even though you can't see the protocol, you can still maintain affinity between a user and a backend.

This is much better than source IP affinity, since many users may share the same IP address and would then all be sent to the same backend, generating extra load on it.
Furthermore, the session can still be followed even if the client changes its IP address.

Configuration

The configuration below shows how to maintain session affinity on the SSL session ID and store it in a stick-table.
HAProxy ACLs are used to validate that the inspected payload really is an SSL hello before sticking on it.

# Learn SSL session ID from both request and response and create affinity.
backend https
	mode tcp
	balance roundrobin

	# maximum SSL session ID length is 32 bytes.
	stick-table type binary len 32 size 30k expire 30m

	acl clienthello req_ssl_hello_type 1
	acl serverhello rep_ssl_hello_type 2

	# use tcp content accept rules to detect the SSL client and server hello.
	tcp-request inspect-delay 5s
	tcp-request content accept if clienthello

	# there is no response inspect delay by default, so no timeout is needed here.
	tcp-response content accept if serverhello

	# SSL session ID (SSLID) may be present on a client or server hello.
	# Its length is coded on 1 byte at offset 43 and its value starts
	# at offset 44.
	# Match and learn on request if client hello.
	stick on payload_lv(43,1) if clienthello

	# Learn on response if server hello.
	stick store-response payload_lv(43,1) if serverhello

	server s1 192.168.1.1:443
	server s2 192.168.1.2:443
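As an added illustration that is not part of the original post, the Python below mimics what the hello-type ACLs, the payload_lv(43,1) fetch and the stick rules above do, on constructed ClientHello/ServerHello records (all function names are hypothetical), including the case where the session ID is empty and no affinity is possible.

```python
import struct

CONTENT_TYPE_HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2

def build_hello(hello_type, session_id, version=b"\x03\x03"):
    """Constructed sample input (not a real capture): a minimal TLS handshake record.
    Layout: record hdr(5) + hs type(1) + hs len(3) + version(2) + random(32)
            + sid_len(1) + sid + filler, so sid_len sits at offset 43."""
    body = version + bytes(32) + bytes([len(session_id)]) + session_id + b"\x00\x02\x00\x2f"
    handshake = bytes([hello_type]) + struct.pack(">I", len(body))[1:] + body
    return bytes([CONTENT_TYPE_HANDSHAKE]) + version + struct.pack(">H", len(handshake)) + handshake

def ssl_hello_type(payload):
    """Like req_ssl_hello_type / rep_ssl_hello_type: the handshake type byte, or None."""
    if len(payload) < 6 or payload[0] != CONTENT_TYPE_HANDSHAKE:
        return None
    return payload[5]

def payload_lv(payload, offset, length_bytes=1):
    """Like payload_lv(offset,1): length at offset, value right after; None if truncated."""
    if len(payload) < offset + length_bytes:
        return None
    n = int.from_bytes(payload[offset:offset + length_bytes], "big")
    value = payload[offset + length_bytes:offset + length_bytes + n]
    return value if len(value) == n else None

def pick_backend(payload, stick_table, servers, rr_state):
    """Mimics 'stick on payload_lv(43,1) if clienthello' with a roundrobin fallback.
    An empty session ID (brand-new session, or session tickets in use) gives no key,
    so the request is simply load balanced and nothing is learned."""
    sid = payload_lv(payload, 43) if ssl_hello_type(payload) == CLIENT_HELLO else None
    if sid and sid in stick_table:
        return stick_table[sid]
    server = servers[rr_state[0] % len(servers)]
    rr_state[0] += 1
    if sid:
        stick_table[sid] = server
    return server

def learn_from_response(payload, stick_table, server):
    """Mimics 'stick store-response payload_lv(43,1) if serverhello'."""
    if ssl_hello_type(payload) != SERVER_HELLO:
        return False
    sid = payload_lv(payload, 43)
    if not sid:
        return False
    stick_table[sid] = server
    return True
```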

About Baptiste Assmann

Aloha Product Manager HAProxy consultant