Some time ago one of our clients requested SSL support in the application. This would be nothing special, but part of the application uses WebSockets (Socket.IO, to be precise). Because Nginx doesn't support WebSockets in its standard installation, we had to find another way to proxy SSL requests.
There were three main proposals:
- Patch and compile Nginx with the tcp module
- Add stunnel to the configuration
- Use the development version of HAProxy with SSL support
The first two solutions would make our infrastructure more complex:
The first required maintaining a new package and would make the HAProxy configuration obsolete, which we didn't want to get rid of because of high availability (and yes, we're aware of Nginx's HTTP proxy capabilities).
The second added another layer to the infrastructure, which is one more thing to debug when problems appear.
The third one, using HAProxy, was simple and clean (the bind line needs the ssl and crt keywords for HAProxy to terminate SSL on that port):
bind 0.0.0.0:443 ssl crt /path/to/ssl.pem
acl is_websocket path_reg ^/socket.io/.*$
use_backend nginx if !is_websocket
use_backend socket_io if is_websocket
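The four lines above are only the routing part of the frontend. The script below is an added example, not configuration from the original post: it writes a complete HAProxy 1.5 configuration with SSL termination and the Socket.IO ACL, and mirrors the ACL decision in a shell function so the routing rule can be checked without a running HAProxy. The backend addresses, ports, timeouts and the output path are assumptions; the certificate path is the placeholder from the post.

```shell
#!/bin/sh
# Added example (not from the original post): complete HAProxy 1.5 frontend that
# terminates SSL on :443 and sends Socket.IO traffic to its own backend.
# Backend addresses, ports and timeouts are assumptions for illustration.
set -eu

HAPROXY_CFG="${HAPROXY_CFG:-${TMPDIR:-/tmp}/haproxy-websocket.cfg}"

write_haproxy_cfg() {
    cat > "$HAPROXY_CFG" <<'EOF'
global
    log /dev/log local0
    maxconn 4096

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # An upgraded WebSocket connection is idle for long stretches; without a
    # tunnel timeout it would be cut by the client/server timeouts above.
    timeout tunnel  1h

frontend https_in
    bind 0.0.0.0:443 ssl crt /path/to/ssl.pem
    # Socket.IO requests are recognised by their path
    acl is_websocket path_reg ^/socket.io/.*$
    use_backend nginx if !is_websocket
    use_backend socket_io if is_websocket

backend nginx
    server web1 127.0.0.1:8080 check

backend socket_io
    server ws1 127.0.0.1:3000 check
EOF
}

# Same regular expression as the path_reg ACL: prints the backend name HAProxy
# would choose for a given request path.
route_backend() {
    path="$1"
    if printf '%s\n' "$path" | grep -Eq '^/socket.io/.*$'; then
        echo socket_io
    else
        echo nginx
    fi
}

write_haproxy_cfg
echo "wrote $HAPROXY_CFG"
route_backend /socket.io/1/websocket/abc   # socket_io
route_backend /index.html                  # nginx
route_backend /api/socket.io/x             # nginx (regex is anchored at the start)
```

Once a real certificate is in place of /path/to/ssl.pem, `haproxy -c -f` on the generated file validates the syntax before a restart. The `timeout tunnel` line is the caveat most often missed when WebSockets are put behind HAProxy: the ordinary client and server timeouts would otherwise drop an idle but healthy WebSocket.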
UPDATE (2013.03.01): there is a 4th option, as NGINX from version 1.3.13 supports WebSockets natively.
Today I've noticed that HAProxy, starting with 1.5dev12 (UPDATE 2013.01.11: currently dev17), supports the SSL protocol.
There are two main reasons why I'm so happy about that:
1. It will simplify most of my infrastructures by getting rid of nginx acting as an SSL proxy.
2. I will get rid of stunnel proxying SSL traffic to WebSockets.
When HAProxy is deployed on a VM (such as at linode.com), performance can drop by more than 50%. The reason is that every packet must be forwarded from the hypervisor (HV) to the VM. Such operations are always expensive (the packet is copied in memory, the NIC raises an interrupt, which forces a switch from the VM to the HV kernel...). The worst case is when NAT is used instead of bridged interfaces.
What can you do to get better performance?
First of all, understand the kernel parameters and tune them. Below you can find 2 which can have a serious impact on the number of processed requests:
/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait (as Willy Tarreau suggests, set it to 30 seconds)
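The following script is an added example, not part of the original post. It checks whether the conntrack TIME_WAIT timeout named above is at or below the recommended 30 seconds, and distinguishes a high value from a missing /proc entry (the entry only exists while nf_conntrack is loaded, in which case connection tracking is not in the packet path at all). The sample value of 120 seconds is a constructed stand-in for the kernel default; the sysctl.d path in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit the conntrack TIME_WAIT
# timeout against the 30-second recommendation from the post.
set -eu

CONNTRACK_TW=/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait
RECOMMENDED_TW=30

# Prints "ok", "high" or "missing" for the value stored in the file given as $1.
# "missing" means the entry is unreadable, i.e. nf_conntrack is not loaded and
# there is nothing to tune on this box.
check_tw_timeout() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo missing
        return 0
    fi
    value=$(tr -dc '0-9' < "$file")
    if [ -z "$value" ]; then
        echo missing
    elif [ "$value" -le "$RECOMMENDED_TW" ]; then
        echo ok
    else
        echo high
    fi
}

# Constructed sample standing in for an untuned kernel (default is 120 seconds).
SAMPLE_TW="${TMPDIR:-/tmp}/sample_tw_timeout"
printf '120\n' > "$SAMPLE_TW"

echo "sample (120s): $(check_tw_timeout "$SAMPLE_TW")"   # high
echo "live /proc:    $(check_tw_timeout "$CONNTRACK_TW")"

# To apply the recommendation persistently (assumed sysctl.d layout):
#   echo 'net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30' > /etc/sysctl.d/99-haproxy.conf
#   sysctl -p /etc/sysctl.d/99-haproxy.conf
```

Running the script as a normal user is enough to read the live value; only applying the sysctl needs root. A "missing" result on a proxy host is worth a second look: either conntrack is genuinely absent (good for a pure proxy) or the module loads later with the firewall rules, after which the default timeout is back in play.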
Then go to the HAProxy configuration and add
and restart your instance.
Note that both options are available from HAProxy 1.4.
Here you can find more comments on the issue.
A very simple fix for the
(drive) got wrong page
error on Ubuntu (in my case 10.04, but it also works on 11.10+) running on a Dell M610 blade is to add
to /etc/default/grub and reload the configuration with update-grub.
I've run into a problem with vpnc (version 0.5.3) disconnecting from a Cisco VPN Concentrator 3000. The connection was dropped and the vpnc process was dying with the message:
— cut here —
Oct 12 20:04:52 server vpnc: connection terminated by dead peer detection
— cut here —
The solution is very simple, but it took me a while to Google it.
To prevent the VPN tunnel from disconnecting, one must add
DPD idle timeout (our side) 0
to the vpn configuration file, e.g. /etc/vpnc/example.conf
or run the vpnc client with
vpnc --dpd-idle 0 example.conf
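As an added example (not from the original post), the script below does the two things an operator wants after a fix like this: count how often the dead-peer-detection message above has actually terminated vpnc in a syslog file, and verify that the vpnc configuration carries the `DPD idle timeout (our side) 0` line. The log lines and both configuration files are constructed samples; the gateway name and group are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): detect vpnc drops caused by dead
# peer detection and check that DPD is disabled in the vpnc configuration.
set -eu

WORK="${TMPDIR:-/tmp}"

# Count DPD terminations in a syslog file ($1). grep -c exits 1 when the count
# is zero, so the "|| true" keeps set -e from aborting on a clean log.
count_dpd_drops() {
    grep -c 'vpnc: connection terminated by dead peer detection' "$1" || true
}

# Returns 0 when the fix from the post is present in the vpnc config ($1).
dpd_disabled() {
    grep -Eq '^[[:space:]]*DPD idle timeout \(our side\) 0[[:space:]]*$' "$1"
}

# --- constructed sample data ---
cat > "$WORK/vpnc-sample.log" <<'EOF'
Oct 12 20:04:52 server vpnc: connection terminated by dead peer detection
Oct 12 20:05:10 server vpnc: VPNC started in background (pid: 1234)...
Oct 13 07:41:03 server vpnc: connection terminated by dead peer detection
EOF

# Configuration before the fix (placeholder gateway, group and user)
cat > "$WORK/vpnc-before.conf" <<'EOF'
IPSec gateway vpn.example.com
IPSec ID example-group
Xauth username alice
EOF

# Same configuration with DPD disabled on our side
cat > "$WORK/vpnc-after.conf" <<'EOF'
IPSec gateway vpn.example.com
IPSec ID example-group
Xauth username alice
DPD idle timeout (our side) 0
EOF

echo "DPD drops in sample log: $(count_dpd_drops "$WORK/vpnc-sample.log")"   # 2
for f in vpnc-before.conf vpnc-after.conf; do
    if dpd_disabled "$WORK/$f"; then
        echo "$f: DPD disabled"
    else
        echo "$f: DPD still active"
    fi
done
```

Point `count_dpd_drops` at the real syslog before and after the change to confirm the drops stop. The trade-off of setting the timeout to 0 is that vpnc no longer probes the gateway itself, so a concentrator that silently goes away is noticed only by failing traffic rather than by a clean teardown; the log count is the cheap way to watch for that.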