@igrigorik
Last active June 7, 2020 02:42

\o/ ... for HAProxy. Recent patches to make TLS faster:

Last patch is for 4KB+ certs. Remaining patches implement dynamic record sizing.

  • Default size is still 16K, but HAProxy can be built with DEFAULT_SSL_MAX_RECORD to reset that at build time.
  • Record size can be changed via a config flag: tune.ssl.maxrecord
  • Idle timeout controls how long the connection must be idle before record size is reset - defaults to 1000ms, can be controlled via tune.idletimer.

TL;DR: Check out the latest code, build it, and set your tune.ssl.maxrecord and tune.idletimer config flags.

defaults
  log 127.0.0.1 local0

global
  # lower your record size to improve Time to First Byte (TTFB)
  tune.ssl.maxrecord 1400
  # set inactivity timeout to reset record size (in ms)
  tune.idletimer 1000

# terminate TLS connections & forward connections to http_cluster
frontend secure
  mode tcp
  # advertise http/1.1 over NPN to enable TLS False Start!
  bind :443 ssl crt /path/to/cert.pem npn http/1.1,spdy/3.1
  use_backend spdy_cluster if { ssl_fc_npn -i spdy/3.1 }
  default_backend http_cluster

backend spdy_cluster
  server srv01 127.0.0.1:449

backend http_cluster
  mode http
  server srv01 127.0.0.1:81
@blissdev

blissdev commented Jul 1, 2014

@igrigorik Since the release of stable haproxy 1.5, is this still up to date? Or would there be any changes?

@beezly

beezly commented Sep 29, 2014

I have something very similar to this working with haproxy 1.5.4, but if I include the http/1.1 part in the bind line at #16, all connections get sent to the http_cluster. If I take it out, SPDY capable browsers get sent through to spdy_cluster without any problems.

I've got an example vagrant config at https://github.com/beezly/vagrant-haproxy-model/tree/npn-http11 that reproduces the problem. You can see the stats page at localhost:8999 and all connections will end up at the http backend.

@igrigorik
Author

@beezly see http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-npn - should work. May be worth opening a bug on the HAProxy list to confirm that something hasn't gone awry in the routing.

@vitaoloureiro

Hello, I'm running Apache with haproxy 1.5.5, but it only works with spdy/2. When I try to change npn to spdy/3.1 I got -1/-1/-1/-1/199 400 187 - - PR-- 0/0/0/0/0 0/0 "" Is that a problem with Apache or my haproxy version?

@ChrisLundquist

@vitaoloureiro by changing your config to spdy/2 you might not have been using spdy at all if you were using Chrome. Chrome (version 38.0.2125.111) seems to pass the ALPN and NPN string of http/1.1,spdy/3,spdy/3.1. If HA-Proxy advertised spdy/2 then the connection probably negotiated http/1.1. This chrome plugin has helped me when working on this.

It is also worth noting that my version of chrome will negotiate spdy over alpn.

@igrigorik @beezly
npn and alpn work by selecting the first matching protocol in common.
If Chrome sends http/1.1,spdy/3,spdy/3.1 and HAProxy sends http/1.1,spdy/3.1, the winner will be http/1.1.

Another solution is to have HAProxy send spdy/3.1,http/1.1.
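To make the selection rule in the comment above concrete, here is an added example (not code from the gist, HAProxy or Chrome) that encodes and validates an ALPN ProtocolNameList in the RFC 7301 wire format and picks the protocol in server-preference order, which is what RFC 7301 expects of a server and what the "spdy/3.1,http/1.1" fix relies on. The protocol strings are the ones quoted in the comment; the function names are this example's own.

```python
import struct


def encode_protocol_list(protocols):
    """Encode an ALPN ProtocolNameList (RFC 7301): u16 total length,
    then each name as a u8 length prefix followed by its bytes."""
    body = b"".join(struct.pack("B", len(p)) + p.encode("ascii") for p in protocols)
    return struct.pack("!H", len(body)) + body


def decode_protocol_list(data):
    """Parse a ProtocolNameList. Rejects the malformed shapes a server
    must not trust: empty list, length field not matching the payload,
    zero-length names, or a name running past the end of the buffer."""
    if len(data) < 2:
        raise ValueError("truncated list length")
    (total,) = struct.unpack("!H", data[:2])
    if total == 0 or 2 + total != len(data):
        raise ValueError("total length does not match payload")
    names, pos = [], 2
    while pos < len(data):
        n = data[pos]
        if n == 0 or pos + 1 + n > len(data):
            raise ValueError("bad protocol name length")
        names.append(data[pos + 1 : pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return names


def select_protocol(server_prefs, client_offer):
    """Return the first entry of the server's list that the client also
    offered; the server's order decides, the client's order does not.
    None means no overlap (an ALPN server then aborts the handshake
    with a no_application_protocol alert rather than guessing)."""
    offered = set(client_offer)
    for p in server_prefs:
        if p in offered:
            return p
    return None


if __name__ == "__main__":
    chrome = decode_protocol_list(encode_protocol_list(["http/1.1", "spdy/3", "spdy/3.1"]))
    # The ordering from the gist's config picks http/1.1; reversing it picks spdy/3.1.
    print(select_protocol(["http/1.1", "spdy/3.1"], chrome))  # http/1.1
    print(select_protocol(["spdy/3.1", "http/1.1"], chrome))  # spdy/3.1
```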

@jmaingard

Customer questionnaire came through today enquiring about "TLS record framing optimization for low latency"
I'm responding with the default size of 16kb currently, but any thoughts about this moving forward?
