MAJOR: proxy: enable abortonclose by default on TLS listeners

In the continuity of https://github.com/orgs/haproxy/discussions/3146,
we must also enable abortonclose by default for TLS listeners so as not
to needlessly compute TLS handshakes on dead connections. The change is
very small (just set the default value to 1 in the TLS code when neither
the option nor its opposite were set).

It may possibly cause some TLS handshakes to start failing with 3.3 in
certain legacy environments (e.g. TLS health-checks performed using only
a client hello and closing afterwards), and in this case it is sufficient
to disable the option using "no option abortonclose" in either the
affected frontend or the "defaults" section it derives from.
Willy Tarreau 2025-10-08 10:32:33 +02:00
parent 75103e7701
commit 00b27a993f
2 changed files with 6 additions and 2 deletions


@ -9083,6 +9083,7 @@ no option abortonclose
likely that some users will give up, and it's pointless to waste CPU
cycles on their handshakes. Given the CPU cost of TLS handshakes, it is
recommended to leave this option enabled on internet-facing frontends.
This is the default for incoming TLS connections.
- when present in a backend, it will cause half-closed connections to try
to abort a request that was not yet sent to a server (i.e. when it's
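Review bot: the added sentence "This is the default for incoming TLS connections." should say that it only applies when neither "option abortonclose" nor "no option abortonclose" is configured, and should name the release in which this default changed (3.3 per the commit message), since readers of the keyword description otherwise have no way to tell whether an existing configuration is affected by the new behaviour.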
@ -9096,7 +9097,10 @@ no option abortonclose
and HTTP services, and to disable it for pure TCP ones as well as unexposed
legacy environments. It is enabled by default in HTTP backends, and may be
forcefully disabled by prepending the "no" keyword before it, either in the
backend section itself, or in the "defaults" section it inherits from.
backend section itself, or in the "defaults" section it inherits from. It is
also enabled by default for TLS listeners and may be forcefully disabled as
well by specifying "no option abortonclose" in the frontend or in the
"defaults" section it inherits from.
If this option has been enabled in a "defaults" section, it can be disabled
in a specific instance by prepending the "no" keyword before it.
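Review bot: the new sentence about TLS listeners omits the compatibility caveat that the commit message itself raises, namely that the TLS default can make handshakes fail in legacy setups where a peer sends only a client hello and then closes (e.g. minimal TLS health checks); a short sentence here pointing operators who observe such failures after an upgrade to "no option abortonclose" in the frontend or its "defaults" section would make the disable instruction actionable rather than just a repeat of the backend wording.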


@ -385,7 +385,7 @@ static int ha_ssl_read(BIO *h, char *buf, int size)
if (ctx->conn->flags & CO_FL_SSL_WAIT_HS &&
!conn_is_back(ctx->conn) &&
proxy_abrt_close(((struct session *)ctx->conn->owner)->fe))
proxy_abrt_close_def(((struct session *)ctx->conn->owner)->fe, 1))
detect_shutr = 1;
else
detect_shutr = 0;
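Review bot: proxy_abrt_close_def() is not defined anywhere in this commit (the page reports only two changed files, this one and the documentation), so the build depends on that helper already existing from the earlier change discussed in the linked thread; confirm that its second argument is only the fallback returned when neither "option abortonclose" nor "no option abortonclose" is set on the frontend, as the commit message describes, so that an explicit "no option abortonclose" still disables detect_shutr during the handshake wait, and consider a one-line comment above the call noting that TLS listeners default to 1 here.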