From 00b27a993fef425e523c1f92a8cb3193aaaa2ab2 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Wed, 8 Oct 2025 10:32:33 +0200 Subject: [PATCH] MAJOR: proxy: enable abortonclose by default on TLS listeners In the continuity of https://github.com/orgs/haproxy/discussions/3146, we must also enable abortonclose by default for TLS listeners so as not to needlessly compute TLS handshakes on dead connections. The change is very small (just set the default value to 1 in the TLS code when neither the option nor its opposite were set). It may possibly cause some TLS handshakes to start failing with 3.3 in certain legacy environments (e.g. TLS health-checks performed using only a client hello and closing afterwards), and in this case it is sufficient to disable the option using "no option abortonclose" in either the affected frontend or the "defaults" section it derives from. --- doc/configuration.txt | 6 +++++- src/ssl_sock.c | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 632268f94..754e4395c 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -9083,6 +9083,7 @@ no option abortonclose likely that some users will give up, and it's pointless to waste CPU cycles on their handshakes. Given the CPU cost of TLS handshakes, it is recommended to leave this option enabled on internet-facing frontends. + This is the default for incoming TLS connections. - when present in a backend, it will cause half-closed connections to try to abort a request that was not yet sent to a server (i.e. when it's 
@@ -9096,7 +9097,10 @@ no option abortonclose and HTTP services, and to disable it for pure TCP ones as well as unexposed legacy environments. It is enabled by default in HTTP backends, and may be forcefully disabled by prepending the "no" keyword before it, either in the - backend section itself, or in the "defaults" section it inherits from. + backend section itself, or in the "defaults" section it inherits from. It is + also enabled by default for TLS listeners and may be forcefully disabled as + well by specifying "no option abortonclose" in the frontend or in the + "defaults" section it inherits from. If this option has been enabled in a "defaults" section, it can be disabled in a specific instance by prepending the "no" keyword before it. diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 6fa65952f..d997775cc 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -385,7 +385,7 @@ static int ha_ssl_read(BIO *h, char *buf, int size) if (ctx->conn->flags & CO_FL_SSL_WAIT_HS && !conn_is_back(ctx->conn) && - proxy_abrt_close(((struct session *)ctx->conn->owner)->fe)) + proxy_abrt_close_def(((struct session *)ctx->conn->owner)->fe, 1)) detect_shutr = 1; else detect_shutr = 0;
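Review bot: In the first doc/configuration.txt hunk, the added sentence "This is the default for incoming TLS connections." follows a recommendation that is scoped to internet-facing frontends, so a reader may take the new default to apply only there; the commit message says the default kicks in for any TLS listener where neither the option nor "no option abortonclose" is set, starting with 3.3. Suggest wording it as "Since 3.3 this is the default for TLS listeners unless explicitly disabled." so the scope and the version are both stated where the behaviour is described.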
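Review bot: The second doc/configuration.txt hunk documents the new default and how to turn it off, but does not carry over the caveat from the commit message that legacy setups (such as TLS health-checks that send only a client hello and then close) may start seeing handshake failures after upgrading to 3.3; operators reading only the reference manual will not learn that the symptom is expected and that "no option abortonclose" in the frontend or its "defaults" section is the fix. Suggest adding one sentence after "...the "defaults" section it inherits from." that names that symptom and points at the opt-out, and that the same note is added to the 3.3 upgrade notes. The hunk also uses "TLS listeners" while the first hunk says "incoming TLS connections"; pick one term.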
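Review bot: In the src/ssl_sock.c hunk, the only change is switching the call in the `CO_FL_SSL_WAIT_HS` branch from `proxy_abrt_close(fe)` to `proxy_abrt_close_def(fe, 1)`, and the diffstat shows no other file touched, so this patch relies on `proxy_abrt_close_def()` already existing with exactly the semantics the commit message describes (default `1` used only when neither the option nor its "no" form was set). Please confirm that an explicit "no option abortonclose" makes it return 0 rather than being treated as "unset", otherwise the opt-out documented in the other two hunks does not work for TLS frontends. A short comment above the condition explaining why this call site defaults to 1 while the rest of the proxy code keeps the plain default would also help the next reader, since the non-TLS path is unchanged.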