Hello, I've been trying to sort out an issue with relayd, and I'm just not having any luck. I am setting up a new load-balancer using net/relayd (5.4.20131122_2) on 10.0-RELEASE. My configuration is pretty simple; a pair of web servers <web>, sitting behind the relayd host. I have a httpd instance running on the relayd host as a backup "sorry" server.
The following configuration snippet from relayd.conf is literally a copy-paste job from the working http (no ssl) check; essentially just s/http/https/

    redirect wwws {
        listen on $web_addr port https interface em0
        tag RELAYD
        forward to <web> check https "/" code 302
        forward to <sorry> check https "/favicon.ico" code 200 timeout 100
    }

With this configuration, my check always fails with the following error:

    hce_notify_done: 1.2.3.4 (ssl connect failed)
    host 1.2.3.4, check http code use ssl (5ms), state down -> down, availability 0.00%

Looking at tcpdump, I see the beginning of an SSL handshake, then the connection is terminated by relayd. I have verified that the web servers are working correctly. Unfortunately, relayd doesn't seem to offer debugging to explain WHY the check is failing.

I don't know how relevant it is, but I also have a relayd instance running on a 9.1-RELEASE host (same version of relayd). The topology and relayd config are virtually identical; the web servers are identical images. This instance has its own quirks (one problem at a time), but the https check is working.

Comparing traffic dumps, I see that relayd sends a different (shorter) list of available ciphers in the ssl client hello, and a different cipher is selected by the apache instance in each case,

    on 9.1:  TLS_RSA_WITH_RC4_128_SHA (0x0005)
    on 10.0: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)

In the latter case, the dump shows the server sending its certificate, and the relayd client disconnecting immediately thereafter. It looks like a problem with the certificate, except the certificate is valid, and the same as the 9.1 setup.

Any thoughts would be much appreciated.

Tom

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
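
Added example, not part of the original post: the comparison of the two client hellos described above can be done mechanically by extracting the offered cipher suites from each raw ClientHello record and diffing them. The two records below are constructed samples, not the poster's captures, and all function names are this example's own.

```python
import struct
# IANA names for the two suites named in the post plus the others used in the samples.
SUITE_NAMES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

def client_hello_suites(record):
    """Cipher suite IDs offered in one raw TLS record holding a whole ClientHello."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 39 or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    pos = 4 + 2 + 32                 # handshake header, client_version, random
    pos += 1 + body[pos]             # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    (n,) = struct.unpack("!H", body[pos:pos + 2])
    raw = body[pos + 2:pos + 2 + n]
    if len(raw) != n or n % 2:
        raise ValueError("bad cipher_suites length")
    return list(struct.unpack("!%dH" % (n // 2), raw))

def compare_offers(a, b):
    """Names of suites offered only in record a and only in record b."""
    sa, sb = set(client_hello_suites(a)), set(client_hello_suites(b))
    name = lambda s: SUITE_NAMES.get(s, "0x%04x" % s)
    return sorted(map(name, sa - sb)), sorted(map(name, sb - sa))

def build_hello(suites):
    """Build a minimal ClientHello record (constructed sample, not a capture)."""
    cs = struct.pack("!%dH" % len(suites), *suites)
    hello = (b"\x03\x01" + bytes(32) + b"\x00" +
             struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + struct.pack("!I", len(hello))[1:] + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples: a shorter offer and a longer one that adds ECDHE suites.
HELLO_SHORT = build_hello([0x0005, 0x002F, 0x0035, 0x00FF])
HELLO_LONG = build_hello([0xC011, 0xC013, 0x0005, 0x002F, 0x0035, 0x00FF])

if __name__ == "__main__":
    print(compare_offers(HELLO_SHORT, HELLO_LONG))
```

To use it on real traffic, pass the raw bytes of the first TLS record the client sends on each connection; a ClientHello split across several records is not handled.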