I am not sure where this report belongs but this started happening after I upgraded hitch from version 1.4.8 to 1.5.2.
With this upgrade I turned off TLS 1.0 and TLS 1.1; turned on TLS 1.3 and TCP Fast Open and selected TLS 1.2 recommended ciphers.
I am using hitch as TLS terminator for Varnish 6 using TCP (localhost) and PROXY v2 (write-proxy-v2 = on) protocol connection.
Just after the upgrade I noticed that long haul (Dublin to Singapore or California) HTTPS connection requests started getting "Empty reply from server" errors - these are done using curl (but have same issues with wget) to test HTTPS connectivity. Same requests with lower latency (in same AWS region) are finishing successfully. I can also see these errors in real live traffic on these upgraded hosts but not on the host which has not yet been upgraded.
After some investigation I found out that Varnish will be closing these connections with SessClose OVERLOAD and always exactly 0.049 real time value:
Looks like this session close is called in bin/varnishd/cache/cache_session.c in ses_handle function. The 0.049 is related to default value of timeout_linger which is 0.05.
After I increased the timeout_linger I was getting different value that was the value of timeout_linger - 1. After increasing it high enough (0.4 in my case) the issue went away.
So it looks like the latest hitch upgrade (or possibly something else as some other system packages were upgraded (kernel, libc, openssl (just patch version))) resulted in triggering this timeout_linger before the first request is even processed by Varnish, resulting in drop of session without sending any data back to client and leaving no trace in access logs.
You need to increase workspace_session. Hitch is now passing the SNI entry in PROXY v2 preambles and, as obscurely indicated, you might "overload" the workspace.
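
The reply above attributes the overload to the SNI entry Hitch now adds to the PROXY v2 preamble. As an added example (not code from Hitch, Varnish or this thread), the Python below builds and parses a PROXY v2 preamble following the PROXY protocol specification to show how one TLV grows it. Assumptions: the SNI is carried in a PP2_TYPE_AUTHORITY TLV, and the addresses, ports and host name are constructed sample values; the page does not show which TLVs Hitch actually sends.

```python
import socket
import struct

SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte PROXY v2 signature
PP2_TYPE_AUTHORITY = 0x02         # host name TLV in the PROXY protocol spec (assumed to carry the SNI)

def build_preamble(src, dst, tlvs=()):
    """Build a PROXY v2 preamble for TCP over IPv4 with optional TLVs."""
    body = socket.inet_aton(src[0]) + socket.inet_aton(dst[0])
    body += struct.pack("!HH", src[1], dst[1])
    for tlv_type, value in tlvs:
        body += struct.pack("!BH", tlv_type, len(value)) + value
    # 0x21 = version 2 + PROXY command, 0x11 = AF_INET + STREAM
    return SIG + struct.pack("!BBH", 0x21, 0x11, len(body)) + body

def parse_preamble(data):
    """Return (total_size, [(type, value), ...]) for a TCP/IPv4 preamble."""
    if len(data) < 16 or data[:12] != SIG:
        raise ValueError("not a PROXY v2 preamble")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported version")
    if fam != 0x11:
        raise ValueError("example handles TCP over IPv4 only")
    end = 16 + length
    if length < 12 or len(data) < end:
        raise ValueError("truncated preamble")
    tlvs, pos = [], 16 + 12       # TLVs follow the 12-byte address block
    while pos < end:
        if pos + 3 > end:
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!BH", data[pos:pos + 3])
        pos += 3
        if pos + tlv_len > end:
            raise ValueError("TLV overruns declared length")
        tlvs.append((tlv_type, data[pos:pos + tlv_len]))
        pos += tlv_len
    return end, tlvs

# Constructed sample: the same connection without and with an SNI TLV.
SRC, DST = ("192.0.2.10", 51234), ("127.0.0.1", 8443)
plain = build_preamble(SRC, DST)
with_sni = build_preamble(SRC, DST, [(PP2_TYPE_AUTHORITY, b"www.example.com")])

if __name__ == "__main__":
    for name, preamble in (("no TLV", plain), ("with SNI", with_sni)):
        size, tlvs = parse_preamble(preamble)
        print(f"{name}: {size} bytes, TLVs={tlvs}")
```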