Commit a87e1c1
fix(ingress): eliminate 5s latency from HAProxy evidence routing

The evidence-server routing used payload(0,0) to inspect request bytes.
Per HAProxy docs, length=0 means "extract to end of buffer", which in
TCP mode defers rule evaluation until the full inspect-delay (5s)
expires — HAProxy cannot know when a raw TCP stream ends.

This added a 5-second latency to every TLS connection, making the
service appear broken for users.

Fix: use payload(0,16) with a concrete byte count (16 = len of
"HEAD /evidences", the longest prefix matched) and accept once
req.len >= 16. After SSL termination a full TLS record is decrypted
atomically, so these 16 bytes arrive instantly.

Before: ~5.2s per request (TLS 0.2s + inspect-delay 5.0s)
After: ~0.28s per request (TLS 0.2s + routing ~0.04s)

Tested on a live Phala CVM with Route53 DNS — both normal requests and
/evidences endpoint verified working.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

1 parent 43da63b commit a87e1c1
1 file changed
Lines changed: 9 additions & 7 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
156 | 156 | | |
157 | 157 | | |
158 | 158 | | |
159 | | - | |
160 | | - | |
161 | | - | |
162 | | - | |
| 159 | + | |
| 160 | + | |
| 161 | + | |
| 162 | + | |
| 163 | + | |
| 164 | + | |
163 | 165 | | |
164 | | - | |
165 | | - | |
166 | | - | |
| 166 | + | |
| 167 | + | |
| 168 | + | |
167 | 169 | | |
168 | 170 | | |
169 | 171 | | |
| |||
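
Review bot: the constant 16 used by the added rules does not match the justification given in the commit message: "HEAD /evidences" is 15 bytes, not 16, so payload(0,16) and the req.len >= 16 accept condition cover one byte beyond the longest prefix named. Please add a comment beside the new rules stating what the 16th byte is expected to be (a trailing space or slash, for example), or correct the count, since an off-by-one in this match affects which requests are routed to the evidence server and which fall through to the default backend.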