1. Introduction
In IBM Cloud Internet Services (CIS), you cannot specify an arbitrary port number for a GLB backend. The documentation of Cloudflare, on which CIS is based, states the following.
https://developers.cloudflare.com/fundamentals/reference/network-ports/
HTTPS ports supported by Cloudflare
443
2053
2083
2087
2096
8443
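At first glance this reads as if port 8443 is supported, but when the Origin listens on port 8443 the client must also access the GLB on port 8443. It does not mean that "the client accesses port 443 while the Origin listens on port 8443" is possible.
However, by placing a CIS Range (the equivalent of Cloudflare Spectrum) in front of the GLB, I was able to build a working configuration for Origin ports 443/8443/9443/10443 even though the client accesses port 443, so I describe it in this article.
The corresponding Cloudflare document is "Add load balancing to Spectrum applications". It lists the following limitations for this configuration, but when I actually tried it, both Session Affinity and page rules worked. GLB Session Affinity uses a cookie (__cflb), and CIS Range let me specify HTTPS, as in this case, rather than TCP, so this restriction may have been lifted.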
Limitations
- Load Balancing session affinity, failover across pools, and custom rules are not supported by Spectrum.
- UDP health checks are only available with public monitoring. TCP can be used with both public and private monitoring.
2. Create an HTTPS server (Origin server) that listens on ports 443/8443/9443/10443
The step-by-step procedure is omitted. The key points are as follows.
yum install httpd mod_ssl
- Create an index.html for each port.
/var/www/html/index.html
/var/www/html_8443/index.html
/var/www/html_9443/index.html
/var/www/html_10443/index.html
- Edit /etc/httpd/conf.d/ssl.conf:
  - Listen ports
    - Set 443, 8443, 9443 and 10443.
  - VirtualHost directives
    - Set port numbers 443, 8443, 9443 and 10443.
    - Set each DocumentRoot to "/var/www/html", "/var/www/html_8443", "/var/www/html_9443" and "/var/www/html_10443" respectively.
    - Set the server certificate and private key in SSLCertificateFile and SSLCertificateKeyFile. The CIS Origin certificate and private key can be downloaded and used for this.
$ cat /etc/httpd/conf.d/ssl.conf | grep -v "^#" | grep -v "^$"
Listen 443 https
Listen 8443 https
Listen 9443 https
Listen 10443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
<VirtualHost *:8443>
DocumentRoot "/var/www/html_8443"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
<VirtualHost *:9443>
DocumentRoot "/var/www/html_9443"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
<VirtualHost *:10443>
DocumentRoot "/var/www/html_10443"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
$ openssl x509 -text -noout -in /etc/pki/tls/certs/server.crt
(partially omitted)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=CloudFlare, Inc., OU=CloudFlare Origin SSL Certificate Authority, L=San Francisco, ST=California
Validity
Not Before: Sep 25 06:54:00 2023 GMT
Not After : Sep 21 06:54:00 2038 GMT
Subject: O=CloudFlare, Inc., OU=CloudFlare Origin CA, CN=CloudFlare Origin Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
(partially omitted)
$ curl -k https://localhost:443
Hello World: Port443
$ curl -k https://localhost:8443
Hello World: Port8443
$ curl -k https://localhost:9443
Hello World: Port9443
$ curl -k https://localhost:10443
Hello World: Port10443
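The ssl.conf listed above keeps `SSLProtocol all -SSLv2 -SSLv3` and an explicit `3DES` entry in `SSLCipherSuite` on all four listeners, so TLS 1.0/1.1 and 3DES remain negotiable on every origin port. The following is an added example, not part of the original article: an awk-based check that reports these settings per VirtualHost. The names `audit_tls` and `sample_conf` and the tightened second vhost are constructed for illustration.

```bash
# Added example (not from the original article): flag legacy TLS settings
# per <VirtualHost> in an Apache ssl.conf.

# audit_tls FILE -> one finding per line: "<vhost> <directive> <issue>"
# Simplification: SSLProtocol tokens are checked without regard to their order.
audit_tls() {
  awk '
    /^[ \t]*<VirtualHost[ \t]/ { vhost = $2; sub(/>$/, "", vhost); next }
    /^[ \t]*<\/VirtualHost>/   { vhost = ""; next }
    vhost == ""                { next }   # ignore server-level directives
    $1 == "SSLProtocol" {
      all = 0; add10 = 0; add11 = 0; drop10 = 0; drop11 = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "all"     || $i == "+all")     all = 1
        if ($i == "TLSv1"   || $i == "+TLSv1")   add10 = 1
        if ($i == "TLSv1.1" || $i == "+TLSv1.1") add11 = 1
        if ($i == "-TLSv1")   drop10 = 1
        if ($i == "-TLSv1.1") drop11 = 1
      }
      # "all" turns on TLSv1 and TLSv1.1 unless they are subtracted explicitly
      if ((all || add10) && !drop10) print vhost, "SSLProtocol", "TLSv1.0-enabled"
      if ((all || add11) && !drop11) print vhost, "SSLProtocol", "TLSv1.1-enabled"
    }
    $1 == "SSLCipherSuite" {
      n = split($2, c, ":")
      for (i = 1; i <= n; i++)
        if (c[i] == "3DES" || c[i] == "+3DES") print vhost, "SSLCipherSuite", "3DES-enabled"
    }
  ' "$1"
}

# Constructed sample: the first vhost copies the TLS lines from the listing
# above, the second is a tightened variant (TLS 1.2 and later, no 3DES).
sample_conf() {
  cat <<'EOF'
Listen 8443 https
Listen 9443 https
<VirtualHost *:8443>
DocumentRoot "/var/www/html_8443"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
</VirtualHost>
<VirtualHost *:9443>
DocumentRoot "/var/www/html_9443"
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
</VirtualHost>
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
audit_tls "$conf"
```

On the real server the same function can be pointed at /etc/httpd/conf.d/ssl.conf; an empty result means none of the three settings was found inside a VirtualHost.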
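3. Create an Origin Pool for the GLB in CIS
Register the web server created above as an Origin server. The detailed steps are omitted.
4. Create a GLB in CIS
Create a GLB using the Origin Pool created above.
5. Create a Range in CIS
Type: HTTPS
Name: set an appropriate name
Edge Port: clients access on port 443
Origin: select Load Balancer instead of an IP address, and specify the GLB created earlier
Port: the Load Balancer/Origin is accessed on port 8443.
In the same way, create the following (using the same GLB as the Origin Load Balancer).
6. Test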
syasuda@MacBook ~ % curl https://syasuda-glb01.xxxxxxxxxxx.com
Hello World: Port443
syasuda@MacBook ~ % curl https://syasuda-glb01.xxxxxxxxxxx.com:8443
Hello World: Port8443
syasuda@MacBook ~ % curl https://syasuda-glb01.xxxxxxxxxxx.com:9443
(no response)
syasuda@MacBook ~ % curl https://syasuda-glb01.xxxxxxxxxxx.com:10443
(no response)
syasuda@MacBook ~ % curl https://syasuda-range-443.xxxxxxxxxxx.com
Hello World: Port443
syasuda@MacBook ~ % curl https://syasuda-range-8443.xxxxxxxxxxx.com
Hello World: Port8443
syasuda@MacBook ~ % curl https://syasuda-range-9443.xxxxxxxxxxx.com
Hello World: Port9443
syasuda@MacBook ~ % curl https://syasuda-range-10443.xxxxxxxxxxx.com
Hello World: Port10443
$ tcpdump -i any port 443 or port 8443 or port 9443 or port 10443 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
18:18:11.357782 IP 172.70.xxx.xx.55072 > 162.133.xx.xx.443: Flags [S], seq 3550416429, win 64240, options [mss 1460,sackOK,TS val 452572632 ecr 0,nop,wscale 13], length 0
18:18:11.357830 IP 162.133.xx.xx.443 > 172.70.xxx.xx.55072: Flags [S.], seq 3015740296, ack 3550416430, win 28960, options [mss 1460,sackOK,TS val 1515505720 ecr 452572632,nop,wscale 7], length 0
18:18:11.359145 IP 172.70.xxx.xx.55072 > 162.133.xx.xx.443: Flags [.], ack 1, win 8, options [nop,nop,TS val 452572634 ecr 1515505720], length 0
18:18:11.359303 IP 172.70.xxx.xx.55072 > 162.133.xx.xx.443: Flags [P.], seq 1:518, ack 1, win 8, options [nop,nop,TS val 452572634 ecr 1515505720], length 517
18:18:11.359350 IP 162.133.xx.xx.443 > 172.70.xxx.xx.55072: Flags [.], ack 518, win 235, options [nop,nop,TS val 1515505721 ecr 452572634], length 0
18:18:11.364573 IP 162.133.xx.xx.443 > 172.70.xxx.xx.55072: Flags [P.], seq 1:1627, ack 518, win 235, options [nop,nop,TS val 1515505727 ecr 452572634], length 1626
18:18:11.365652 IP 172.70.xxx.xx.55072 > 162.133.xx.xx.443: Flags [.], ack 1627, win 7, options [nop,nop,TS val 452572641 ecr 1515505727], length 0
18:18:11.366142 IP 172.70.xxx.xx.55072 > 162.133.xx.xx.443: Flags [P.], seq 518:644, ack 1627, win 8, options [nop,nop,TS val 452572641 ecr 1515505727], length 126
18:18:11.366896 IP 162.133.xx.xx.443 > 172.70.xxx.xx.55072: Flags [P.], seq 1627:1917, ack 644, win 235, options [nop,nop,TS val 1515505729 ecr 452572641], length 290
18:18:11.368424 IP 172.70.xxx.xx.55072 > 162.133.xx.xx.443: Flags [P.], seq 644:1009, ack 1917, win 8, options [nop,nop,TS val 452572644 ecr 1515505729], length 365
18:18:11.368868 IP 162.133.xx.xx.443 > 172.70.xxx.xx.55072: Flags [P.], seq 1917:2324, ack 1009, win 243, options [nop,nop,TS val 1515505731 ecr 452572644], length 407
18:18:11.410429 IP 172.70.xxx.xx.55072 > 162.133.xx.xx.443: Flags [.], ack 2324, win 8, options [nop,nop,TS val 452572686 ecr 1515505731], length 0
18:18:16.374222 IP 162.133.xx.xx.443 > 172.70.xxx.xx.55072: Flags [P.], seq 2324:2355, ack 1009, win 243, options [nop,nop,TS val 1515510736 ecr 452572686], length 31
18:18:16.374306 IP 162.133.xx.xx.443 > 172.70.xxx.xx.55072: Flags [F.], seq 2355, ack 1009, win 243, options [nop,nop,TS val 1515510736 ecr 452572686], length 0
18:18:16.375286 IP 172.70.xxx.xx.55072 > 162.133.xx.xx.443: Flags [.], ack 2355, win 7, options [nop,nop,TS val 452577650 ecr 1515510736], length 0
18:18:16.375373 IP 172.70.xxx.xx.55072 > 162.133.xx.xx.443: Flags [F.], seq 1009, ack 2356, win 8, options [nop,nop,TS val 452577651 ecr 1515510736], length 0
18:18:16.375385 IP 162.133.xx.xx.443 > 172.70.xxx.xx.55072: Flags [.], ack 1010, win 243, options [nop,nop,TS val 1515510737 ecr 452577651], length 0
18:18:25.477195 IP 172.70.yyy.yy.44564 > 162.133.xx.xx.8443: Flags [S], seq 2405083754, win 64240, options [mss 1460,sackOK,TS val 705764260 ecr 0,nop,wscale 13], length 0
18:18:25.477238 IP 162.133.xx.xx.8443 > 172.70.yyy.yy.44564: Flags [S.], seq 2124469857, ack 2405083755, win 28960, options [mss 1460,sackOK,TS val 1515519839 ecr 705764260,nop,wscale 7], length 0
18:18:25.478543 IP 172.70.yyy.yy.44564 > 162.133.xx.xx.8443: Flags [.], ack 1, win 8, options [nop,nop,TS val 705764262 ecr 1515519839], length 0
18:18:25.478852 IP 172.70.yyy.yy.44564 > 162.133.xx.xx.8443: Flags [P.], seq 1:518, ack 1, win 8, options [nop,nop,TS val 705764262 ecr 1515519839], length 517
18:18:25.478883 IP 162.133.xx.xx.8443 > 172.70.yyy.yy.44564: Flags [.], ack 518, win 235, options [nop,nop,TS val 1515519841 ecr 705764262], length 0
18:18:25.482519 IP 162.133.xx.xx.8443 > 172.70.yyy.yy.44564: Flags [P.], seq 1:1627, ack 518, win 235, options [nop,nop,TS val 1515519845 ecr 705764262], length 1626
18:18:25.483592 IP 172.70.yyy.yy.44564 > 162.133.xx.xx.8443: Flags [.], ack 1627, win 7, options [nop,nop,TS val 705764267 ecr 1515519845], length 0
18:18:25.484032 IP 172.70.yyy.yy.44564 > 162.133.xx.xx.8443: Flags [P.], seq 518:644, ack 1627, win 8, options [nop,nop,TS val 705764267 ecr 1515519845], length 126
18:18:25.484718 IP 162.133.xx.xx.8443 > 172.70.yyy.yy.44564: Flags [P.], seq 1627:1917, ack 644, win 235, options [nop,nop,TS val 1515519847 ecr 705764267], length 290
18:18:25.486051 IP 172.70.yyy.yy.44564 > 162.133.xx.xx.8443: Flags [P.], seq 644:1010, ack 1917, win 8, options [nop,nop,TS val 705764269 ecr 1515519847], length 366
18:18:25.486617 IP 162.133.xx.xx.8443 > 172.70.yyy.yy.44564: Flags [P.], seq 1917:2325, ack 1010, win 243, options [nop,nop,TS val 1515519849 ecr 705764269], length 408
18:18:25.529534 IP 172.70.yyy.yy.44564 > 162.133.xx.xx.8443: Flags [.], ack 2325, win 8, options [nop,nop,TS val 705764313 ecr 1515519849], length 0
18:18:30.492002 IP 162.133.xx.xx.8443 > 172.70.yyy.yy.44564: Flags [P.], seq 2325:2356, ack 1010, win 243, options [nop,nop,TS val 1515524854 ecr 705764313], length 31
18:18:30.492091 IP 162.133.xx.xx.8443 > 172.70.yyy.yy.44564: Flags [F.], seq 2356, ack 1010, win 243, options [nop,nop,TS val 1515524854 ecr 705764313], length 0
18:18:30.493117 IP 172.70.yyy.yy.44564 > 162.133.xx.xx.8443: Flags [.], ack 2356, win 7, options [nop,nop,TS val 705769276 ecr 1515524854], length 0
18:18:30.493223 IP 172.70.yyy.yy.44564 > 162.133.xx.xx.8443: Flags [F.], seq 1010, ack 2357, win 8, options [nop,nop,TS val 705769276 ecr 1515524854], length 0
18:18:30.493242 IP 162.133.xx.xx.8443 > 172.70.yyy.yy.44564: Flags [.], ack 1011, win 243, options [nop,nop,TS val 1515524855 ecr 705769276], length 0
18:18:37.584897 IP 172.70.zzz.zzz.15204 > 162.133.xx.xx.9443: Flags [S], seq 3473893602, win 64240, options [mss 1460,sackOK,TS val 1827040878 ecr 0,nop,wscale 13], length 0
18:18:37.584928 IP 162.133.xx.xx.9443 > 172.70.zzz.zzz.15204: Flags [S.], seq 3975739026, ack 3473893603, win 28960, options [mss 1460,sackOK,TS val 1515531947 ecr 1827040878,nop,wscale 7], length 0
18:18:37.586384 IP 172.70.zzz.zzz.15204 > 162.133.xx.xx.9443: Flags [.], ack 1, win 8, options [nop,nop,TS val 1827040880 ecr 1515531947], length 0
18:18:37.586694 IP 172.70.zzz.zzz.15204 > 162.133.xx.xx.9443: Flags [P.], seq 1:518, ack 1, win 8, options [nop,nop,TS val 1827040880 ecr 1515531947], length 517
18:18:37.586725 IP 162.133.xx.xx.9443 > 172.70.zzz.zzz.15204: Flags [.], ack 518, win 235, options [nop,nop,TS val 1515531949 ecr 1827040880], length 0
18:18:37.590311 IP 162.133.xx.xx.9443 > 172.70.zzz.zzz.15204: Flags [P.], seq 1:1627, ack 518, win 235, options [nop,nop,TS val 1515531952 ecr 1827040880], length 1626
18:18:37.591511 IP 172.70.zzz.zzz.15204 > 162.133.xx.xx.9443: Flags [.], ack 1627, win 7, options [nop,nop,TS val 1827040885 ecr 1515531952], length 0
18:18:37.592141 IP 172.70.zzz.zzz.15204 > 162.133.xx.xx.9443: Flags [P.], seq 518:644, ack 1627, win 8, options [nop,nop,TS val 1827040885 ecr 1515531952], length 126
18:18:37.593305 IP 162.133.xx.xx.9443 > 172.70.zzz.zzz.15204: Flags [P.], seq 1627:1917, ack 644, win 235, options [nop,nop,TS val 1515531955 ecr 1827040885], length 290
18:18:37.595043 IP 172.70.zzz.zzz.15204 > 162.133.xx.xx.9443: Flags [P.], seq 644:1010, ack 1917, win 8, options [nop,nop,TS val 1827040888 ecr 1515531955], length 366
18:18:37.595694 IP 162.133.xx.xx.9443 > 172.70.zzz.zzz.15204: Flags [P.], seq 1917:2325, ack 1010, win 243, options [nop,nop,TS val 1515531958 ecr 1827040888], length 408
18:18:37.638281 IP 172.70.zzz.zzz.15204 > 162.133.xx.xx.9443: Flags [.], ack 2325, win 8, options [nop,nop,TS val 1827040932 ecr 1515531958], length 0
18:18:42.601081 IP 162.133.xx.xx.9443 > 172.70.zzz.zzz.15204: Flags [P.], seq 2325:2356, ack 1010, win 243, options [nop,nop,TS val 1515536963 ecr 1827040932], length 31
18:18:42.601170 IP 162.133.xx.xx.9443 > 172.70.zzz.zzz.15204: Flags [F.], seq 2356, ack 1010, win 243, options [nop,nop,TS val 1515536963 ecr 1827040932], length 0
18:18:42.602321 IP 172.70.zzz.zzz.15204 > 162.133.xx.xx.9443: Flags [.], ack 2356, win 7, options [nop,nop,TS val 1827045896 ecr 1515536963], length 0
18:18:42.602385 IP 172.70.zzz.zzz.15204 > 162.133.xx.xx.9443: Flags [F.], seq 1010, ack 2357, win 8, options [nop,nop,TS val 1827045896 ecr 1515536963], length 0
18:18:42.602403 IP 162.133.xx.xx.9443 > 172.70.zzz.zzz.15204: Flags [.], ack 1011, win 243, options [nop,nop,TS val 1515536964 ecr 1827045896], length 0
18:18:51.157742 IP 172.68.vvv.vvv.13328 > 162.133.xx.xx.10443: Flags [S], seq 855401311, win 64240, options [mss 1460,sackOK,TS val 2382592595 ecr 0,nop,wscale 13], length 0
18:18:51.157771 IP 162.133.xx.xx.10443 > 172.68.vvv.vvv.13328: Flags [S.], seq 719724733, ack 855401312, win 28960, options [mss 1460,sackOK,TS val 1515545520 ecr 2382592595,nop,wscale 7], length 0
18:18:51.159181 IP 172.68.vvv.vvv.13328 > 162.133.xx.xx.10443: Flags [.], ack 1, win 8, options [nop,nop,TS val 2382592597 ecr 1515545520], length 0
18:18:51.159255 IP 172.68.vvv.vvv.13328 > 162.133.xx.xx.10443: Flags [P.], seq 1:518, ack 1, win 8, options [nop,nop,TS val 2382592597 ecr 1515545520], length 517
18:18:51.159282 IP 162.133.xx.xx.10443 > 172.68.vvv.vvv.13328: Flags [.], ack 518, win 235, options [nop,nop,TS val 1515545521 ecr 2382592597], length 0
18:18:51.162689 IP 162.133.xx.xx.10443 > 172.68.vvv.vvv.13328: Flags [P.], seq 1:1627, ack 518, win 235, options [nop,nop,TS val 1515545525 ecr 2382592597], length 1626
18:18:51.163891 IP 172.68.vvv.vvv.13328 > 162.133.xx.xx.10443: Flags [.], ack 1627, win 7, options [nop,nop,TS val 2382592601 ecr 1515545525], length 0
18:18:51.164432 IP 172.68.vvv.vvv.13328 > 162.133.xx.xx.10443: Flags [P.], seq 518:644, ack 1627, win 8, options [nop,nop,TS val 2382592602 ecr 1515545525], length 126
18:18:51.165198 IP 162.133.xx.xx.10443 > 172.68.vvv.vvv.13328: Flags [P.], seq 1627:1917, ack 644, win 235, options [nop,nop,TS val 1515545527 ecr 2382592602], length 290
18:18:51.166729 IP 172.68.vvv.vvv.13328 > 162.133.xx.xx.10443: Flags [P.], seq 644:1011, ack 1917, win 8, options [nop,nop,TS val 2382592604 ecr 1515545527], length 367
18:18:51.167306 IP 162.133.xx.xx.10443 > 172.68.vvv.vvv.13328: Flags [P.], seq 1917:2326, ack 1011, win 243, options [nop,nop,TS val 1515545529 ecr 2382592604], length 409
18:18:51.210082 IP 172.68.vvv.vvv.13328 > 162.133.xx.xx.10443: Flags [.], ack 2326, win 8, options [nop,nop,TS val 2382592648 ecr 1515545529], length 0
18:18:56.172731 IP 162.133.xx.xx.10443 > 172.68.vvv.vvv.13328: Flags [P.], seq 2326:2357, ack 1011, win 243, options [nop,nop,TS val 1515550535 ecr 2382592648], length 31
18:18:56.172809 IP 162.133.xx.xx.10443 > 172.68.vvv.vvv.13328: Flags [F.], seq 2357, ack 1011, win 243, options [nop,nop,TS val 1515550535 ecr 2382592648], length 0
18:18:56.173946 IP 172.68.vvv.vvv.13328 > 162.133.xx.xx.10443: Flags [.], ack 2357, win 7, options [nop,nop,TS val 2382597611 ecr 1515550535], length 0
18:18:56.174138 IP 172.68.vvv.vvv.13328 > 162.133.xx.xx.10443: Flags [F.], seq 1011, ack 2358, win 8, options [nop,nop,TS val 2382597611 ecr 1515550535], length 0
18:18:56.174166 IP 162.133.xx.xx.10443 > 172.68.vvv.vvv.13328: Flags [.], ack 1012, win 243, options [nop,nop,TS val 1515550536 ecr 2382597611], length 0
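To read a capture like the one above without scanning every packet, the following added example (not from the original article) pairs each inbound SYN with the origin's SYN-ACK per port and lists the expected ports that never completed a handshake. The function names are hypothetical; the sample lines are abbreviated from the capture above, with the 10443 reply deliberately left out to show how a blocked port appears.

```bash
# Added example (not from the original article): summarise TCP handshakes per
# origin port from tcpdump text output (as printed by "tcpdump -nn").

# handshake_summary FILE -> "<origin_port> <peer_ip> syn=<n> synack=<n>", sorted by port
handshake_summary() {
  awk '
    # An endpoint looks like "a.b.c.d.port" (destination has a trailing ":")
    function port_of(ep,   n, a) { sub(/:$/, "", ep); n = split(ep, a, "."); return a[n] }
    function ip_of(ep,   n, a)   { sub(/:$/, "", ep); n = split(ep, a, ".")
                                   return substr(ep, 1, length(ep) - length(a[n]) - 1) }
    $2 == "IP" && $6 == "Flags" {
      if ($7 == "[S],")       { k = port_of($5) " " ip_of($3); syn[k]++ }   # peer -> origin
      else if ($7 == "[S.],") { k = port_of($3) " " ip_of($5); ack[k]++ }   # origin -> peer
    }
    END { for (k in syn) printf "%s syn=%d synack=%d\n", k, syn[k], ack[k] }
  ' "$1" | sort -n
}

# missing_ports FILE PORT... -> expected origin ports with no answered SYN
missing_ports() {
  f=$1; shift
  for p in "$@"; do
    handshake_summary "$f" |
      awk -v p="$p" '$1 == p && $4 != "synack=0" { ok = 1 } END { exit !ok }' || echo "$p"
  done
}

# Sample input: lines abbreviated from the capture above; the SYN-ACK for
# port 10443 is omitted on purpose (constructed failure case).
cap=$(mktemp)
cat > "$cap" <<'EOF'
18:18:11.357782 IP 172.70.xxx.xx.55072 > 162.133.xx.xx.443: Flags [S], seq 3550416429, win 64240, length 0
18:18:11.357830 IP 162.133.xx.xx.443 > 172.70.xxx.xx.55072: Flags [S.], seq 3015740296, ack 3550416430, win 28960, length 0
18:18:11.359145 IP 172.70.xxx.xx.55072 > 162.133.xx.xx.443: Flags [.], ack 1, win 8, length 0
18:18:25.477195 IP 172.70.yyy.yy.44564 > 162.133.xx.xx.8443: Flags [S], seq 2405083754, win 64240, length 0
18:18:25.477238 IP 162.133.xx.xx.8443 > 172.70.yyy.yy.44564: Flags [S.], seq 2124469857, ack 2405083755, win 28960, length 0
18:18:37.584897 IP 172.70.zzz.zzz.15204 > 162.133.xx.xx.9443: Flags [S], seq 3473893602, win 64240, length 0
18:18:37.584928 IP 162.133.xx.xx.9443 > 172.70.zzz.zzz.15204: Flags [S.], seq 3975739026, ack 3473893603, win 28960, length 0
18:18:51.157742 IP 172.68.vvv.vvv.13328 > 162.133.xx.xx.10443: Flags [S], seq 855401311, win 64240, length 0
EOF

handshake_summary "$cap"
missing_ports "$cap" 443 8443 9443 10443
```

The peer addresses in the summary are the addresses that connected to the origin, so the same output also shows which source addresses a host firewall rule for these four ports would have to admit.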