Hi Brane,

On Fri, Jul 08, 2011 at 09:34:21AM +0200, Brane F. Gračnar wrote:
> I'm using accept-proxy patch with haproxy 1.4.15 in production for two months 
> without any problems on a moderately loaded instance (cca 3k concurrent 
> connections, 700-800 reqs/sec)...

thanks for your report.

> Patch was written by Cyril Bonte, I'm just providing patch file.
> 
> Willy, I've been thinking about extending proxy protocol - it would be very 
> useful if the protocol would allow additional, optional fields like tls_cipher, 
> tls_client_cert info etc... What is your opinion?

I think the protocol can be extended, it was designed to do so.
However, we should be careful. Right now it's designed so that
low level client information is sent (I mean layer4). If upper
layer protocol information is to be added, we should ensure to
respect layering so that parsers don't have to read everything
and that they can easily ignore what they don't care about.

> I'm also missing ability in haproxy (some kind of built-in acl) if connection 
> was accepted from listener with accept-proxy flag set.

In fact you can already do this. The ACLs support the "so_id" match which
matches on the ID of the accepting socket. You can simply force your socket's
ID using the "id" parameter (in order not to have to guess it) and use that in
your rules:

frontend pub
        bind :80
        bind 127.0.0.1:81 accept-proxy id 10
        ...
        acl from-proxy so_id 10

Cheers,
Willy
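The PROXY protocol v1 header that an accept-proxy listener consumes, parsed strictly, as an added example that is not from this thread or from haproxy's own code. It shows the layering Willy describes (the receiver ignores whatever follows UNKNOWN) while rejecting any malformed line instead of silently falling back to the socket's own peer address.

```python
import ipaddress
import re

MAX_V1_HEADER = 107   # longest valid v1 line including CRLF, per the spec
_PORT_RE = re.compile(r"^(0|[1-9][0-9]*)$")   # decimal, no leading zeros


class ProxyHeaderError(ValueError):
    """Malformed header: close the connection; never trust the raw peer address."""


def _addr(token: str, family) -> str:
    try:
        addr = family(token)
    except ValueError:
        raise ProxyHeaderError(f"bad address {token!r}") from None
    # Reject non-canonical IPv4 spellings (leading zeros) on every Python version.
    if family is ipaddress.IPv4Address and str(addr) != token:
        raise ProxyHeaderError(f"non-canonical IPv4 {token!r}")
    return str(addr)


def _port(token: str) -> int:
    if not _PORT_RE.match(token) or int(token) > 65535:
        raise ProxyHeaderError(f"bad port {token!r}")
    return int(token)


def parse_proxy_v1(data: bytes):
    """Parse a PROXY v1 header at the start of `data`; return (info, payload)."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)   # CRLF must lie within 107 bytes
    if end == -1:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    line, rest = data[:end], data[end + 2:]
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in header") from None
    fields = text.split(" ")   # exactly single spaces; "  " yields "" and fails below
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        # Layer-4 info unavailable; the spec lets us ignore anything after UNKNOWN.
        return {"proto": "UNKNOWN"}, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError(f"unsupported or malformed header {text!r}")
    family = ipaddress.IPv4Address if fields[1] == "TCP4" else ipaddress.IPv6Address
    return {
        "proto": fields[1],
        "src": _addr(fields[2], family), "dst": _addr(fields[3], family),
        "src_port": _port(fields[4]), "dst_port": _port(fields[5]),
    }, rest
```

The header carries whatever the sender claims, so it should only be accepted on listeners reachable solely by the trusted front proxy, which is what binding accept-proxy on 127.0.0.1:81 in the configuration above achieves.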

