Hi Mark,
> Yes, I should have listed this as alternative 3. Although we're willing to
> adopt HAProxy 1.5 in production for its implementation of the proxy
> protocol, I'm a bit more conservative as for the new embedded SSL offloader
> in HAProxy.

Let me throw in a few thoughts here:

- HAProxy with native SSL/TLS already has a decent (and increasing) amount of users and it does work very well, in my opinion
- by doing it with HAProxy your deployment stack is significantly simplified
- HAProxy in native SSL/TLS mode is aware of things like SNI, so you can do layer 7 content switching based on SSL/TLS variables
- as you can see from Cyril's mail, users already start thinking about migrating from stunnel/HAProxy to native SSL/TLS in HAProxy

Personally, I would go the native HAProxy way.

> Also I would expect that stunnel/HAProxy scales better than HAProxy+SSL.

I don't think that's the case. stud/HAProxy [1] already scales better than stunnel/HAProxy [2], and native SSL/TLS in HAProxy will scale even better.

Regards,
Lukas

[1] https://github.com/bumptech/stud
[2] http://vincent.bernat.im/en/blog/2011-ssl-benchmark-round2.html#conclusion

