Hi guys,

On Mon, Jul 22, 2013 at 03:42:11PM +0200, Lukas Tribus wrote:
> Hi Mark,
> 
> 
> > > Yes, I should have listed this as alternative 3. Although we're willing to
> > > adopt HAProxy 1.5 in production for its implementation of the proxy
> > > protocol, I'm a bit more conservative as for the new embedded SSL offloader
> > > in HAProxy.
> 
> Let me throw in a few thoughts here:
> - HAProxy with native SSL/TLS already has a decent (and increasing) number of
>   users and it does work very well, in my opinion
> - by doing it with HAProxy your deployment stack is significantly simplified
> - HAProxy in native SSL/TLS mode is aware of things like SNI, so you can do
>   layer 7 content switching based on SSL/TLS variables
> - as you can see from Cyril's mail, users already start thinking about
>   migrating from stunnel/HAProxy to native SSL/TLS in HAProxy
> 
> Personally, I would go the native HAProxy way.

There is also an intermediate solution: have haproxy 1.5 do the SSL on
the front side and forward to 1.4 which does the HTTP stuff. For this you
can decide to use x-forwarded-for or the proxy protocol with Cyril's patch
for 1.4. That way you significantly limit your risks and at the same time
you can progressively start putting some stuff in the front 1.5 and remove
the 1.4 when 1.5 final is released.

> > Also I would expect that stunnel/HAProxy scales better than HAProxy+SSL.
> 
> I don't think that's the case. stud/HAProxy [1] already scales better than
> stunnel/HAProxy [2], and native SSL/TLS in HAProxy will scale even better.

I can confirm that we got an impressive boost in our ALOHA by replacing
stunnel with native haproxy (about 2.5x).

Regards,
Willy
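The two-tier layout Willy describes above (1.5 terminating TLS in front, the existing 1.4 doing HTTP behind it, joined by the proxy protocol), written out as an added configuration example. This is not configuration from the thread or from the HAProxy project; the file names, certificate path, ports, backend addresses and server names are assumptions, and the 1.4 side assumes a build carrying Cyril's accept-proxy patch.

```haproxy
# --- haproxy-1.5.cfg: TLS termination tier (front) --- (assumed file name)
global
    log 127.0.0.1 local0
    maxconn 20000
    user haproxy
    group haproxy
    daemon

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Terminate TLS here and stay in TCP mode; all HTTP processing remains on
# the 1.4 tier. The certificate path (key + chain in one PEM) is assumed.
frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/site.pem
    default_backend http-tier

# send-proxy prepends the PROXY protocol header to each connection, so the
# 1.4 instance learns the real client address even though every connection
# it sees arrives from 127.0.0.1.
backend http-tier
    server haproxy14 127.0.0.1:8080 send-proxy check

# --- haproxy-1.4.cfg: HTTP tier (back), 1.4 with the accept-proxy patch ---
global
    log 127.0.0.1 local0
    maxconn 20000
    user haproxy
    group haproxy
    daemon

defaults
    log     global
    mode    http
    option  httplog
    option  forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# accept-proxy makes this listener parse the PROXY header and use the client
# address it carries for logging, ACLs and the X-Forwarded-For header added
# by "option forwardfor". Bind it to loopback only: an accept-proxy listener
# trusts whatever source address the header claims, so any remote peer able
# to reach it could forge client addresses.
frontend http-in
    bind 127.0.0.1:8080 accept-proxy
    default_backend webservers

backend webservers
    balance roundrobin
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check
```

If the 1.4 build does not have the accept-proxy patch, the alternative Willy mentions is to switch the 1.5 frontend and backend to "mode http" with "option forwardfor" and drop "send-proxy" and "accept-proxy"; the 1.4 tier then reads the client address from X-Forwarded-For instead of from the PROXY header, which is the point where 1.5 starts doing some of the HTTP work itself.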

