On 23 Jul 2013, at 11:36, Willy Tarreau <[email protected]> wrote:
> Hi guys,
>
> On Mon, Jul 22, 2013 at 03:42:11PM +0200, Lukas Tribus wrote:
>> Hi Mark,
>>
>>
>>> Yes, I should have listed this as alternative 3. Although we're willing to
>>> adopt HAProxy 1.5 in production for its implementation of the proxy
>>> protocol, I'm a bit more conservative as for the new embedded SSL offloader
>>> in HAProxy.
>>
>> Let me throw in a few thoughts here:
>> - HAProxy with native SSL/TLS already has a decent (and increasing) amount of
>>   users and it does work very well, in my opinion
>> - by doing it with HAProxy your deployment stack is significantly simplified
>> - HAProxy in native SSL/TLS mode is aware of things like SNI, so you can do
>>   layer 7 content switching based on SSL/TLS variables
>> - as you can see from Cyril's mail, users already start thinking about
>>   migrating from stunnel/HAProxy to native SSL/TLS in HAProxy
>>
>> Personally, I would go the native HAProxy way.
>
> There is also an intermediary solution: have haproxy 1.5 do the SSL on
> the front side and forward to 1.4 which does the HTTP stuff. For this you
> can decide to use x-forwarded-for or the proxy protocol with Cyril's patch
> for 1.4. That way you significantly limit your risks and at the same time
> you can progressively start putting some stuff in the front 1.5 and remove
> the 1.4 when 1.5 final is released.

For now I've decided to bite the bullet and switched to 1.5-dev19. Should we get stability issues, I'll report here and split http and https in 1.4-patched and 1.5-dev (clever idea, btw).

>
>>> Also I would expect that stunnel/HAProxy scales better than HAProxy+SSL.
>>
>> I don't think that's the case. stud/HAProxy [1] already scales better than
>> stunnel/HAProxy [2], and native SSL/TLS in HAProxy will scale even better.
>
> I can confirm that we got an impressive boost in our ALOHA by replacing
> stunnel with native haproxy (about 2.5x).

Impressive!!!

Thank you all for sharing your thoughts. It really helped me to get a nice loadbalancer setup.

Mark

>
> Regards,
> Willy
>

---
Oudenhof 4c, 4191NW Geldermalsen, The Netherlands
Web site and travel directions: www.peercode.nl
Phone +31.88.0084124 :: Mobile +31.6.51298623

