On 28 Jul 2014, at 11:54, Apollon Oikonomopoulos <apoi...@debian.org> wrote:

>> If anyone has any comment / question / suggestion, as usual feel free to
>> keep the discussion going on.
> 
> Could I also add shared SSL session cache over multiple boxes (like 
> stud), to aid SSL scalability behind LVS directors? It has been asked 
> for before in the mailing list if I recall correctly.

I believe the best way to go here is to do this with TLS Session Tickets. 
Twitter posted a good post about how they set this up:

https://blog.twitter.com/2013/forward-secrecy-at-twitter

I think HAProxy could add something very similar by allowing key rotation 
through the socket interface, much like how OCSP Stapling can now be done. This 
would allow for the creation of tickets and rotate them around a cluster of 
different loadbalancers without having to build a complicated and error-prone 
session cache across multiple machines.

— 
Regards,

Dirkjan Bussink
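
The rotation idea from the message above, as an added example that is not part of the original e-mail and is not HAProxy code: each load balancer holds a small ring of ticket keys and issues tickets with the second-newest one, so a key reaches every node before any node encrypts with it. The 48-byte key layout, the ring size of three and all function names are assumptions made for illustration.

```python
import os

NAME_LEN = 16   # assumed: first 16 bytes of a key are its public key name
KEY_LEN = 48    # assumed layout: 16-byte name + 16-byte AES key + 16-byte HMAC key
RING_SIZE = 3   # assumed ring: previous, current, next


def new_key():
    """Generate one random ticket key (constructed sample data)."""
    return os.urandom(KEY_LEN)


def rotate(ring, fresh):
    """Append a fresh key and drop the oldest; returns a new ring."""
    if len(fresh) != KEY_LEN:
        raise ValueError("ticket key must be %d bytes" % KEY_LEN)
    return (list(ring) + [fresh])[-RING_SIZE:]


def issuing_key(ring):
    """Key used to encrypt new tickets: the second-newest, never the newest,
    so peers that missed the latest rotation can still decrypt."""
    return ring[-2]


def can_decrypt(ring, key_name):
    """A node can resume a session if it holds the key named in the ticket."""
    return any(k[:NAME_LEN] == key_name for k in ring)


def staggered_rollout():
    """Two load balancers; A has received the latest rotation, B has not."""
    keys = [new_key() for _ in range(4)]
    lb_a = rotate(keys[:3], keys[3])   # ring is now keys[1..3]
    lb_b = keys[:3]                    # still keys[0..2]
    name_a = issuing_key(lb_a)[:NAME_LEN]
    name_b = issuing_key(lb_b)[:NAME_LEN]
    return {
        "a_ticket_on_b": can_decrypt(lb_b, name_a),
        "b_ticket_on_a": can_decrypt(lb_a, name_b),
        # Issuing with the newest key instead would break resumption on B:
        "newest_key_on_b": can_decrypt(lb_b, lb_a[-1][:NAME_LEN]),
    }


if __name__ == "__main__":
    print(staggered_rollout())
```

Retiring keys from the ring on a schedule also bounds how long a stolen ticket key can decrypt recorded sessions, which is the forward-secrecy concern the linked Twitter post addresses.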
