I've been tasked with making our websites more responsive, particularly with TLS. I was given this video to watch:
https://www.youtube.com/watch?v=0EB7zh_7UE4

This video specifically mentions haproxy, and I can see conversations including Ilya in my mailing list history, which is really awesome. Thank you to everyone who has made possible all the technologies mentioned in the video.

I have some questions.

I started out with haproxy 1.5.8 from source on CentOS 5. It quickly became apparent that this system would not accommodate any of the cool technologies that Ilya talked about. I have upgraded one of our load balancer machines to Ubuntu 14, so I would have a modern kernel and openssl version. If I should have started with a different distribution for additional capability, please let me know.

By building a cronjob to download the OCSP response once an hour and using NPN, I was able to greatly reduce the initial SSL negotiation time - from over 600 milliseconds to less than 150 milliseconds. My certificates are typically StartSSL Class 2, 2048 bit.

The video talks about SPDY/HTTP2. What I was hoping to find was that I could enable spdy/2 on haproxy and have it use HTTP to the backend, but it appears that this doesn't work ... I'm guessing that it must also be SPDY on the back end. Is this arrangement possible with HTTP2? What's the timeframe for HTTP2 support in haproxy?

Is it still required to build a script and a cronjob to update the OCSP response for stapling, or is there a way to get haproxy itself to do this?

I'm seeing fairly long "time to first byte", even with the new software stack. Ilya's video talks about dynamic TLS record sizes as a way to reduce that time. What do I need to implement that? Can it be set in haproxy, or do I need to make changes to the apache->tomcat backends?

The openssl version I'm using is 1.0.1f-1ubuntu2.7 ... which apparently does not support ALPN. What is the minimum version required for ALPN?

What would the procedure be if I want to compile another version of openssl or boringssl in addition to the packaged version, and then use it to compile haproxy?

In order to ensure the links are correct, I also use SSL on the backends, and I force RC4-MD5 so that it is as efficient as possible. What changes should I make to Apache and/or Tomcat to help with the speed seen by the end user talking to haproxy?

Thanks,
Shawn
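The hourly OCSP refresh job described in the post is the part that haproxy 1.5 leaves to the operator. The script below is an added example of such a job; it is not from this thread and not haproxy's own tooling. It assumes (all of these are assumptions, not values from the post) certificates in /etc/haproxy/certs/<name>.pem with the matching issuer certificate stored beside each one as <name>.issuer, the Ubuntu system CA bundle at /etc/ssl/certs/ca-certificates.crt, a haproxy stats socket at /var/run/haproxy.sock, and socat installed for the live update. The defensive point it adds to a plain "fetch and write" cron job is that a response is only installed after openssl has verified the responder's signature and reported the certificate as good; a verification failure or a revoked status leaves the previous staple in place and logs the reason.

```shell
#!/bin/sh
# Added example: refresh haproxy 1.5 OCSP staples from cron (not part of the original thread).
# Assumed layout: $CERT_DIR/<name>.pem (leaf + chain), $CERT_DIR/<name>.issuer (issuer cert).
# haproxy loads <name>.pem.ocsp at startup; the stats socket takes live updates without a reload.
set -u

CERT_DIR="${CERT_DIR:-/etc/haproxy/certs}"                        # assumed path
HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"              # assumed path
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"       # Ubuntu default, assumed
MAX_AGE_MIN="${MAX_AGE_MIN:-50}"                                   # skip refresh if staple is younger

# staple_is_fresh FILE MINUTES: succeed if FILE exists and was modified within MINUTES.
# Lets the script be run from a boot hook as well as cron without hammering the responder.
staple_is_fresh() {
    f="$1"; max="$2"
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -mmin "-$max" 2>/dev/null)" ]
}

# ocsp_uri CERT: print the responder URL from the certificate's AIA extension.
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# response_accepted TEXT: accept only a response whose signature verified and whose
# status is "good". TEXT is what `openssl ocsp` prints on stdout/stderr.
response_accepted() {
    printf '%s\n' "$1" | grep -q '^Response verify OK$' || return 1
    printf '%s\n' "$1" | grep -q ': good$' || return 1
    printf '%s\n' "$1" | grep -qi 'revoked' && return 1
    return 0
}

# push_to_haproxy OCSPFILE: hand the DER response to the running haproxy over the stats socket.
# haproxy 1.5's "set ssl ocsp-response" takes the response base64-encoded on one line.
push_to_haproxy() {
    command -v socat >/dev/null 2>&1 || { echo "socat missing; staple installed for next reload only" >&2; return 0; }
    b64=$(base64 "$1" | tr -d '\n')
    printf 'set ssl ocsp-response %s\n' "$b64" | socat stdio "unix-connect:$HAPROXY_SOCK"
}

# refresh_one CERT: fetch, verify and install the staple for one certificate.
refresh_one() {
    cert="$1"
    issuer="${cert%.pem}.issuer"
    out="$cert.ocsp"
    staple_is_fresh "$out" "$MAX_AGE_MIN" && return 0
    [ -f "$issuer" ] || { echo "skip $cert: no issuer file $issuer" >&2; return 1; }
    uri=$(ocsp_uri "$cert") && [ -n "$uri" ] || { echo "skip $cert: no OCSP URI" >&2; return 1; }
    tmp="$out.tmp.$$"
    # -no_nonce: CDN-fronted responders serve cached, pre-signed answers only for nonce-less requests.
    # -CAfile: the responder's signing certificate must chain to a trusted root before we believe it.
    result=$(openssl ocsp -no_nonce -issuer "$issuer" -cert "$cert" -url "$uri" \
                 -CAfile "$CA_BUNDLE" -respout "$tmp" 2>&1)
    if response_accepted "$result"; then
        mv "$tmp" "$out"
        push_to_haproxy "$out"
    else
        rm -f "$tmp"
        echo "rejected OCSP response for $cert: $result" >&2
        return 1
    fi
}

# refresh_all: walk every certificate; a failure for one does not stop the others.
refresh_all() {
    rc=0
    for c in "$CERT_DIR"/*.pem; do
        [ -e "$c" ] || continue
        refresh_one "$c" || rc=1
    done
    return $rc
}

# Invoked as "ocsp-refresh.sh run" from cron; without the argument only the functions are defined.
if [ "${1:-}" = "run" ]; then refresh_all; fi
```

A cron line such as `17 * * * * /usr/local/sbin/ocsp-refresh.sh run` keeps the staple current; the `MAX_AGE_MIN` guard is what makes it safe to also call the script from a post-reload hook. The response file haproxy reads at startup is the same one the socket update installs live, so a reload never falls back to an unstapled handshake.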

