Hi Pieter, On Mon, Apr 11, 2016 at 09:14:56PM +0200, PiBa-NL wrote: > Hi Willy, Emeric, > Op 11-3-2016 om 16:25 schreef Christopher Faulet: > >Hi, > > > >I've slightly updated my patch to improve it and to fix some > >inconsistencies. > > > >First of all, now "ssl-upgrade" and "no-ssl-upgrade" actions can be used > >on "tcp-request content" rules _AND_ "tcp-request connection" rules, in > >a frontend _OR_ a backend definition. > > > >Then, these actions are now custom actions. I think this is cleaner this > >way. > > > >And finally, by default, no SSL upgrade is done when "defer-ssl-upgrade" > >option is used. So you need to use explicitly a "ssl-upgrade" rule to > >perform it. For a lack of finding the right place to do SSL upgrades > >when no "tcp-request" rule is defined, I've decided to change the > >default behavior. I've kept the "defer-ssl-upgrade" keyword, but now, > >"skip-ssl-upgrade" could be more appropriate. If you prefer, i can do > >the change. > > > > The patch from Christopher looks to provide a nice additional feature. > Allowing offloading and sni passthrough on a single ip:port. > And with my limited testing it looks to work properly. > > What do guys think about his latest patch?
I used to have an issue with it that I couldn't describe but was just feeling. I've recently found what it was, it's that with the action in the TCP rules it will break HTTP/2 if executed in the backend. I briefly discussed it with Christopher last friday but we have to discuss it more. I agree that it's useful, we just need to be sure how to properly place it in the code to ensure it perfectly matches everyone's needs without adding trouble. Cheers, Willy
