Hi, I'm thinking about using HAProxy to terminate SSL connections for thousands of domains on a single frontend (using SNI).
Certificates will obviously need to be added/removed/renewed quite regularly. Right now it seems that the usual strategy to manage this is to maintain the list of all certificates in a directory and reload haproxy whenever needed.

However, from what I understand, this has the following drawbacks:
- whenever haproxy soft-restarts, new connections might be dropped
- very slow startup time for many SSL certificates (which also drops traffic during that time?)
- loss of state (e.g., SSL session cache, stick tables, non-persisted ACLs...)

A great feature would be to be able to dynamically add/remove SSL certificates (or reload them all) from a running haproxy instance, through the stat socket - in a way that doesn't drop traffic nor block haproxy.

Is there some work planned/in progress on this subject? Is there a way to help here? Or did I miss another way to solve this?

Thanks!

Kind regards,
Cedric

