Hi,

> On 7 Feb 2017, at 16:47, Cedric Maion <[email protected]> wrote:
>
> Hi,
>
> I'm thinking about using HAProxy to terminate SSL connections for
> thousands of domains on a single frontend (using SNI).
>

I use haproxy for that with live restarts without (seen) the drawbacks you mention.

Manu

> Certificates will obviously need to be added/removed/renewed quite
> regularly.
>
> Right now it seems that the usual strategy to manage this is to maintain
> the list of all certificates in a directory and reload haproxy
> whenever needed.
> However, from what I understand, this has the following drawbacks:
> - whenever haproxy soft-restarts, new connections might be dropped
> - very slow startup time for many SSL certificates (which also drops
> traffic during that time?)
> - loss of state (e.g., SSL session cache, stick tables, non-persisted
> ACLs...)
>
> A great feature would be to be able to dynamically add/remove SSL
> certificates (or reload them all) from a running haproxy instance,
> through the stat socket - in a way that doesn't drop traffic nor block
> haproxy.
> Is there some work planned/in progress on this subject?
> Is there a way to help here?
>
> Or did I miss another way to solve this?
>
> Thanks!
> Kind regards,
>
> Cedric
>
>


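The "certificates in a directory, then reload" strategy that Cedric describes and Manu uses, as an added example that is not part of the mailing-list thread and not HAProxy project code. It writes a minimal SNI frontend that loads every PEM from a directory (`crt` pointing at a directory and `strict-sni` are standard `bind` options), sanity-checks the PEM files before touching the running instance, validates the config with `haproxy -c`, and only then starts the new process with `-sf` so the old one drains in-flight connections. The paths, the `https_in`/`app` names, the `127.0.0.1:8080` backend and the `HAPROXY_BIN`/`CERT_DIR`/`CFG`/`PIDFILE` variables are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): reload wrapper for an HAProxy SNI
# frontend that loads every PEM in one directory. Paths are assumptions.
set -eu

HAPROXY_BIN="${HAPROXY_BIN:-haproxy}"
CERT_DIR="${CERT_DIR:-/etc/haproxy/certs}"
CFG="${CFG:-/etc/haproxy/haproxy.cfg}"
PIDFILE="${PIDFILE:-/run/haproxy.pid}"

# Write a frontend that terminates TLS for every cert in the directory.
# strict-sni refuses handshakes for names with no matching cert instead of
# falling back to the first certificate loaded, so a hostname that was never
# provisioned is not silently served another tenant's certificate.
write_config() {
    cfg="$1"; cert_dir="$2"
    cat > "$cfg" <<EOF
global
    stats socket /run/haproxy.sock mode 600 level admin
    tune.ssl.default-dh-param 2048
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
frontend https_in
    bind :443 ssl crt $cert_dir strict-sni
    default_backend app
backend app
    server app1 127.0.0.1:8080
EOF
}

# Each PEM must carry both the certificate (plus chain) and its private key.
# A file missing either part makes the new process fail to start, so catch
# it here rather than discovering it mid-reload.
check_cert_dir() {
    dir="$1"; bad=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || { echo "no PEM files in $dir" >&2; return 1; }
        grep -q 'BEGIN CERTIFICATE' "$f" || { echo "$f: no certificate" >&2; bad=1; }
        grep -q 'PRIVATE KEY' "$f" || { echo "$f: no private key" >&2; bad=1; }
    done
    return $bad
}

# Validate, then hand over. -sf tells the new process to let the old one
# finish its connections and exit. The window between the old listener
# closing and the new one accepting is the "new connections might be
# dropped" drawback raised in the thread; -c before the handover at least
# guarantees the old process is never killed for a config that cannot load.
reload_haproxy() {
    check_cert_dir "$CERT_DIR"
    "$HAPROXY_BIN" -c -q -f "$CFG"
    if [ -s "$PIDFILE" ]; then
        # shellcheck disable=SC2046  # pidfile may hold several pids, one per line
        "$HAPROXY_BIN" -f "$CFG" -p "$PIDFILE" -sf $(cat "$PIDFILE")
    else
        "$HAPROXY_BIN" -f "$CFG" -p "$PIDFILE"
    fi
}

# Run as: reload.sh reload   (sourcing the file only defines the functions)
if [ "${1:-}" = "reload" ]; then
    write_config "$CFG" "$CERT_DIR"
    reload_haproxy
fi
```

Source the file to get `write_config`, `check_cert_dir` and `reload_haproxy` as functions, or run it with the `reload` argument to regenerate the config and hand over. The state-loss drawbacks in the thread (SSL session cache, stick tables) are inherent to this approach: the new process starts with empty tables, which is why this wrapper never restarts more often than a certificate change requires.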