Hi,
On 04.03.2017 at 15:27, mlist wrote:
I said I'm using a dedicated ip:443 bind as a clean solution because "the current haproxy client certificate management implementation is not optimal nor flexible nor scalable in other configurations" so, in this test we can waste one public IP and manage a useless additional frontend, having to manage 2 frontends instead of one.
Once the bug is fixed you can manage everything easily and with a single IP, expected when you need per directory client
certificate negotiation, which is what we are discussing here.
One needs to use another IP also for only one directory in the same domain if needed... Not so good! It is simple: if all web servers (Apache, IIS, nginx, ...) have such a feature, it is because it is useful and used! :D
nginx does not have this feature.
What if one has many applications, each with a different client certificate configuration for each directory?
We can imagine theoretical use cases for all kinds of features, that doesn't mean we implement them. Real use-cases matter.
You can leave the haproxy implementation as is if you think this is the right way. I found this implementation not at all flexible and far away from the haproxy standard mindset.
You are not hearing what I'm saying. When the bug is fixed you can manage your real use-case easily.
I think this is an important feature, but the choice is yours!
I don't decide, I'm just expressing my opinion about this feature.

cheers,
lukas

