> On 13 Apr 2017, at 12:28, Willy Tarreau <w...@1wt.eu> wrote:
>
> On Thu, Apr 13, 2017 at 12:21:20PM +0200, Thierry Fournier wrote:
>>> .) the patches apply only on haproxy 1.8 because some files do not exist
>>> on 1.7 ( e. g. include/proto/spoe.h )
>>
>> Ok. I think that SPOE was introduced in 1.7; obviously I'm wrong.
>
> No, it was introduced in 1.7 but there were some improvements later
> (like pipelining etc).
>
> (...)
>>> .) How can the rule-set be reloaded? stop & start || gracefully?
>>
>> I do not process this part. Today, you must stop and start the process. The
>> graceful doesn't exist.
>> I guess that the graceful can be implemented easily. You can ensure the
>> availability of the SPOA Modsec using the properties of the HAProxy backend.
>
> Actually that's a very good point. I think it would even be possible to
> ensure a graceful shutdown using disable-on-404 or using an agent so
> that you can roll the restart over multiple WAF nodes.
Interesting. I think about a system which (on the SPOA side) stops the listeners and waits for the end of processing of the current requests. This way, the SPOA doesn't accept requests, and HAProxy sends requests to the other process.

Another way is using the CLI and setting one spoa/modsec in graceful mode.

Adding a special check is the best way, but the daemon speaks SPOP and not HTTP. Maybe a thread which listens on a specific port dedicated to this function? Or improving SPOP to ask for graceful mode in the agent-hello response message? (It seems that HAProxy sends haproxy-hello messages periodically, but maybe I'm wrong.)

Thierry

> Willy