On Wed, Feb 20, 2019 at 3:14 PM Joao Morais <l...@joaomorais.com.br> wrote:

>
>
> > Em 20 de fev de 2019, à(s) 03:30, Baptiste <bed...@gmail.com> escreveu:
> >
> > Hi Joao,
> >
> > I do have a question for you about your ingress controller design and
> the "chained" frontends, summarized below:
> > * The first frontend is on tcp mode binding :443, inspecting sni and
> doing a triage;
> >    There is also a ssl-passthrough config - from the triage frontend
> straight to a tcp backend.
> > * The second frontend is binding a unix socket with ca-file (tls
> authentication);
> > * The last frontend is binding another unix socket, doing ssl-offload
> but without ca-file.
> >
> > What feature is missing in HAProxy to allow switching these 3 frontends
> into a single one?
> > I understand that the ability to do ssl deciphering and ssl passthrough
> on a single bind line is one of them. Is there anything else we could
> improve?
> > I wonder if crt-list would be useful in your case:
> https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-crt-list
> >
> Hi Baptiste, I’m changing the approach of the frontend creation - if the
> user configuration just needs one, this one will listen on :443 without
> needing to chain another one. Regarding switching to more frontends - or at
> least more bind lines in the same frontend - and creating the mode-tcp one,
> here are the current rules:
>
> * conflict on timeout client - and perhaps on other frontend configs -
> distinct frontends will be created to each one
> * if one really wants to use a certificate that doesn’t match its domain -
> crt-list sounds like it solves this
> * tls auth (bind with ca-file) and no tls auth - I don’t want to mix them
> in the same frontend because of security - tls auth uses sni, no tls auth
> uses host header
> * ssl-passthrough as you have mentioned
>
> ~jm
>
>
Hi Joao,

I am not worried about having many frontends in a single HAProxy
configuration; I am more worried by "chaining" frontends, for performance
reasons.
So having one frontend per app because they use different settings is fine,
from my point of view, unless you must chain one TCP frontend to route
traffic to the application frontend based on SNI.

I don't understand the point about TLS auth. crt-list allows you to load
multiple certificates and to define custom parameters for each of them,
and this includes ca-file. It's a powerful feature.

What I am trying to figure out is what would be a recommendation for a high
performance deployment of your ingress controller.

Baptiste
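
As an added illustration of the crt-list approach discussed in this thread (example configuration written for this page, not the ingress controller's generated output and not Baptiste's): one frontend, one bind line, client-certificate authentication attached only to the certificate of the mTLS application, and a check that the Host header cannot reach that application without the matching SNI, which is the mixing concern Joao raised. All hostnames, file paths, ports and backend names are assumed placeholders.

```haproxy
# /etc/haproxy/certs.list  (constructed example; every path and hostname is a placeholder)
# Line format: <cert.pem> [<ssl bind options>] [<sni filters>...]
# The first entry is the default certificate, used when a client sends no SNI.
/etc/haproxy/certs/default.pem
# Client-certificate authentication only for this SNI
/etc/haproxy/certs/app-mtls.pem [ca-file /etc/haproxy/ca/clients.pem verify required] app-mtls.example.com
# Plain TLS offload, no client certificate asked for
/etc/haproxy/certs/app-public.pem [verify none] app-public.example.com

# /etc/haproxy/haproxy.cfg (constructed example)
frontend https
    mode http
    timeout client 30s
    # Single bind: certificates and their per-certificate options come from the crt-list,
    # so no TCP-mode triage frontend has to be chained in front of this one.
    bind :443 ssl crt-list /etc/haproxy/certs.list

    acl sni_mtls   ssl_fc_sni -i app-mtls.example.com
    acl host_mtls  req.hdr(host),field(1,:) -i app-mtls.example.com
    acl host_pub   req.hdr(host),field(1,:) -i app-public.example.com
    acl cert_sent  ssl_c_used
    acl cert_valid ssl_c_verify 0

    # "verify required" from the crt-list is only in effect when the SNI matched.
    # A request naming the mTLS app in the Host header but sent without that SNI
    # was handled by a certificate context with no client verification: refuse it.
    http-request deny if host_mtls !sni_mtls
    # Only route to the authenticated backend when a client certificate was
    # presented and verified against the CA from the crt-list entry.
    http-request deny if host_mtls !cert_sent
    http-request deny if host_mtls !cert_valid

    use_backend app_mtls   if host_mtls
    use_backend app_public if host_pub
    default_backend app_public

backend app_mtls
    server s1 127.0.0.1:8081
backend app_public
    server s1 127.0.0.1:8082
```

An application that genuinely needs a different `timeout client` or other frontend-level setting still gets its own frontend and bind, as Joao's first rule says; the crt-list only removes the need for the chained TCP triage and for separate frontends per ca-file.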
