Sebastien Estienne

On 7 Jul 2011, at 20:10, Willy Tarreau <w...@1wt.eu> wrote:

> Hi Sebastien,
> 
> On Thu, Jul 07, 2011 at 06:30:10PM +0200, Sebastien Estienne wrote:
>> Hello,
>> 
>> I'd like to use stud https://github.com/bumptech/stud with Haproxy for
>> SSL support.
>> Stud implements the haproxy proxy protocol, and I'd like to know if
>> this will be backported to haproxy 1.4?
> 
> We have a patch for haproxy 1.4, but at this point I'd rather avoid
> backporting it in mainline, because whatever we add to mainline
> presents a risk of regression and mechanically induces new versions
> for fixes. It's important that we can provide as much as possible
> safe 1.4 versions now, it's deployed at a number of sensible sites
> and we have to be careful. I think that as you can understand if
> you're a 1.4 user right now.
> 

Yes, we perfectly understand this, and that is what we like about haproxy.
But the demand for SSL is growing; it's even mandatory for some use cases.
Stud looks really promising and solid and a good match for haproxy, as it was
designed to be used with haproxy ( http://devblog.bu.mp/introducing-stud ).
Today we have the choice between:
- haproxy 1.4 + patched stunnel
- haproxy 1.5 dev + stud
- patched haproxy 1.4 + stud

The last one seems the most stable with the best performance, so as the demand
for SSL is growing, I think it would be a big plus if haproxy 1.4 could work
with stud without being patched.

I don't know if it would make sense, but maybe stud could be integrated somehow
in haproxy like this:
Instead of starting stud then haproxy separately, the main haproxy process
could fork some stud-like process (binding 443), as it already forks haproxy
children for multicore, and it would discuss using the proxy protocol
transparently for the end user, with no need to set up the link between both.

This would offer a seamless SSL integration without hurting haproxy codebase
and stability for clear http content.


> However, if we notice there is growing demand before 1.5 is released
> and the patch looks totally safe, I'm not opposed to reconsider my
> statement.
> 
> Concerning stud, I did not know about it. I think it will be very
> appealing to a number of current stunnel users. It looks like strong
> guys are contributing to it, and the fact that it adopted the PROXY
> protocol could make it easier to integrate than stunnel!
> 
> Cheers,
> Willy
> 
