Re[2]: haproxy without balancing

2018-01-06 Thread Aleksandar Lazic

Hi Angelo.

-- Original message --
From: "Angelo Hongens" 
To: "Aleksandar Lazic" ; haproxy@formilux.org
Sent: 06.01.2018 18:20:47
Subject: Re: haproxy without balancing


Hey Aleksandar,

On 05-01-2018 22:05, Aleksandar Lazic wrote:
We run a lot of balancers with varnish+hitch+haproxy+corosync for 
high-available loadbalancing. Perhaps high-availability is not a 
requirement, but it's also nice to be able to do maintenance during 
the day and have your standby node take over..
Just for my curiosity why hitch and not only haproxy for ssl 
termination?


I use varnish as a single point of entry for requests and for caching. 
I guess because it's a really good product, and we've been using it for 
a long time. It has some custom business logic built in our vcl as 
well, and allows for a lot of http magic. I got training on varnish 
tuning and monitoring, and all of our scripts revolve around varnish 
and its logs. And they have very cool real-time analysis tools like 
varnishlog, varnishhist, varnishstat, etc.


Varnish passes all requests to a local haproxy instance, which passes 
requests to the right backends based on hostname. So we use haproxy for 
balancing to backends.


When the time came we needed ssl termination, I wanted a simple 
solution that does that one thing well, and I still wanted varnish as 
entry point. We played around with different products (squid, nginx), 
but then the varnish team forked stud and called it hitch. And the nice 
thing is almost all varnish users use hitch for ssl termination, and 
the varnish team is willing to offer commercial support for both.


I've been thinking about different setups as well, such as running one 
haproxy instance for ssl termination, passing requests to varnish and 
then pass it to another instance of haproxy that sends requests to the 
backends, but I think my current setup serves us best and we use the 
best tool for the jobs at hand. I think hitch is a great ssl 
terminator, varnish is a great cache/spoonfeeder, and haproxy is the 
best balancer.


--
Kind regards,
Angelo Höngens

Thank you very much for your detailed answer.
I fully agree with you, especially as you have a working and supported 
set-up.


It would be interesting if hitch can be replaced with haproxy without 
any issues.


I plan to use haproxy in front of varnish and I would be very 
appreciative for any hints, maybe off-list so that we don't upset the 
haproxy list members.


Best regards
Aleks




Re[2]: haproxy without balancing

2018-01-05 Thread Aleksandar Lazic

Hi Angelo.

-- Original message --
From: "Angelo Hongens" 
To: haproxy@formilux.org
Sent: 05.01.2018 11:49:55
Subject: Re: haproxy without balancing


On 05-01-2018 11:28, Johan Hendriks wrote:

Secondly we could use a single ip and use ACL to route the traffic to
the right backend server.
The problem with the second option is that we have around 2000 different
subdomains and this number is still growing. So my haproxy config will
then consist of over 4000 lines of acl rules,
and I do not know if haproxy can deal with that or if it will slow down
requests too much.

Maybe there are other options I did not think about?
For me the second config is the best option because of the single IP,
but I do not know if haproxy can handle 2000 acl rules.


I would choose the second option. I don't think the 2000 acls is a 
problem. I've been running with more than that without any problems.


A single point of entry is easiest.

We run a lot of balancers with varnish+hitch+haproxy+corosync for 
high-available loadbalancing. Perhaps high-availability is not a 
requirement, but it's also nice to be able to do maintenance during the 
day and have your standby node take over..
Just for my curiosity why hitch and not only haproxy for ssl 
termination?



--

Kind regards,
Angelo Höngens


Regards
Aleks
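
Added example, not part of the thread and not any poster's configuration: for the single-IP option with around 2000 subdomains discussed above, HAProxy can also pick the backend with one Host-header lookup in a map file instead of one acl/use_backend pair per name. The file path, backend names, hostnames and addresses below are constructed for illustration.

```haproxy
# haproxy.cfg fragment (constructed sample)
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_single_ip
    bind :80
    # Normalise the Host header (lowercase, drop any ":port"), then do an
    # exact-match lookup in the map. A host that is not listed falls through
    # to bk_reject, so an unexpected or forged Host header never reaches a
    # real application backend.
    use_backend %[req.hdr(host),lower,field(1,:),map(/etc/haproxy/hosts.map,bk_reject)]

# Contents of /etc/haproxy/hosts.map, one "<hostname> <backend>" pair per line
# (constructed sample; a real file would carry one line per subdomain):
#
#   shop.example.com    bk_shop
#   blog.example.com    bk_blog

backend bk_shop
    server shop1 192.0.2.10:8080 check

backend bk_blog
    server blog1 192.0.2.20:8080 check

backend bk_reject
    # Default for unknown hosts: refuse instead of forwarding anywhere.
    http-request deny
```

Adding a subdomain then means adding one line to the map file, and `haproxy -c -f <config file>` checks the configuration before a reload.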