

HAProxy 1.5 supports SSL offloading and downstream encryption - bastichelaar
http://blog.exceliance.fr/2012/09/04/howto-ssl-native-in-haproxy/

======
deweller
I'm so glad to see that haproxy is finally adding native SSL support.

I have used stunnel (<http://www.stunnel.org/>) in front of HAProxy up to now.
That setup works. But I'm happy that in the future I can remove one of the
moving parts from my machine and just use haproxy.

------
bastichelaar
What I would like to see is a way to change the HAProxy configuration on the
fly, or something like a configuration backend. That would avoid reloading
HAProxy after each config change, and allow a much more flexible
configuration.

~~~
cdavid
Why is haproxy reloading an issue? It works pretty well in my experience
(although I am not in the web business anymore, so things may have changed in
the last two years).

~~~
bastichelaar
Reloading is no issue when you have few frontends or backends. But when you
have a lot of front- or backends, the configuration file will be huge, and
reloading will take some time. If you need to reload every few seconds, this
might even cause downtime. But I guess our workload is not the usual
implementation of HAProxy...

~~~
mcguire
"_But when you have a lot of front- or backends, the configuration file will
be huge, and reloading will take some time. If you need to reload every few
seconds..._"

Uh, yeah, I suspect your workload is unusual.

------
wensheng
I cannot build it in Fedora (both 12 and 16). Ubuntu is fine.

"include/proto/proto_http.h" defined "error_message", this is in conflict with
the "error_message" already defined in "et/com_err.h", which is included by
"krb5/krb5.h", which itself is included by "openssl/kssl.h", which is included
by "openssl/ssl.h".

Where do I submit a bug report? Couldn't find the link on haproxy site.

~~~
ibotty
just use the software-engineering 2.0 way (vc but not github) and send a mail
to their mailing list: haproxy@formilux.org

------
kennu
I wonder if it supports SNI for virtual SSL hosts?

~~~
erichocean
+1 If it did, that'd be really, really helpful.

The spec is pretty simple, I don't know why SSL implementations leave it off.
:(

~~~
daniellockard
Because Windows XP doesn't support SNI, so not many people use it. That's my
theory.

------
StavrosK
Can anyone tell me how HAProxy compares to Varnish? I've used the latter and
swear by it, but I've never used HAProxy. Is it as amazingly fast at caching
as Varnish is?

Right now I do nginx (for SSL) -> Varnish (caching) -> nginx (static
media/proxying) -> gunicorn (Django). I'd love to remove many of those parts.

~~~
wmf
Last I heard, HAProxy does not perform any caching. I agree that fewer
components in the stack would be an improvement, but we seem to be in the
minority.

~~~
ibotty
you are part of a vocal minority. there is a reason though for the unixy model
of operation with more (well-defined as proxies usually are) smaller
components.

------
bsenftner
This is great, exactly when I need it.

------
skyebook
Great to see another hole in secure connections being plugged.

