Channel: Serverphorums.com - HAProxy

Dynamically manage server SSL certificates? (no replies)

Hi,

I'm thinking about using HAProxy to terminate SSL connections for
thousands of domains on a single frontend (using SNI).

Certificates will obviously need to be added/removed/renewed quite
regularly.

Right now it seems that the usual strategy to manage this is to maintain
the list of all certificates in a directory and reload haproxy
whenever needed.
However, from what I understand, this has the following drawbacks:
- whenever haproxy soft-restarts, new connections might be dropped
- very slow startup time for many SSL certificates (which also drops
traffic during that time?)
- loss of state (e.g., SSL session cache, stick tables, non-persisted
ACLs...)

A great feature would be to be able to dynamically add/remove SSL
certificates (or reload them all) from a running haproxy instance,
through the stat socket - in a way that doesn't drop traffic or block
haproxy.
Is there some work planned/in progress on this subject?
Is there a way to help here?

Or did I miss another way to solve this?

Thanks!
Kind regards,

Cedric
