Question
I have an HAProxy 1.5 setup which offloads SSL in front of a couple of webservers (this way, they deal only with HTTP).
My SSL certificate is a wildcard and we are balancing to different backends based on the FQDN.
My frontend config looks like this:
...
frontend my-frontend
    bind ip:443 ssl crt /var/etc/haproxy/wildcard_cert.pem
    mode http
    log global
    option httplog
    option forwardfor
    # Backend selection on the TLS SNI value (available after the handshake).
    # These rules are evaluated first, so they win whenever the SNI matches.
    use_backend my-backend if { ssl_fc_sni my.domain.org }
    use_backend my-backend2 if { ssl_fc_sni my2.domain.org }
    # Backend selection on the HTTP Host header, only reached when no SNI rule matched.
    acl is-domain hdr(host) -i my.domain.org
    acl is-domain2 hdr(host) -i my2.domain.org
    use_backend my-backend if is-domain
    use_backend my-backend2 if is-domain2
...
The special sample fetch ssl_fc_sni can be used in the SSL-offloading case to access the SNI value (whereas the other fetch, req_ssl_sni, applies in the SSL pass-through case):
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#ssl_fc_sni
I wanted to know if ssl_fc_sni performs faster than the HTTP header extraction ACLs. Is there a chance for HAProxy to extract the SNI value and use it before reading the HTTP content, extracting the Host: header and computing my second ACL?
Or is the performance just the same?
Thanks,
Answer 1:
I've asked the same question on the haproxy mailing list and I got an answer:
- ssl_fc_sni performs faster than hdr(host), but it will be imperceptible.
- It's a bad idea to use the SNI value as a backend selector. The basic hdr(host) is definitely more standard, clean and safe.
Mailing list archive: http://marc.info/?l=haproxy&m=144490809910124&w=2
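The frontend rewritten along the lines of that advice, as an added example that is neither the question's config nor anything from the mailing-list reply. It routes on the Host header only, and additionally refuses a request whose Host header disagrees with the SNI the connection was opened with: with the original ordering, a client could send SNI my.domain.org and Host: my2.domain.org and be routed to my-backend while the backend sees a Host it does not serve. The frontend, backend and domain names are taken from the question; the backend server addresses, the bind address and the deny rules are assumptions made for the example.

```haproxy
# Added example, not the question's or the mailing list's config.
# Same SSL-offloading frontend, backend selection on the HTTP Host header only.
frontend my-frontend
    bind :443 ssl crt /var/etc/haproxy/wildcard_cert.pem
    mode http
    log global
    option httplog
    option forwardfor

    # Route on the Host header: this is the value the backend will actually
    # act on, and it is what HTTP routing is defined in terms of. The SNI is
    # sent in the ClientHello and nothing forces it to match the Host header.
    acl is-domain  hdr(host) -i my.domain.org
    acl is-domain2 hdr(host) -i my2.domain.org

    # Optional hardening (assumption for this example): deny requests whose
    # Host header does not match the SNI, rather than letting an earlier
    # SNI rule pick a backend that then receives a foreign Host header.
    # Clients that send no SNI at all do not match these ACLs and fall
    # through to the Host-based rules below.
    acl sni-domain  ssl_fc_sni -i my.domain.org
    acl sni-domain2 ssl_fc_sni -i my2.domain.org
    http-request deny if sni-domain !is-domain
    http-request deny if sni-domain2 !is-domain2

    use_backend my-backend  if is-domain
    use_backend my-backend2 if is-domain2
    # Requests for any other name under the wildcard still need a home.
    default_backend my-backend

# Placeholder backends; the server addresses are made up for the example.
backend my-backend
    mode http
    server web1 10.0.0.11:80 check

backend my-backend2
    mode http
    server web2 10.0.0.12:80 check
```

Two caveats when adapting this. hdr(host) matches the header value as sent, so a client connecting to a non-default port will send "my.domain.org:8443" and the exact-match ACL will not fire; binding only on 443 avoids that here. And the deny rules assume each hostname is served by exactly one backend; if several names legitimately share a certificate and a backend, drop the deny rules and keep only the Host-based use_backend lines, which is the part of the answer that matters.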
Source: https://stackoverflow.com/questions/33085240/haproxy-sni-vs-http-host-acl-check-performance