Haproxy SNI与HTTP Host ACL检查性能 [英] Haproxy SNI vs HTTP Host ACL check performance
问题描述
我有一个HAproxy 1.5设置,可以在几个Web服务器之前卸载SSL(这样,它们仅处理HTTP)
I have a HAproxy 1.5 setup which offloads SSL in front of a couple of webservers (this way, they deal only with HTTP)
我的SSL证书是通配符,我们正在根据FQDN平衡到不同的后端.
My SSL certificate is a wildcard and we are balancing to different backends based on the FQDN.
我的前端配置如下:
...
frontend my-frontend
bind ip:443 ssl crt /var/etc/haproxy/wildcard_cert.pem
mode http
log global
option httplog
option forwardfor
use_backend my-backend if { ssl_fc_sni my.domain.org }
use_backend my-backend2 if { ssl_fc_sni my2.domain.org }
acl is-domain hdr(host) -i my.domain.org
acl is-domain2 hdr(host) -i my2.domain.org
use_backend my-backend if is-domain
use_backend my-backend2 if is-domain2
...
特殊选项 ssl_fc_sni 可用于SSL卸载以访问SNI值的情况(其中其他选项 req_ssl_sni 适用于SSL传递的情况)
The special option ssl_fc_sni can be used in case of SSL offloading to access to the SNI value (where the other option req_ssl_sni applies in case of SSL pass-through)
http://cbonte.github.io/haproxy-dconv/配置1.5.html#ssl_fc_sni
我想知道 ssl_fc_sni 的执行速度是否比HTTP标头提取ACL快? HAProxy是否有机会提取SNI值并在读取HTTP内容,提取Host:Header并计算第二个ACL之前使用它?
I wanted to know if ssl_fc_sni perform faster than HTTP Header extraction ACLs? Is there a chance for HAProxy to extract the SNI value and use it before reading the HTTP content, extracting the Host: Header and computing my second ACL?
还是表现都一样?
谢谢
推荐答案
我在haproxy邮件列表中问了同样的问题,并且得到了答案:
I've asked the same question on the haproxy mailing list and I got an answer:
-
ssl_fc_sni
的执行速度比hdr(host)
快,但是这是不可察觉的. - 使用SNI值作为后端选择器是一个坏主意.基本的
hdr(host)
绝对更加标准,清洁和安全.
ssl_fc_sni
performs faster thanhdr(host)
, but it will be imperceptible.- It's a bad idea to use the SNI value as a backend selector. The basic
hdr(host)
is definitely more standard, clean and safe.
邮件列表档案: http://marc.info/?l=haproxy&m=144490809910124&w = 2
这篇关于Haproxy SNI与HTTP Host ACL检查性能的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!