Hi Mathew,

On Sat, Mar 13, 2010 at 12:10:56PM -0500, Mathew Hennessy wrote:
> Hi,
> I was wondering if there was a link to a 'manager-friendly' list of
> differences/changes/fixes between 1.3.X stable and 1.4.X stable? Particularly
> if there are any new deprecated configs (or outright config breakages, as
> I've had at various times with OpenLDAP or Samba)..

Yes, I've written a private one in French, I must find time to translate it.

> Also, I saw a project in Lua to create a MySQL proxy that will actually
> pass traffic based on the SQL command (L7), so for example you can have all
> your SELECT traffic hit only slaves, and UPDATE/INSERT/DELETE traffic hit
> only masters. I was thinking that could be something doable via ACLs in
> haproxy.. Is that supported, or any interest in adding that?

It's not supported, but if the protocol can easily be decoded it might be
something useful. I'm just doubting because I believe we have to let the
authentication pass first, which I don't know how to handle then.

> ps: Are any of the Haproxy 'appliance' vendors working with VIA
> Padlock-enabled CPUs or other hardware SSL encryption? I'm considering
> building my own (my current HAProxy instances are on xen VMs) that would hand
> SSL off to stunnel and use the Padlock code that's in openssl and linux
> kernel (or, rather, stunnel would listen on 443 and handoff to HAProxy port
> 80).

For HTTPs, using the CPU features for the symmetric crypto does not bring
much more power because what costs *a lot* of CPU is the key processing
(asymmetric crypto). Padlock would be extremely efficient on a VPN gateway
where keys are exchanged once then a permanent bi-dir ciphered stream is
exchanged. On HTTPs (without keep-alive), you can spend 10 times more CPU
cycles establishing the session than you spend transferring data.

At Exceliance, we have tested some small hardware crypto cards which
revealed to be *slower* than the software openssl implementation running
on a Geode 500 MHz because of that! Some high-end very expensive cards
will perform very well but will somewhat offset the advantage of a cheap
machine with cheap software!

Regards,
Willy
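
Added example, not part of the original message and not HAProxy code: a sketch of the L7 decision discussed above, applied to the client-to-server byte stream of a MySQL connection. It assumes a cleartext connection (no TLS), treats every client packet before the first one with sequence id 0 as authentication traffic, and uses hypothetical function names and constructed sample bytes.

```python
COM_QUERY = 0x03  # MySQL command byte for a text-protocol query

def packets(stream: bytes):
    """Yield (sequence_id, payload) for each complete MySQL packet."""
    off = 0
    while off + 4 <= len(stream):
        length = int.from_bytes(stream[off:off + 3], "little")  # 3-byte LE length
        seq = stream[off + 3]                                   # 1-byte sequence id
        payload = stream[off + 4:off + 4 + length]
        if len(payload) < length:
            break  # truncated packet: a proxy would wait for more data
        yield seq, payload
        off += 4 + length

def route_client_stream(stream: bytes):
    """Return one routing decision per client packet."""
    decisions, in_command_phase = [], False
    for seq, payload in packets(stream):
        # During the handshake the client never sends sequence id 0;
        # each command in the command phase restarts at 0.
        if not in_command_phase and seq != 0:
            decisions.append("auth")  # must pass through undecoded
            continue
        in_command_phase = True
        verb = ""
        if payload[:1] == bytes([COM_QUERY]):
            words = payload[1:].decode("utf-8", "replace").split(None, 1)
            verb = words[0].upper() if words else ""
        # Only a plain SELECT goes to a slave; anything else, including
        # non-query commands, takes the safe default.
        decisions.append("slave" if verb == "SELECT" else "master")
    return decisions

def pkt(seq: int, payload: bytes) -> bytes:
    """Frame a payload as a MySQL packet (helper for the constructed sample)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed sample: a fake handshake response, two queries, then COM_QUIT.
SAMPLE = (pkt(1, b"\x00" * 32 + b"user\x00")
          + pkt(0, b"\x03select * from t")
          + pkt(0, b"\x03UPDATE t SET a=1")
          + pkt(0, b"\x01"))

if __name__ == "__main__":
    print(route_client_stream(SAMPLE))
```

The sketch picks a target per statement; it does not address the point raised in the reply, that the login exchange is tied to whichever server answered it.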