Hi Willy.

On 10-11-2016 00:18, Willy Tarreau wrote:
Hi,

HAProxy 1.7-dev6 was released on 2016/11/09. It added 61 new commits
after version 1.7-dev5.

Great ;-)

[snip]

- and the new stream processing offload engine (SPOE). Yes, we had to
    give it a name. And the protocol is called SPOP. This is what allows
    haproxy to offload some of its processing to external processes which
    can apply some actions and set variables. There are a few things that
    really please me here. The first one obviously is that it was
    completed in time. Kudos to Christopher on this one! The next one is
    that I personally find the design quite clean and we left some room
    to improve the protocol later if needed, and to improve our first
    implementation of the protocol without breaking backwards
    compatibility. The next one is that the code lies in its own file
    without affecting the code at all, it solely relies on the new
    filters infrastructure, which at the same time starts to prove its
    maturity, and this is great. The last one is that there's quite an
    extensive doc and even an example of external agent to be used as a
    starting point to move your processing outside. Most likely the first
    use cases will be to implement various forms of authentication or
    content inspection. We're obviously interested in feedback here.
    Those not using it don't have to fear any side effect. More info
    here:

        http://www.haproxy.org/download/1.7/doc/SPOE.txt

I have read the doc. Very interesting.

If I understand this sentence right, currently it is only possible to check some headers, right?

###
Actually, for now, the SPOE can offload the processing before "tcp-request content",
"tcp-response content", "http-request" and "http-response" rules.
###

So a header-only WAF is now "easily" possible instead of the full stack with mod_security.
http://blog.haproxy.com/2012/10/12/scalable-waf-protection-with-haproxy-and-apache-with-modsecurity/

Some attacks are also in the POST body; I assume this will come in the future after some good tests.

Finally some minor performance improvements were brought to the HTTP
parser for large requests or responses (eg: long URLs, huge cookies).
I've observed up to 10% increase in request rate with 1kB cookies and
100-char URIs.

For me, very impressive. Wow, respect.

The goal now really is to test this version and to release it with
minimal changes in 1-2 weeks depending on feedback and bug reports. Yes
that's short, so if you have a few minor pending patches that you'd like
to get merged in 1.7, send them NOW. There are still a number of things
I'd like to see better arranged, so cleanups and code moves may still
happen, and still are welcome, but we must not perform other important
changes now. Please if you want to touch anything in dumpstats.c, notify
William who is trying to tidy all this horrible mess by moving all
non-stats parts to their relevant files (no code change, just functions
being reshuffled around).

If I interpret this right, HTTP/2 will be on the roadmap for 1.8 or 2.0?

Some of our customers want to use http2_push.
I think this requires that the HTTP/2 client (backend) also needs to be implemented, right?

BR Aleks
