Re: Feature/config diff between 1.3/1.4, MySQL ACLs?

From: Willy Tarreau <w#1wt.eu>
Date: Sun, 14 Mar 2010 20:50:44 +0100


Hi Mathew,

On Sat, Mar 13, 2010 at 12:10:56PM -0500, Mathew Hennessy wrote:
> Hi,
> I was wondering if there was a link to a 'manager-friendly' list of differences/changes/fixes between 1.3.X stable and 1.4.X stable? Particuarly if there are any new deprecated configs (or outright config breakages, as I've had at various times with OpenLDAP or Samba)..

Yes, I've written a private one in French; I must find time to translate it.

> Also, I saw a project in Lua to create a MySQL proxy that will actually pass traffic based on the SQL command (L7), so for example you can have all your SELECT traffic hit only slaves, and UPDATE/INSERT/DELETE traffic hit only masters. I was thinking that could be something doable via ACLs in haproxy.. Is that supported, or any interest in adding that?

It's not supported, but if the protocol can easily be decoded it might be something useful. I'm just doubting because I believe we have to let the authentication pass first, which I don't know how to handle then.

> ps: Are any of the Haproxy 'appliance' vendors working with VIA Padlock-enabled CPUs or other hardware SSL encryption? I'm considering building my own (my current HAProxy instances are on xen VMs) that would hand SSL off to stunnel and use the Padlock code that's in openssl and linux kernel (or, rather, stunnel would listen on 443 and handoff to HAProxy port 80).

For HTTPS, using the CPU features for the symmetric crypto does not bring much more power because what costs *a lot* of CPU is the key processing (asymmetric crypto). Padlock would be extremely efficient on a VPN gateway where keys are exchanged once then a permanent bi-dir ciphered stream is exchanged. On HTTPS (without keep-alive), you can spend 10 times more CPU cycles establishing the session than you spend transferring data.

At Exceliance, we have tested some small hardware crypto cards which turned out to be *slower* than the software openssl implementation running on a Geode 500 MHz because of that!

Some high-end very expensive cards will perform very well but will somewhat offset the advantage of a cheap machine with cheap software!

Regards,
Willy

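Added example, not haproxy's code or anything from the thread: a minimal Python sketch of the L7 MySQL routing Mathew asks about, classifying each client packet by statement and showing the handshake problem Willy raises (a connection's first packets belong to authentication, not to a query, so they must reach one backend before any routing decision is possible). The packet framing (3-byte little-endian length, 1-byte sequence id) and COM_QUERY = 0x03 follow the MySQL client/server protocol; the backend names, the transaction handling and the sample bytes are constructed for illustration.

```python
COM_QUERY = 0x03
READ_ONLY_PREFIXES = ("SELECT", "SHOW", "DESCRIBE", "DESC", "EXPLAIN")
MASTER_ONLY_MARKERS = ("FOR UPDATE", "LOCK IN SHARE MODE")

def split_packets(buf):
    """Yield (sequence_id, payload) per complete MySQL packet:
    3-byte little-endian length, 1-byte sequence id, payload."""
    off = 0
    while off + 4 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "little")
        payload = buf[off + 4:off + 4 + length]
        if len(payload) < length:   # truncated: wait for more bytes
            break
        yield buf[off + 3], payload
        off += 4 + length

class MySQLRouter:
    def __init__(self):
        self.in_transaction = False   # constructed per-connection state

    def route(self, seq, payload):
        # Handshake packets continue the server greeting's sequence (seq >= 1);
        # commands after authentication restart at seq 0. Until then there is no
        # statement to inspect, so the packet goes to the session-owning backend.
        if seq != 0 or not payload or payload[0] != COM_QUERY:
            return "master"
        sql = " ".join(payload[1:].decode("utf-8", "replace").upper().split())
        if sql.startswith(("BEGIN", "START TRANSACTION")):
            self.in_transaction = True
        elif sql.startswith(("COMMIT", "ROLLBACK")):
            self.in_transaction = False
        elif not self.in_transaction and sql.startswith(READ_ONLY_PREFIXES) \
                and not any(m in sql for m in MASTER_ONLY_MARKERS):
            return "slave"
        return "master"   # writes, transactions, locking reads, other commands

def pkt(seq, payload):
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def route_stream(buf):
    r = MySQLRouter()
    return [r.route(seq, p) for seq, p in split_packets(buf)]

# Constructed client stream: handshake response (seq 1), then commands at seq 0.
SAMPLE = (pkt(1, b"\x8d\xa6\x0f\x00" + b"\x00" * 28 + b"app\x00")
          + pkt(0, b"\x03SELECT id FROM users")
          + pkt(0, b"\x03START TRANSACTION")
          + pkt(0, b"\x03SELECT balance FROM accounts WHERE id=1 FOR UPDATE")
          + pkt(0, b"\x03UPDATE accounts SET balance=0 WHERE id=1")
          + pkt(0, b"\x03COMMIT")
          + pkt(0, b"\x03SELECT balance FROM accounts WHERE id=1"))
```

Multi-packet commands (payloads over 16 MB) and auth-switch exchanges are not handled here; a real proxy would also have to keep replication lag in mind before sending a read that follows a client's own write to a slave.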