undefined | Better HN

0 pointstime4tea29d ago0 comments

just use the tool that does the job.

TLS in -> hitch or caddy Cache -> varnish/vinyl TLS out -> haproxy

Connect them up with Unix sockets, if you like.

0 comments

because the topic keeps coming up, I now wrote the tutorial which we should have had years ago: https://vinyl-cache.org/tutorials/tls_haproxy.html

time4teaOP28d ago

Thanks for this. You dont mention hitch though. Is that now deprecated/discouraged?

It hasn't seen much action in a while, but maybe thats cos it works?

perbu28d ago

fwiw; Varnish Software still maintains and supports hitch, but we can't say we see a bright future for it. Both the ergonomics and the performance of not being integrated into Varnish are pretty bad. It was the crutch we leaned as it was the best thing we could make available.

I would recommend migrating off within a year or two.

slink_vinyl27d ago

To claim "the ergonomics and the performance of not being integrated into Varnish are pretty bad" you would need to show some numbers. In my view, https://vinyl-cache.org/tutorials/tls_haproxy.html debunks the "ergonomics are bad" argument, because using TLS backends is literally no different than using non-TLS. On performance, the fundamentals have already been laid out in https://vinyl-cache.org/docs/trunk/phk/ssl.html - crypto being so expensive, that the additional I/O to copy in and out another process makes no difference.

But, again, if you have numbers, show them.

1 more reply

time4teaOP28d ago

Thanks for the info, but I'm a bit confused, sorry.

The reason for hitch was that tls and caching are a different concern, and the current recommendation is to use haproxy, which also isnt integrated into varnish/vinyl.

But you say that the reason to migrate off hitch is that its not integrated?

But what happend to separation of concerns, then? Is the plan to integrate tls termination into vinyl? Is this a change of policy/outlook?

Thanks!

2 more replies

time4teaOP27d ago

I initially read this as "we" being "Varnish Software", but maybe that was wrong.

slink_vinyl27d ago

haproxy supports both the offload (client) and onload (backend) use case. This is the main reason for why I personally prefer it. I can not comment on how well hitch works in comparison, because I have not used it for years.

perbu28d ago

in my experience this has a lot more moving parts than it should.

j / k navigate · click thread line to collapse

0 comments

slink_vinyl29d ago

because the topic keeps coming up, I now wrote the tutorial which we should have had years ago: https://vinyl-cache.org/tutorials/tls_haproxy.html

time4teaOP28d ago

Thanks for this. You dont mention hitch though. Is that now deprecated/discouraged?

It hasn't seen much action in a while, but maybe thats cos it works?

perbu28d ago

I would recommend migrating off within a year or two.

slink_vinyl27d ago

But, again, if you have numbers, show them.

1 more reply

time4teaOP28d ago

Thanks for the info, but I'm a bit confused, sorry.

The reason for hitch was that tls and caching are a different concern, and the current recommendation is to use haproxy, which also isnt integrated into varnish/vinyl.

But you say that the reason to migrate off hitch is that its not integrated?

But what happend to separation of concerns, then? Is the plan to integrate tls termination into vinyl? Is this a change of policy/outlook?

Thanks!

2 more replies

time4teaOP27d ago

I initially read this as "we" being "Varnish Software", but maybe that was wrong.

slink_vinyl27d ago

perbu28d ago

in my experience this has a lot more moving parts than it should.

j / k navigate · click thread line to collapse