undefined | Better HN

0 pointstime4tea2mo ago0 comments

Thanks for this. You dont mention hitch though. Is that now deprecated/discouraged?

It hasn't seen much action in a while, but maybe thats cos it works?

0 comments

8 comments · 2 top-level

perbu2mo ago· 6 in thread

fwiw; Varnish Software still maintains and supports hitch, but we can't say we see a bright future for it. Both the ergonomics and the performance of not being integrated into Varnish are pretty bad. It was the crutch we leaned as it was the best thing we could make available.

I would recommend migrating off within a year or two.

slink_vinyl2mo ago

To claim "the ergonomics and the performance of not being integrated into Varnish are pretty bad" you would need to show some numbers. In my view, https://vinyl-cache.org/tutorials/tls_haproxy.html debunks the "ergonomics are bad" argument, because using TLS backends is literally no different than using non-TLS. On performance, the fundamentals have already been laid out in https://vinyl-cache.org/docs/trunk/phk/ssl.html - crypto being so expensive, that the additional I/O to copy in and out another process makes no difference.

But, again, if you have numbers, show them.

perbu2mo ago

We've been pushing 1.5Tbps with TLS in lab settings. I've yet to see any other HTTP product being able to saturate these kind of networking. There is lots to be said about threading, but it is able to push a lot bandwidth.

And yes, I think the ergonomics are bad. Having varnish lose visibility into the transport means ACLs are gone, JA3 and similar are gone and the opportunity to defend from DoS are much more limited.

Crypto used to be expensive in 2010. It is no longer that expensive. All the serialization, on the other hand, that is expensive and latency is adding up.

Every single HTTP server in use out there has TLS support. The users expectation is that the HTTP server can deal with TLS.

time4teaOP2mo ago

Thanks for the info, but I'm a bit confused, sorry.

The reason for hitch was that tls and caching are a different concern, and the current recommendation is to use haproxy, which also isnt integrated into varnish/vinyl.

But you say that the reason to migrate off hitch is that its not integrated?

But what happend to separation of concerns, then? Is the plan to integrate tls termination into vinyl? Is this a change of policy/outlook?

Thanks!

perbu2mo ago

Varnish Software released hitch to facilitate TLS for varnish-cache.

Now that Varnish has been renamed, Varnish Software will keep what has been referred to as a downstream version or a fork, which has TLS built in, basically taking the TLS support from Varnish Enterprise.

This makes Hitch a moot point. So, I assume it'll receive security updates, but not much more.

Wrt. separation of concerns. Varnish with in-core TLS can push terabits per second (synthetic load, but still). Sure, for my blog, that isn't gonna matter, but having a single component to run/update is still valuable.

In particular using hitch/haproxy/nginx for backend is cumbersome.

TLS is a primary concern on the internet today.

1 more reply

slink_vinyl2mo ago

So because perbu was clearly talking with his varnish software hat on, here's the perspective from someone working on Vinyl Cache FOSS only:

I already commented on the separation of concerns in the tutorial, and the unpublished project which one person from uplex is working on full time will have the key store in a separate process. You might want to read the intro of the tutorial if you have not done so.

But the main reason for why the new project will be integrating TLS more deeply has not been mentioned: It is HTTP/3, or rather QUIC. More on that later this year.

time4teaOP2mo ago

I initially read this as "we" being "Varnish Software", but maybe that was wrong.

slink_vinyl2mo ago

haproxy supports both the offload (client) and onload (backend) use case. This is the main reason for why I personally prefer it. I can not comment on how well hitch works in comparison, because I have not used it for years.

j / k navigate · click thread line to collapse

0 comments

8 comments · 2 top-level

perbu2mo ago· 6 in thread

I would recommend migrating off within a year or two.

slink_vinyl2mo ago

But, again, if you have numbers, show them.

perbu2mo ago

And yes, I think the ergonomics are bad. Having varnish lose visibility into the transport means ACLs are gone, JA3 and similar are gone and the opportunity to defend from DoS are much more limited.

Crypto used to be expensive in 2010. It is no longer that expensive. All the serialization, on the other hand, that is expensive and latency is adding up.

Every single HTTP server in use out there has TLS support. The users expectation is that the HTTP server can deal with TLS.

time4teaOP2mo ago

Thanks for the info, but I'm a bit confused, sorry.

The reason for hitch was that tls and caching are a different concern, and the current recommendation is to use haproxy, which also isnt integrated into varnish/vinyl.

But you say that the reason to migrate off hitch is that its not integrated?

But what happend to separation of concerns, then? Is the plan to integrate tls termination into vinyl? Is this a change of policy/outlook?

Thanks!

perbu2mo ago

Varnish Software released hitch to facilitate TLS for varnish-cache.

This makes Hitch a moot point. So, I assume it'll receive security updates, but not much more.

In particular using hitch/haproxy/nginx for backend is cumbersome.

TLS is a primary concern on the internet today.

1 more reply

slink_vinyl2mo ago

So because perbu was clearly talking with his varnish software hat on, here's the perspective from someone working on Vinyl Cache FOSS only:

But the main reason for why the new project will be integrating TLS more deeply has not been mentioned: It is HTTP/3, or rather QUIC. More on that later this year.

time4teaOP2mo ago

I initially read this as "we" being "Varnish Software", but maybe that was wrong.

slink_vinyl2mo ago

j / k navigate · click thread line to collapse