← Back to context

Comment by slink_vinyl

7 days ago

because the topic keeps coming up, I now wrote the tutorial which we should have had years ago: https://vinyl-cache.org/tutorials/tls_haproxy.html

12 comments

slink_vinyl

Reply
time4tea  6 days ago

Thanks for this. You dont mention hitch though. Is that now deprecated/discouraged?

It hasn't seen much action in a while, but maybe thats cos it works?

  • perbu  5 days ago

    fwiw; Varnish Software still maintains and supports hitch, but we can't say we see a bright future for it. Both the ergonomics and the performance of not being integrated into Varnish are pretty bad. It was the crutch we leaned as it was the best thing we could make available.

    I would recommend migrating off within a year or two.

    • slink_vinyl  5 days ago

      To claim "the ergonomics and the performance of not being integrated into Varnish are pretty bad" you would need to show some numbers. In my view, https://vinyl-cache.org/tutorials/tls_haproxy.html debunks the "ergonomics are bad" argument, because using TLS backends is literally no different than using non-TLS. On performance, the fundamentals have already been laid out in https://vinyl-cache.org/docs/trunk/phk/ssl.html - crypto being so expensive, that the additional I/O to copy in and out another process makes no difference.

      But, again, if you have numbers, show them.

      1 reply →

    • time4tea  5 days ago

      Thanks for the info, but I'm a bit confused, sorry.

      The reason for hitch was that tls and caching are a different concern, and the current recommendation is to use haproxy, which also isnt integrated into varnish/vinyl.

      But you say that the reason to migrate off hitch is that its not integrated?

      But what happend to separation of concerns, then? Is the plan to integrate tls termination into vinyl? Is this a change of policy/outlook?

      Thanks!

      5 replies →

  • slink_vinyl  5 days ago

    haproxy supports both the offload (client) and onload (backend) use case. This is the main reason for why I personally prefer it. I can not comment on how well hitch works in comparison, because I have not used it for years.