CRL reload and long-lived TCP connections

Hi,

I have to use HAProxy to enforce TLS encryption on an application flow.

I use the following features:

  • Multiple server certificates
  • Client certificate verification
  • CRL checking

The application flow implies long-lived TCP connections, and as a consequence we have to avoid restarting or reloading the configuration. Indeed, as a reload keeps current connections attached to the original process, it will result in a multiplication of HAProxy instances.

It’s especially true with the CRL refresh that I have to do periodically. Is there work in progress to add hot reload of the CRL file?
For example, using a Unix socket command, like the one to set a new maxconn, it could allow these new data to be used for new connections…

Another approach would be to deal with long-term connections during reload, but I haven’t found relevant resources; only high availability seems to be handled.

Does anyone have similar needs or maybe solutions?

Regards

I am also trying to understand the CRL capabilities in HAProxy. Specifically, we are running HAProxy in a container and are refreshing the CRL data source outside of the container several times a day. We support around 30 different certificate issuers, all of whom re-issue their CRLs on various schedules, and with varied frequency.

Some specific questions I have:

  1. Has anyone solved the hot-reloading issue?

  2. If a reload of HAProxy is required, is there a preferred approach (like a master HAProxy process that does no CRL verification and lives for a long time, and that offloads to n child processes that can come and go)?

  3. Is there a limit to the size of a single CRL file? Apache supports using an entire directory of CRL files (via SSLCARevocationPath), which comes into play for us. Several of the CRL files we support (issued by the US Government) are many MB in size. A combined CRL file often reaches 300+ MB. nginx has been ruled out for us because of this exact issue (it can’t handle large CRL files and doesn’t support the directory approach).

I would also need to reload my CRL file, as it changes from time to time (client certs are verified). It is not clear whether CRL hot reload is supported or not (not documented, not listed in the admin interface help, etc.). Please help.

Background: I am currently using corosync + pacemaker to maintain a streaming site. Long (actually very long, can last for hours) TCP connections are coming in (RTMP streams for live streaming). When haproxy is reloaded using the crm shell, RTMP connections are torn down, which is causing a big problem. I am using haproxy 2.2.5 with master-worker config.

Did you resolve this problem?

We have the same issue with hot-reloading.