HAProxy for MultTenant application


#1

In a MultiTenanat application I would like to have the possibility to configure HAProxy at run time adding (and removing) HTTPS Frontend ports (one per Tenant) with different IPAddrress and URL/Domain .
Each front end port will communicate with two backend ports with two Httpd/Apache internal instances (for load balancing) shared among all Tenants.
I should give (dynamically adn automatically from an internal PKI system) a different X.509 certificate to each front end port, so each front end port will use its own certificate for HTTPS. Of course, in order to manage dynamic creation/deletion of Tenants, I need to reconfigure HAProxy (creating new port and providing new certificates for each ) in hitless way.
What do you think about this configuration.? Do you see it as feasible? Any impediment or limitation? Problems to manage tens of Tenants (frontend) ?


#2

Should work.

You can gracefully reload haproxy, that works pretty well and in haproxy 1.8 there will even be real hitless reloading:


#3

Thanks a lot.
Do you think that te patched HAproxy will be able to manage properly (hitless) the creation of new frontendTLS connections using an automatically issued and distributed (by a service in the application )certificate? and the automatic renewal of a certificate for an existing TLS connection (Frontend and backend)?


#4

Well the configuration can change completely between reloads and yes, the reload in 1.8 can be completely hitless, still the reload in 1.7 and earlier is mostly hitless as well, expect for some race conditions in the linux kernel (meaning some failed connetions while reloading - if the site is very busy).

I’m not sure what you mean by “the creation of new frontendTLS connections using an automatically issued and distributed (by a service in the application )certificate”. If your application or provisioning stack updates the haproxy configuration file and then reloads haproxy, then I would say it is possible.