HAProxy is one of the candidates to replace ats-tls as the TLS terminator used in the WMF caching infrastructure. To fully validate its performance and stability, a real traffic test is needed.
To be able to perform this test, several requirements need to be fulfilled:
[x] Provide haproxy as TLS terminator puppet support
- [x] Add systemd::service support for current HAProxy basic puppetization - https://gerrit.wikimedia.org/r/c/operations/puppet/+/715742 https://gerrit.wikimedia.org/r/c/operations/puppet/+/719044
- [x] Basic TLS termination (RSA+ECDSA) support for a UDS backend service - https://gerrit.wikimedia.org/r/c/operations/puppet/+/715932/
- [x] TLS configuration: protocol versions, ciphersuites and ECDH curves used - https://gerrit.wikimedia.org/r/c/operations/puppet/+/716000/
- [x] TLS session cache https://gerrit.wikimedia.org/r/c/operations/puppet/+/716224
- [x] OCSP stapling from prefetched OCSP responses - https://gerrit.wikimedia.org/r/c/operations/software/acme-chief/+/717167/ https://gerrit.wikimedia.org/r/c/operations/puppet/+/719471/2
- [x] Timeout configuration support: TLS handshake timeout, connect timeout (frontend and backend), TTFB timeout, idle timeout https://gerrit.wikimedia.org/r/c/operations/puppet/+/719479
- [x] HTTP/2 tuning support https://gerrit.wikimedia.org/r/c/operations/puppet/+/719974
- [x] PROXY protocol support - https://gerrit.wikimedia.org/r/c/operations/puppet/+/720021/
- [x] Report X-Client-IP, X-Client-Port, X-Forwarded-For, X-Connection-Properties and X-Analytics-TLS headers to varnish https://gerrit.wikimedia.org/r/c/operations/puppet/+/720274
- [x] Websockets support
[x] Test haproxy in Traffic WCMS environment
[x] Test haproxy in ulsfo
- Currently running on:
  - cp4026 (upload)
  - cp4032 (text)
[x] Test haproxy in eqsin
- Currently running on:
  - cp5006 (upload)
  - cp5012 (text)
[ ] Test haproxy in esams
- Currently running on cp3065 (upload)
[ ] Test haproxy in codfw
- Currently running on cp2042 (upload)
[ ] Test haproxy in eqiad
- Currently running on cp1090 (upload)