I'm trying to figure out how to set up my architecture for a socket.io app that will require both https and wss connections. I've found many tutorials on the web suggesting that you use something like stud or stunnel in front of haproxy, which then routes your unencrypted traffic to your app. If I were to go this route, is it suggested that haproxy and the ssl terminator be on separate instances, or is it fine if they are on the same EC2 server instance?

If I do not want to use a separate ssl terminator, could I use haproxy to terminate the ssl? Or instead would it be possible to proxy these https and wss connections to my application and have the node app terminate the ssl itself?

Justin Meltzer

2 Answers

Give a try to haproxy-1.5-dev12, it supports SSL offloading and will make your life easier :-)

quanta
Willy Tarreau
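A concrete configuration for the setup the answer recommends, added here as an illustration and not taken from the answer's author or the HAProxy project: HAProxy terminates TLS on port 443 itself, so neither stunnel nor the node app needs the private key, and WebSocket upgrades for socket.io are routed to the node backend. It assumes the released HAProxy 1.5 directive syntax, a PEM bundle at /etc/haproxy/certs/site.pem, and a node app listening on 127.0.0.1:3000; all three are assumptions, not values from the page.

```haproxy
# Added example (not from the answer or the HAProxy project).
# Assumed: HAProxy 1.5 syntax, cert+key bundle at /etc/haproxy/certs/site.pem,
# node/socket.io app on 127.0.0.1:3000.
global
    maxconn 20000

defaults
    mode http
    option forwardfor                # pass the client IP to the app as X-Forwarded-For
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    timeout tunnel  1h               # idle WebSocket tunnels outlive the plain HTTP timeouts

frontend www
    bind *:80
    # TLS is terminated here; no-sslv3 refuses the legacy protocol version
    bind *:443 ssl crt /etc/haproxy/certs/site.pem no-sslv3
    # send every plain-HTTP visitor to the TLS listener
    redirect scheme https code 301 if !{ ssl_fc }
    # tell the app it was reached over TLS so it emits wss:// rather than ws:// URLs
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    acl is_websocket hdr(Upgrade) -i websocket
    acl is_socketio  path_beg /socket.io
    use_backend socketio if is_websocket or is_socketio
    default_backend app

backend app
    server node1 127.0.0.1:3000 check

backend socketio
    # socket.io's long-polling fallback keeps per-client state on one node,
    # so pin each client to the same server
    balance source
    server node1 127.0.0.1:3000 check
```

With this in place the node process only ever sees plain HTTP and WebSocket traffic on localhost, which also answers the last part of the question: the app does not have to terminate TLS itself, and the certificate material stays on the proxy host.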
The last I checked, haproxy still didn't have SSL termination as a feature. This is why you're seeing recommendations to put stunnel in front of it as a way to provide just that feature.

In my opinion, it's generally OK to host both stunnel and haproxy on the same system. Even EC2 micro instances can drive a good chunk of SSL traffic, and the larger instances are even better at it. You might run into some problems at high scale where the number of sockets that need to get opened to forward all this traffic around might run into limits, but that's kind of a nice problem to have.

I do know of one SSL-enabled load-balancer, and that's Pound. Not nearly as featured as HAproxy, but if all you need is SSL-termination and some back-end servers it's good enough. Chances are you'll have to build your own packages though, so that might rule it out.

sysadmin1138

  • Yes haproxy supports SSL termination since 1.5-dev12, which greatly simplifies SSL termination and session sharing. – Willy Tarreau Sep 13 '12 at 07:04
  • For performance reasons it makes more sense to run them both on the same machine. But why not use something which provides both HA and SSL; I'm thinking specifically of Apache Traffic Server, which *also* gives you HTTP caching – symcbean Sep 13 '12 at 15:32