💾 Archived View for tilde.pink › ~maria › log › 2021-08-02_haproxy_the_saviour.gmi captured on 2022-03-01 at 15:31:14. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-12-03)

➡️ Next capture (2023-01-29)

-=-=-=-=-=-=-

HAProxy, the saviour

Due to sickness (my child and me) I couldn't fix a huge issue that caused my capsule to die last week. I was down for 5 days. The reason is simple: overcommitment.

I brought my new lisp server online, all proud and everything. It being on a vps that was faster than my rpi3 caused the network stream to be empty while openssl was still handshaking and everything. On my pi openssl seemed to receive a lot more cpu love. Somehow all data was always there. In addition to that, I forgot to add the correct keyUsage to my ssl certificates. That lead to more issues on client side, causing me to regenerate dozens and dozens of certs for no reason whatsoever.

I'll still have to recreate my certs once more. Because I need to rethink my authentication scheme.

Right now I have this:


   HAProxy                  backend:
   tcp mode          ---->  LISP server
   terminates ssl           127.0.0.1

This means I don't have to do any SSL handling in my backend anymore, but it also means I'll have issues touching SHA1 of the client cert. And technically HAProxy is fully capable of giving me the SHA1. No problem. It can also verify the client cert against my own self-host certification authority (enough for editing a website). Injecting a SHA1 into a TCP stream is tricky, but even worse is making certain you're not hitting the 2000 character limit for queries.

Additional thoughts on everything interactive

Lately I've been thinking a lot about http and what makes it so bleh for me. I think it's the general development that only half of the stuff you find revolves around distributing media (yes I consider videos and images content, that kinda belongs to into http world). The remaining half (definitely not traffic-wise though) is an interface to something else. Part of these interfaces do make sense, because they have a media content that can be looked at or generated.

And then there is the ridiculous stuff that you find there. Here is an unsorted list that isn't complete, but should give you an idea what I mean:

And with this in mind I keep wondering whether I even _need_ a client cert authentication (apart from verifying it against my authority) per user. What do I want to offer, that makes any sense? A MU*? Why? There's telnet/secure-telnet. A chat? There's irc and others. What I should offer is media content for people to consume, and even there I can avoid comments by allowing people to leave a backlink. Removing all the clutter, all the things that provide a visual layer onto something that doesn't need to be on gemini (you can probably just clone a git repo and browse the files if my index is good enough and I give you instructions how to clone), I don't think per client authentication still has that much use. And those few that find it useful, they can still implement it, right?

Thoughts on interactive content are always welcome!