💾 Archived View for tilde.pink › ~maria › log › 2021-08-02_haproxy_the_saviour.gmi captured on 2022-04-28 at 17:45:51. Gemini links have been rewritten to link to archived content
Due to sickness (my child's and my own) I couldn't fix a huge issue that caused my capsule to die last week. I was down for 5 days. The reason is simple: overcommitment.
I brought my new Lisp server online, all proud and everything. Because it ran on a VPS that was faster than my rpi3, the network stream came up empty while OpenSSL was still handshaking. On my Pi, OpenSSL seemed to receive a lot more CPU love, so somehow all the data was always there. On top of that, I forgot to add the correct keyUsage to my SSL certificates. That led to more issues on the client side, causing me to regenerate dozens and dozens of certs for no reason whatsoever.
I'll still have to recreate my certs once more, because I need to rethink my authentication scheme.
Right now I have this:
HAProxy backend: tcp mode ----> LISP server terminates ssl 127.0.0.1
This means I don't have to do any SSL handling in my backend anymore, but it also means I'll have trouble getting at the SHA1 fingerprint of the client cert. And technically HAProxy is fully capable of giving me the SHA1. No problem. It can also verify the client cert against my own self-hosted certificate authority (enough for editing a website). Injecting a SHA1 into a TCP stream is tricky, but even worse is making certain you're not hitting the 2000 character limit for queries.
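As an added example (not code from this capsule's Lisp server or from HAProxy), here is how a backend can sidestep the two pitfalls above: a request reader that treats an unfinished handshake as "not yet" rather than as an empty stream and accumulates bytes until CRLF, plus the SHA-1 fingerprint that HAProxy's ssl_c_sha1 fetch would report for the same certificate. ScriptedSocket is a constructed test double; the wait callback and the 1026-byte line limit (1024-byte URL plus CRLF, per the Gemini spec) are my assumptions.

```python
import hashlib
import select
import ssl

MAX_REQUEST_LINE = 1026  # Gemini: 1024-byte URL plus the trailing CRLF

def client_fingerprint(der_cert: bytes) -> str:
    """SHA-1 over the DER client cert, the value HAProxy's ssl_c_sha1 reports;
    der_cert is what ssock.getpeercert(binary_form=True) returns."""
    return hashlib.sha1(der_cert).hexdigest()

def read_request(conn, limit=MAX_REQUEST_LINE, wait=None):
    """Read one Gemini request line from a (possibly non-blocking) TLS socket.
    SSLWantReadError means the handshake or a record is still in flight: wait
    and retry, never treat it as an empty request. Bytes are accumulated until
    CRLF, so a fast VPS peer and a slow Pi behave the same."""
    wait = wait or (lambda c: select.select([c], [], [], 5.0))
    buf = b""
    while b"\r\n" not in buf:
        try:
            chunk = conn.recv(limit - len(buf))
        except ssl.SSLWantReadError:
            wait(conn)          # nothing readable yet; block, then retry
            continue
        if not chunk:           # b"" from recv() is a genuine EOF
            raise ConnectionError("peer closed before sending a request line")
        buf += chunk
        if len(buf) >= limit and b"\r\n" not in buf:
            raise ValueError("request line exceeds %d bytes" % limit)
    return buf.split(b"\r\n", 1)[0].decode("utf-8")

class ScriptedSocket:
    """Constructed test double for a TLS socket: replays scripted chunks and
    can raise SSLWantReadError on demand to mimic an unfinished handshake."""
    def __init__(self, events):
        self.events = list(events)

    def recv(self, n):
        event = self.events.pop(0)
        if isinstance(event, Exception):
            raise event
        data, rest = event[:n], event[n:]
        if rest:
            self.events.insert(0, rest)
        return data

def demo_slow_handshake():
    """Handshake still pending on the first read, then the line in two pieces."""
    sock = ScriptedSocket([ssl.SSLWantReadError(), b"gemini://tilde.pink/~maria/\r", b"\n"])
    return read_request(sock, wait=lambda c: None)
```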
Lately I've been thinking a lot about HTTP and what makes it so bleh for me. I think it's the general development that only half of the stuff you find revolves around distributing media (yes, I consider videos and images content; that kind of stuff belongs in the HTTP world). The remaining half (definitely not traffic-wise though) is an interface to something else. Some of these interfaces do make sense, because they have media content that can be looked at or generated.
And then there is the ridiculous stuff that you find there. Here is an unsorted list that isn't complete, but should give you an idea of what I mean:
And with this in mind I keep wondering whether I even _need_ client cert authentication per user (apart from verifying it against my authority). What do I want to offer that makes any sense? A MU*? Why? There's telnet/secure-telnet. A chat? There's IRC and others. What I should offer is media content for people to consume, and even there I can avoid comments by allowing people to leave a backlink. Once you remove all the clutter, all the things that provide a visual layer on top of something that doesn't need to be on Gemini (you can probably just clone a git repo and browse the files, if my index is good enough and I give you instructions on how to clone), I don't think per-client authentication has that much use left. And those few who find it useful can still implement it, right?
Thoughts on interactive content are always welcome!