haproxy.md

\o/ ... for HAProxy. Recent patches to make TLS faster:

• MINOR: ssl: add DEFAULT_SSL_MAX_RECORD to set the record size at build time
• MINOR: config: make the stream interface idle timer user-configurable
• MEDIUM: stream-int: automatically disable CF_STREAMER flags after idle
• MINOR: channel: add the date of last read in the channel
• OPTIM: ssl: implement dynamic record size adjustment
• MINOR: ssl: handshake optim for long certificate chains.

Last patch is for 4KB+ certs. Remaining patches implement dynamic record sizing.

• Default size is still 16K, but HAProxy can be built with DEFAULT_SSL_MAX_RECORD to reset that at build time.
• Record size can be changed via a config flag: tune.ssl.maxrecord
• Idle timeout controls how long the connection must be idle before record size is reset - defaults to 1000ms, can be controlled via tune.idletimer.

TL;DR: Checkout latest code, build it, and set your tune.ssl.maxrecord and tune.idletimer config flags.

tls.conf

defaults
  log 127.0.0.1 local0

global
  # lower your record size to improve Time to First Byte (TTFB)
  tune.ssl.maxrecord 1400

  # set inactivity timeout to reset record size (in ms)
  tune.idletimer 1000

# terminate TLS connections & forward connections to http_cluster
frontend secure
  mode tcp

  # advertise http/1.1 over NPN to enable TLS False Start!
  bind :443 ssl crt /path/to/cert.pem npn http/1.1,spdy/3.1

  use_backend spdy_cluster if { ssl_fc_npn -i spdy/3.1 }
  default_backend http_cluster

backend spdy_cluster
  server srv01 127.0.0.1:449

backend http_cluster
  mode http
  server srv01 127.0.0.1:81

Customer questionnaire came through today enquiring about "TLS record framing optimization for low latency"
I'm responding with default size of 16kb currently, but any thoughts about this moving forward?