
Nginx is primary for SSL termination and static assets. At the time we set up our infrastructure, I don't believe HAProxy supported SSL termination. According to Willy Tarreau's comment to the first answer of this question (http://serverfault.com/questions/426919/should-i-use-an-ssl-...) it was added in the same release as the patch I mentioned, coincidentally.



Why not let ELB handle SSL termination and load balancing (ignoring the fact that HAproxy can delay connections by 15 seconds)?


Due to the fact that we process credit card payments and thus fall under PCI scope, we have to adhere to the PCI DSS (data security standard). There's a "quick" summary of it here https://www.pcisecuritystandards.org/documents/pci_ssc_quick... , and section 4.1 in particular specifies that we have to secure cardholder data all the way to our servers -- Amazon's ELB doesn't quite count.


I believe Amazon is PCI compliant now? Would that change things?


Amazon being PCI-compliant was a requirement for us using them in the first place :) We could have possibly made a case for their PCI-compliance obviating the need for us to do our own SSL termination, but that could have gone either way, depending on our PCI audits.

Using Nginx also lets us do fun stuff with routing using Nginx's Lua integration, which we may end up writing about in the future as well.


OK then why HAProxy? Why not just let nginx do the load balancing? (Obviously you have a reason now if you plan to use the method in the blog post again, but what about before?)


I use nginx + haproxy and use haproxy for the load balancing piece, too. haproxy simply has much more visibility into the queue. I'm not aware of anything built into nginx that is as robust as the logging and stats page from haproxy. This makes horizontal scaling decisions infinitely easier.


I see... Do you run nginx and haproxy on the same box?


Yes.


The 1.5 branch of Haproxy supports SSL termination, and it works quite well.



