Info - HAProxy vulnerability

We are still using haproxy 1.5.X in some older setups/stacks, because I never found an easy guide or wanted to spend the hours on how to reconfigure the completely changed sticky session support in haproxy 1.6 and later.

This vulnerability is only patched in 2.x versions of haproxy, is that because it isn't present in haproxy 1.X?

For newer (Plone 5>) projects we exclusively use the load balancing features of Varnish as it will also enable reliable functioning of Varnish backend health probes, which is again very helpful for grace/saint mode support in Varnish (i.e. serving stale pages from cache when the backend is down temporarily).

At the end of my backlog is still a task to look at implementing sticky sessions in Varnish based on some documentation on the varnish-cache.org website blog from 4-5 years ago. But I do wonder if sticky sessions still bring any measurable benefits.
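As an added illustration of the Varnish-side setup described above (not configuration from the post or from the Plone project), here is a VCL 4.1 fragment for Varnish 6.x: probed Plone backends behind a round-robin director, with grace tuned so stale pages are served while the probes report the backends sick. Hosts, ports, probe path and timings are assumed values.

```vcl
vcl 4.1;
import directors;
import std;

# Health probe shared by all backends (assumed path and timings;
# a cheap static view would be preferable to "/").
probe plone_probe {
    .url = "/";
    .timeout = 2s;
    .interval = 5s;
    .window = 5;
    .threshold = 3;
}

# Two Zope instances (assumed addresses)
backend plone1 {
    .host = "127.0.0.1";
    .port = "8081";
    .probe = plone_probe;
}

backend plone2 {
    .host = "127.0.0.1";
    .port = "8082";
    .probe = plone_probe;
}

sub vcl_init {
    # Round-robin director; backends the probe marks sick are skipped
    new plone = directors.round_robin();
    plone.add_backend(plone1);
    plone.add_backend(plone2);
}

sub vcl_recv {
    set req.backend_hint = plone.backend();
    # Healthy backend: allow at most 10s of staleness while Varnish
    # refetches in the background. Sick backend: no cap, so the full
    # beresp.grace below applies and stale pages keep being served.
    if (std.healthy(req.backend_hint)) {
        set req.grace = 10s;
    }
}

sub vcl_backend_response {
    # Keep objects 6h past their TTL so they survive a backend outage
    set beresp.grace = 6h;
}
```

Probe state per backend can be inspected with `varnishadm backend.list`.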

In my experience, older Plones (<5) benefit. With an All-Dexterity 5.2 or 6 (like with RelStorage - but probably ZEO too) I do not see many benefits.

For large clusters (like 20 instances or more) segmentation into two parts (i.e. by domain), a big one for anon access and a smaller one for editors, still makes sense. OTOH there are many better segmentation dividers depending on the use case, like by country / by organisational division / by role, ...
