One deep dive with haproxy and I have handed it complete control of all my certificates.

* One bind statement pointing at every cert file I own, and haproxy handles the TLS handshake for every host, picking the certificate by SNI
* It redirects plain http requests to https
* Because TLS terminates at the proxy, no webserver on the secured LAN needs its own https setup (the hop from haproxy to the backend is plain http, so that LAN really does have to be trusted)
* It allows incredibly flexible load balancing by host, port, url and so on
* It is easy to configure with TLS best practices, so every site behind it gets an A+ rating on SSL Labs at once

Unbelievable, I’m stunned.

Here’s all I needed to get ssl labs A+ ratings:


    global
        # MDM NO SSLv3!  Good ciphers!
        ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
        ssl-default-bind-ciphers AES128+EECDH:AES128+EDH

    frontend ....

        # MDM We need to provide an HSTS header to get A+ at ssllabs!
        # (hstspreload.org wants max-age >= 31536000 before it will preload a domain)
        http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload
        # Overwrite the header so a client-supplied value never reaches the backend;
        # reqadd only appended a second copy and was removed in haproxy 2.2.
        http-request set-header X-Forwarded-Proto https

Also needed this in wordpress wp-config.php, so that WordPress treats a request that reached haproxy over https as https (it only sees the plain http hop from the proxy, and would otherwise generate http:// links or loop on its own https redirect). The body sets `$_SERVER['HTTPS']`, which is what WordPress checks. This is only safe because haproxy overwrites X-Forwarded-Proto; never let a client-supplied copy of the header through to the backend:

    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
        $_SERVER['HTTPS'] = 'on';
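
For reference, here is a complete minimal haproxy configuration that ties the pieces above together: the global TLS defaults, a directory-based bind that picks certificates by SNI, the http-to-https redirect, the HSTS header, and an X-Forwarded-Proto that the backends (such as the WordPress instance above) can trust. This is an added example, not the post's own config; the hostnames blog.example.com and wiki.example.com, the backend addresses 10.0.0.11 and 10.0.0.12 and the certificate directory /etc/haproxy/certs/ are assumed placeholders, and the double-quoted header value needs haproxy 1.6 or later (1.5 needs the backslash-escaped form used above).

```haproxy
global
    # Assumed example config, not the post's own. These defaults apply to every
    # "bind ... ssl" below: no SSLv3, no session tickets, TLS 1.2 only.
    # (haproxy 1.8+ can use "ssl-min-ver TLSv1.2" instead of force-tlsv12.)
    ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
    ssl-default-bind-ciphers AES128+EECDH:AES128+EDH
    # AES128+EDH negotiates DHE; without this haproxy uses 1024-bit DH params.
    tune.ssl.default-dh-param 2048

defaults
    mode http
    option forwardfor          # adds X-Forwarded-For for the backends
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP: serve nothing here, just send every request to HTTPS.
frontend http_in
    bind *:80
    http-request redirect scheme https code 301 unless { ssl_fc }

# TLS terminates here. "crt <directory>" loads every .pem in it (private key
# and certificate chain concatenated) and selects one per handshake by SNI.
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/

    # HSTS. hstspreload.org currently requires max-age >= 31536000 (one year)
    # before it accepts a domain onto the preload list.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # set-header overwrites, so a client-supplied X-Forwarded-Proto can never
    # reach the backend; the application may then trust this value.
    http-request set-header X-Forwarded-Proto https

    # Route by Host header (ssl_fc_sni is also usable after termination).
    use_backend blog if { hdr(host) -i blog.example.com }
    use_backend wiki if { hdr(host) -i wiki.example.com }
    default_backend blog

# Backends speak plain HTTP on the secured LAN and need no TLS of their own.
backend blog
    server blog1 10.0.0.11:80 check

backend wiki
    server wiki1 10.0.0.12:80 check
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, then confirm the deployment from outside: `openssl s_client -connect blog.example.com:443 -servername blog.example.com` should show the per-host certificate picked by SNI, `openssl s_client -ssl3 ...` should be refused, and `curl -sI http://blog.example.com/` should return a 301 to the https URL.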

Update: add these awesome ones!

Goal: find the fastest possible C++ https library that can score an A on the SSLLabs test. Ties broken by ease of use, then by support for websockets.

Initial results (see wiki for latest…):

| Library | SSL Labs grade | Ease of use | Websockets | Notes |
|---|---|---|---|---|
| apache | A | 3 | N | need to write a module; apache remains in charge of the message loop (unacceptable) |
| libwebsockets | | 7 | Y | |
| proxygen | | 7 | | only easy to build on ubuntu so hasn't been stood up on my gentoo server yet; huge kitchen sink of helpers |
| Simple-Web-Server | B | 10 | Y | websockets in a separate compatible project; may be able to leverage asio to improve score (capped by RC4); no forward secrecy |
| websocketpp | | | | uses asio; specifies a "modern" mode that only allows TLS 1.2 |
| mongoose | | 3 | | messy ton of hand-crafted portability C code scared me off |
| onion | | | | looks like a strong C lib |
| libmicrohttpd | | | | GNU C lib, not sure it supports modern algos, check score… |