We sometimes proxy to another DC across the Internet and haven't vetted HAProxy's SSL support thoroughly. So we're running Nginx to terminate SSL, then to HAProxy, then to an stunnel instance per backend server. To get keepalives working and increase the throughput of the solution we've worked a bit on the Nginx config and put HAProxy into tunnel mode. We don't rewrite any headers or anything of that nature at the HAProxy link of this chain, so we don't need anything more. With proxying through all that, our page load times are basically indistinguishable from hitting a server directly unless it goes to the far data center. All the coordination is handled by a Puppet module so the complexity isn't that scary.
If Linkerd-tcp can top that or even come close with all the automation and integration in its ecosystem, though, it's a definite reason to take a hard look at it. Getting the Prometheus and Graphana output really simply is a great benefit.
If Linkerd-tcp can top that or even come close with all the automation and integration in its ecosystem, though, it's a definite reason to take a hard look at it. Getting the Prometheus and Graphana output really simply is a great benefit.