new | ask | show | jobs
geocar 2 days ago  [ - ]

> for setups requiring this behavior?

TLS terminating at your edge (which is presumably where the IP addresses attach) isn't any particular risk in a world of letsencrypt where an attacker (who gained access to that box) could simply request a new SSL certificate, so you might as well do it yourself and move on with life.

Also: I've been unable to reproduce performance and reliability claims of quic. I keep trying a couple times a year to see if anything's gotten better, but I mostly leave it disabled for monetary reasons.

> This approach works well when implementing a failover mechanism: if the default path to a server goes down...

I'm not sure I agree: DNS can take minutes for updates to be reflected, and dumb clients (like web browsers) don't failover.

So I use an onerror handler to load the second path. When my ad tracking that looks something like this:

    <img src=patha.domain1?tracking
      onerror="this.src='pathb.domain2?tracking';this.onerror=function(){}">
but with the more complex APIs, fetch() is wrapped up similarly in the APIs I deliver to users. This works much better than anything else I've tried.
dgl a day ago  [ - ]

> […] isn't any particular risk in a world of letsencrypt where an attacker (who gained access to that box) could simply request a new SSL certificate

You can use CAA records with validationmethods and accounturi to limit issuance, so simply access to the machine isn’t enough. (E.g. using dns and an account stored on a different machine.)