Re: Forwarding SSL connections - forwardfor information is missing

From: Willy Tarreau <w#1wt.eu>
Date: Thu, 1 Nov 2007 11:32:31 +0100


Hi Jan,

On Thu, Nov 01, 2007 at 10:39:46AM +0100, Jan Miczaika wrote:
> Hi Willy,
>
> thanks for your feedback. Terminating the SSL connection on the load
> balancer puts all of the SSL decoding work on the load balancer. This
> can take up CPU time very quickly.

Oh yes, I'm well aware of this problem. It's a setup that I really recommend against when people are seeking scalability. The worst solution is the hardware load balancer, since when it's saturated you cannot even upgrade its CPU.

> And since only one SSL termination
> point can be running at any time, we can't scale it linearly by adding
> pizza boxes. As you described, distributing the work doesn't work.
>
> It seems like we're stuck between a rock, a hard place, and a dedicated
> SSL decrypter ;-)

If you're free to patch your kernel, then you can apply the cttproxy patch (found on balabit.com), and build haproxy with CTTPROXY support. Haproxy will then be able to connect to your SSL servers from the client's IP address by asking the kernel to perform the required address translation. The two downsides are:

For both reasons, some people prefer to set it up on their firewall because it already does the conntrack and already is the default gateway. Warning: if you do this, the only supported cttproxy version right now is 2.x (2.0.6 IIRC). There is a new branch on the site, which I've not tried yet.

Good luck,
Willy

Received on 2007/11/01 11:32
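As an added illustration of the setup Willy describes (this is not configuration from the mail or from the haproxy project), the fragment below assumes haproxy built with CTTPROXY support on a kernel carrying the cttproxy patch, and that the backend servers route their replies back through the haproxy host; server names and addresses are placeholders.

```haproxy
# Added example, not from the original mail. Assumes haproxy built with
# CTTPROXY support on a cttproxy-patched kernel, and backends that route
# their return traffic via this host (e.g. it is their default gateway).
# All addresses and server names are placeholders.

global
    daemon
    maxconn 4096

defaults
    mode tcp
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# SSL is passed through untouched: no decryption happens on the load
# balancer (no CPU cost here), but that also means no HTTP header such as
# X-Forwarded-For can be inserted. Instead, the outgoing connection is
# bound to the client's own IP address through the kernel's transparent
# proxy support, so the backend sees the real client address at TCP level.
listen https_passthrough
    bind 0.0.0.0:443
    balance roundrobin
    source 0.0.0.0 usesrc clientip
    server ssl1 192.0.2.11:443 check
    server ssl2 192.0.2.12:443 check

# Plain HTTP traffic, where the load balancer can read and modify headers,
# still gets the client address via X-Forwarded-For the ordinary way.
listen http_plain
    bind 0.0.0.0:80
    mode http
    option forwardfor
    balance roundrobin
    server web1 192.0.2.11:80 check
    server web2 192.0.2.12:80 check
```

Because the backend's reply is addressed to the client's IP, it must pass back through the haproxy host for the kernel to rewrite it, which is why the mail suggests running this on the firewall that is already the default gateway.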
