So, I've read the archives and looked at the architecture document, but
I have a question about SSL implementation. From what I understand, the
suggested method of implementing SSL is as follows:
The problem here is that this puts all of the SSL load on the load balancer. Could someone tell me why it's not possible to do the following:

    listen web 0.0.0.0:80
        balance roundrobin
        cookie SERVERID insert nocache indirect
        server web_1 [etc.]
        server web_2 [etc.]

    listen webssl 0.0.0.0:443
        mode tcp
        balance roundrobin
        cookie ServerID insert nocache indirect
        server web_1 [etc.]
        server web_2 [etc.]

2) Run stunnel on the individual web servers
I actually tried this and I found that haproxy would no longer stick the user to a particular server if they moved between HTTP and HTTPS. We allow users to use either HTTP or HTTPS, but we enforce HTTPS on sensitive pages. Is it possible to get the above working the way I'd like it to, that is, to allow the web servers to do their own SSL work?

Michael

Received on 2007/11/17 12:28