Hi Michael,
On Sam 17.11.2007 03:28, Michael Nguyen wrote:
> So, I've read the archives and looked at the architecture document,
> but I have a question about SSL implementation. From what I
> understand, the suggested method of implementing SSL is as follows:
>
> - Set up an haproxy load balancer
> - Run stunnel on the haproxy load balancer for SSL
> - Have the web servers themselves run all clear-text HTTP
>
> The problem here is that this puts all of the SSL load on the load
> balancer.
Yep.
You can try to add a HW-Crypto card to reduce the load for the main CPU.
> Could someone tell me why it's not possible to do the following:
>
> 1) Set up haproxy to proxy both 80 and 443
>
> listen web 0.0.0.0:80
> balance roundrobin
> cookie SERVERID insert nocache indirect
^^^^^^^^
> server web_1 [etc.]
> server web_2 [etc.]
>
^^^^^^^^ CASESENSITIVE!
> server web_1 [etc.]
> server web_2 [etc.]
Due to the fact that haproxy doesn't handle the SSL handshake, at the moment, and it doesn't see the HTTP headers.
What you can try is:
balance source
> 2) Run stunnel on the individual web servers
>
> I actually tried this and I found that haproxy would no longer stick
> the user to a particular server if they moved between HTTP and HTTPS.
> We allow users to use either HTTP or HTTPS, but we enforce HTTPS on
> sensitive pages. Is it possible to get the above working the way I'd
> like it to, that is, to allow the web servers to do their own SSL
> work?
Not yet, afaik.
Cheers
Aleks

Received on 2007/11/17 15:02
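A sketch of the `balance source` suggestion applied to both listeners, as an added example that is not part of the original message. The server addresses (192.0.2.11 and 192.0.2.12), the `web_ssl` section name and the `check` options are constructed, and it assumes both sections list the same servers in the same order so the source-IP hash has the same set to choose from.

```haproxy
# Added example, not from the original thread.
# Addresses and the "web_ssl" name are constructed placeholders.

# Plain HTTP: haproxy parses the request here, but a cookie inserted on
# port 80 could not be read on the pass-through 443 listener below, so
# persistence is keyed on the client source address instead.
listen web 0.0.0.0:80
    mode http
    balance source
    server web_1 192.0.2.11:80 check
    server web_2 192.0.2.12:80 check

# HTTPS passed through untouched to stunnel running on each web server.
# haproxy only relays encrypted bytes in tcp mode, so it never sees the
# HTTP headers and a "cookie ... insert" directive cannot work here.
listen web_ssl 0.0.0.0:443
    mode tcp
    balance source
    server web_1 192.0.2.11:443 check
    server web_2 192.0.2.12:443 check
```

Stickiness between the two listeners holds only while the same servers are up in both sections and the client keeps the same source IP; clients behind one shared proxy or NAT address all land on the same server. In `mode tcp` haproxy cannot add a forwarding header either, so the web servers see the load balancer's address as the TLS peer.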