Re: HTTPs web-balancing
- From: Patrick Debois <Patrick.Debois@xxxxxxx>
- Date: Mon, 13 Aug 2007 16:33:12 +0200
Some thoughts as you requested:
Loadbalancers and http/s often relate for
*) SSL offloading (decrypt the traffic, and sometime reëncrypt)
*) Balancing traffic (used for priorisation, Qos)
*) Failover mechanism
There is also a distinction using loadbalancers in http/s for
*)only server certificates
Solutions exist either from the HW proxy world (bluecoat), SW proxy
(apache mod_balance), balance, Network (css)
* I guess the problem you are refering to is that if loadbalancers
integrate at the real http/s layer that they work like a sort Man in the
When you take the whole chain server AND client certificates this is
indeed a problem. Only server certificates does not pose that much of a
you can install the same certificate on the loadbalancers. For SSL
client certifactes normally termination needs to be done on the http/s
Vendors solve this by doing the reading of the client DN in the
certificate and passing it via an http-header to the backend . But
online checking with CRL's and OCSP are often not integrated.
*Stickyness in an SSL session: these loadbalancers can see the SSL
sessions but these tend to negotiated differently based on the browser type
*Buffering and delays: the introduction of http/s through a
loadbalancer can cause some latency problems in case a lot of small
packets are encrypted/decrypted. Have a look in google 'nagle algoritm'
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of MARTIN Benoni
Sent: Thursday, August 09, 2007 11:55 AM
Subject: HTTPs web-balancing
Anyone has experiencied load-balancing with https ? Some guys say it's
possible, other say no. Some vendors say yes, some friends say no :(.
I'm quite lost !