Slashdot Mirror
Efficient Use of Network Load-Balancing w/ SSL?
vw asks: "I was wondering if anyone has setup a webserver farm that uses both SSL and zero-affinity network-load-balancing. (i.e. requests in an SSL channel can be handled by any server in the farm) I have been having a very difficult time locating information on this specific combination of features in a web server product. The closest I found was WLBS, which implies that there must be an affinity toward a particular server for a given client IP. I understand the problem has something to do with sharing SSL certificates between physical machines. Any suggestions?"
you might want to look into F5 www.f5.com . They sell a quality load balancing platform. you can generrally find them on Ebay.
#!/usr/bin/perl
use CGI;
$q = new CGI;
if (rand()<0.5) {
print $q->redirect("https://www1.yourdomain/");
} else {
print $q->redirect("http://www2.yourdomain/");
}
its easy. just use SSL from a main "proxy" server (or better yet a 2-3 server set sharing the certs) that takes the SSL requests and handles em as well as opens standard http connections to the webservers.
the proxy server set will handle your SSL encryption while your web servers in your cluster serve webpages.
ive only done it with apache on linux so i dont know how any other webserver will work.
This is a solved problem, check out the splash project http://anoncvs.aldigital.co.uk/splash/ for details.
Basically, it is an Apache module which uses the spread http://spread.org secure mesaging server to synchronizes ssl conection information.
-- Crutcher --
#include <disclaimer.h>
Splash provides a distributed database using Spread. Apache-SSL has a plugable SSL conection cache layer, and there is a Splash implementation available. So, when a client connects to an Apache-SSL server in the pool, and the server checks the cache for SSL cache information, it is checking a DB it shares with all the other machines in the pool. This is exactly what is being requested for this Ask Slashdot.
-- Crutcher --
#include <disclaimer.h>
Setup an OpenBSD box with a crypto card. Let it do all of the dirty work. That box should proxy requests to the load balancer and other webservers in unencrypted form.
Lets you buy a single cert, and with hardware crypto you should be able to handle enough for a modest load -- more than a few million pages daily.
Rod Taylor
That's a cool idea. I'll have to look into it further. I'm curious tho, does the overhead of hitting the DB for SSL key cause any issues?
I used to use a Cisco LocalDirector for load balancing a few years ago. Great device, but I could never properly achieve what this poster is looking for.
I like the idea (in some other post) of proxying the requests on the front, handles the SSL there, and then passing the requests to the real web servers. You still need to have a decent failover system though. Might be more trouble than its worth.
The CSS 11500 & SCA 11000 will do this.
I addressed an earlier question about load balancing that is very pertinent to your question.
Put simply there is no better solution than a hardware one, for this situation. This Nortel solution does it all in one box. However, if your traffic load is great enough you might want to look at splitting out the functions across multiple boxes like these Nortel/Alteoon 180 Series switches. There is also a separate SSL concentrator/accelerator.
But, for some reason, in my mind, "quality load balancing platform" and eBay just don't go together.
Do they have sthe support contracts on eBay too?
Given the technological design behind SSL (in that it operates immediately above IP, and below TCP/UDP), the summary you provide above is true.
That is, you can set up a cluster of web servers behind a typical redirector. Say Server A, B, and C. Each machine has a different IP address, which is a routable address (let's call it w1.foo.com, w2.foo.com, w3.foo.com). There is a single IP address for the "master" domain (say www.foo.com). All machines are set up to serve www.foo.com, both HTTP and HTTPS. For normal HTTP requests, the redirector does it's thing, with EACH http request coming to www.foo.com being served by the next available machine. Any connection a client makes can potentially be served by any machine.
However, since SSL operates below the TCP/HTTP header, a client making a SSL connection to https://www.foo.com will initially be load-balanced across the machines. However, for the rest of that SSL session, it will continue to communicate ONLY with the machine which initially answered the beginning SSL connection.
This isn't a real big problem for most web apps, since each connection is really just getting a bunch of web pages. If the server goes down, you simply have to push RELOAD on the client, and it re-initiates the HTTPS session, getting another machine to answer. It can be a serious problem with other SSL apps, as the termination of a session by the loss of the answering machine may make it difficult to programatically re-start the session.
Just to make this clear: each time a client initiates an SSL session, it gets bound to a single server. This server may be different for each session, but remember that a "session" may include many data requests.
There is no problem sharing certificates between multiple machines (as the cert is tied to hostname, and it's easy to duplicate across multiple web servers). It's an SSL protocol limitation.
-Erik
There are always four sides to every story: your side, their side, the truth, and what really happened.
Check out Novell's iChain product. The client connects to iChain via SSL and iChain can connect to any number of back-end servers. One iChain box can easily handle dual T3's so it'll probably work for you.
.. Here [ps.gz] published in NDSS '02.
I think you're either over-complicating this or I'm not quite following what you're asking.
:)
If you said up a brain dead load balancer, the only real impact you'll have is that it'll have to restablish the SSL connection each time it hops servers. Not wonderful, but not the end of the world.
That's assuming you ARE sharing SSL certificates across machines - and if all the servers are supposed to be serving one secure domain (ie https://www.mydomain.com) then I'm not sure why you wouldn't.
A better solution is to use a load balancer that will support 'sticky' based on the SSL session ID, that way the sessions are kept open, saving both ends from a lot of uneccessary work - but this apparently doesn't suit your needs.
The Linux Virtual Server with ip affinity is a great way to go. Very fast and effecient, stable.
Daniel
Check out the Netscaler 9400 or 9800. The 9800 is a gigabit load balancer that can do up to 4400 RSA handshakes per second and up to 450-500Mb/s of bulk decryption per second on one box. The 9400 is the fast ethernet version, so it is pretty limited to fast ethernet speeds for everything.
Erik