
Re: SSL Accelerator Card

To: "lvs-users@xxxxxxxxxxxxxxxxxxxxxx" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: SSL Accelerator Card
From: "Matthew S. Crocker" <matthew@xxxxxxxxxxx>
Date: Fri, 5 Oct 2001 08:22:13 -0400 (EDT)
> All that you are describing place the use of loadbalancing to layer7.
> In fact if you want that the traffic between your loadbalancer & realserver
> still uncrypted, you need act on the flow. By using SSL Accelerator card,
> this impact that a piece of software drive crypt/decrypt over SSL stream
> and forward clear stream to final realserver. This means that you need a
> layer7 piece of software that deal with loadbalancing decision because this
> piece of software is the connections acceptor.
>
> The biggest problem with that kind of architecture is that you have to deal
> with layer7 overhead.... so the piece of software need to be kernel space
> implemented.
>
> There is work here on layer7 switching (ktcpvs), but currently only onto
> clear stream. If you want active decrypt/crypt soft you need to wait
> a little :) or start the devel your side :)

Actually no,

 By having the SSL sessions terminated in front of the LVS director and
only clear HTTP sessions going through the director you can remove the
persistence requirements of the SSL sessions on the director.  You will
lose the fault tolerance because you only have one F5 BIG-IP SSL NIC and if
that goes down your cluster is down.  You should be able to set up the LVS
director like any normal HTTP director and everything will work fine.



-- 
----------------------------------------------------------------------
Matthew S. Crocker
Vice President / Internet Division         Email: matthew@xxxxxxxxxxx
Crocker Communications                     Phone: (413) 587-3350
PO BOX 710                                 Fax:   (413) 587-3352
Greenfield, MA 01302-0710                  http://www.crocker.com
----------------------------------------------------------------------
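
Added example (not part of the original message): the two director setups discussed in this thread, written as ipvsadm rules that are printed rather than applied. The VIP, real-server addresses, scheduler and 300-second persistence timeout are constructed sample values, and the function names are hypothetical.

```sh
#!/bin/sh
# Prints ipvsadm rules for comparison; nothing is applied to the kernel.
# Constructed sample addresses (assumptions, not taken from the thread).
VIP=192.0.2.10
REALSERVERS="10.0.0.11 10.0.0.12"

# emit_rules PORT [PERSIST_SECONDS]
# One virtual service, plus one direct-routing entry per real server.
emit_rules() {
    port=$1
    persist=${2:-}
    svc="ipvsadm -A -t $VIP:$port -s wlc"
    # -p makes the service persistent: a client address stays on the
    # same real server until the timeout expires.
    if [ -n "$persist" ]; then
        svc="$svc -p $persist"
    fi
    echo "$svc"
    for rs in $REALSERVERS; do
        echo "ipvsadm -a -t $VIP:$port -r $rs:$port -g -w 1"
    done
}

# Director passes encrypted HTTPS through to the real servers. Each real
# server holds its own SSL session state, so the service is persistent.
ssl_passthrough_rules() {
    emit_rules 443 300
}

# SSL is terminated in front of the director. The director only sees
# clear HTTP on port 80 and needs no persistence for SSL sessions.
# The hop from the terminator to the real servers carries cleartext.
ssl_offloaded_rules() {
    emit_rules 80
}

echo "# SSL passed through the director:"
ssl_passthrough_rules
echo "# SSL terminated in front of the director:"
ssl_offloaded_rules
```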


