
Re: SSL Accelerator Card

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx, "lvs-users@xxxxxxxxxxxxxxxxxxxxxx" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: SSL Accelerator Card
From: Wayne <wayne@xxxxxxxxxxxxxxx>
Date: Fri, 05 Oct 2001 09:24:35 -0700
At 08:22 AM 10/5/2001 -0400, Matthew S. Crocker wrote:
>> All that you are describing places the use of loadbalancing to layer7.
>> In fact if you want that the traffic between your loadbalancer & realserver
>> still uncrypted, you need act on the flow. By using SSL Accelerator card,
>> this impact that a piece of software drive crypt/decrypt over SSL stream
>> and forward clear stream to final realserver. This mean that you need a
>> layer7 piece of software that deal with loadbalancing decision because this
>> piece of software is the connections acceptor.
>>
>> The biggest problem with that kind of architecture is that you have to deal
>> with layer7 overhead.... so the piece of software need to be kernel space
>> implemented.
>>
>> There is work here on layer7 switching (ktcpvs), but currently only onto
>> clear stream. If you want active decrypt/crypt soft you need to wait
>> a little :) or start the devel your side :)
>
>Actually no, by having the SSL sessions terminated in front of the LVS director and
>only clear HTTP sessions going through the director you can remove the
>persistence requirements of the SSL sessions on the director.  You will
>lose the fault tolerance because you only have one F5 BIG-IP SSL NIC and if

People keep saying F5 Big-IP SSL NIC; that is actually a Rainbow Technology
SSL accelerator card, not made by F5. Rainbow Technology sells that card and
some more capable cards to the open public.  The problem with using SSL termination
and cookie persistence is that you have to have all the browsers accept cookies --
that is one of the security holes that viruses use.  LVS so far has provided
persistence that does not require users to change their browser settings; that is the best.

A load balancer's job is to balance load, not reduce load on the servers. By
assuming all the responsibilities, a load balancer becomes the single point of
failure.  Even if you have two load balancers backing each other, you still made
the weakest point for your network.

>that goes down your cluster is down. You  should be able to setup the LVS
>director like any normal HTTP director and everything will work fine.
>
>
>
>-- 
>----------------------------------------------------------------------
>Matthew S. Crocker
>Vice President / Internet Division         Email: matthew@xxxxxxxxxxx
>Crocker Communications                     Phone: (413) 587-3350
>PO BOX 710                                 Fax:   (413) 587-3352
>Greenfield, MA 01302-0710                  http://www.crocker.com
>----------------------------------------------------------------------