Re: SSL on director versus real server

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: SSL on director versus real server
From: Matthew Crocker <matthew@xxxxxxxxxxx>
Date: 27 Jan 2003 11:29:48 -0500

It can be done, in fact just about anything can be done these days.
Whether it is a smart thing to do is another matter...  What you are trying
to do isn't really a function of LVS.  You can set up Apache+SSL running
in a reverse proxy configuration.  That Apache can be running on or in
front of the LVS director.  The Apache can then make normal web
connections to the internal machines which can be run through the LVS
director and load balanced.

You can use keepalived or heartbeat to manage the high availability
functions of your Apache/SSL proxy.  You can use hardware based SSL
engines to handle the encryption/decryption.  This is all transparent to
the functions of LVS.

LVS is 'just' a smart IP packet router,  you give it a packet and tell
it how you want it handled.  It can be configured to do a bunch of

The ideal solution for the highest performance and greatest availability
is to have 2 groups of directors, each group having N+1 machines running
LVS.  Have 1 group of Apache/SSL servers configured and 1 group of
internal web servers.

LVS group 1 load balances the inbound SSL traffic to one of the
Apache/SSL servers.  The Apache servers make connections to the internal
servers through LVS group 2.  LVS group 2 load balances the internal HTTP
traffic into the real servers.

To save money you could move Apache/SSL onto the LVS directors but that
could hurt performance.


On Mon, 2003-01-27 at 10:46, pb wrote:
> Hello Joe and all,
> Is it possible for SSL to be supported on the LVS
> directory rather than on the real server(s) ???
> I mean, I think there is a routing ability of LVS to
> the directory itself, besides the normal routing to
> real servers, right?
> So, would this work... Apache+SSL running on port N on
> the LVS director, with a separate PUBLIC or PRIVATE IP
> ADDRESS (which one???) such that SSL is handled
> locally, then finally you get passed along to a real
> server.  In reading the J.M. HOWTO I saw something on
> local routing on the LVS directory itself, but how to
> do this whole SSL setup ... anyone have some good doc
> on it???
> Right now, the powers that be have brought up the
> question of placing a purchased Mirapoint email system
> behind a "free" load balancer (neglecting to consider
> that Mirapoint runs on FreeBSD, and that Piranha is a
> purchasable LVS product as well).  See what I mean? 
> Thanks
> Peter
Matthew S. Crocker
Crocker Communications, Inc.  / Vice President
PO BOX 710
Greenfield, MA 01302-0710

Voice: 413-746-2760
Fax: 413-746-3704
E-mail: matthew@xxxxxxxxxxx
GPG Public Key:
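
The Apache/SSL reverse proxy tier described in the reply above, sketched as an Apache 2.4 virtual host for one node behind LVS group 1. This is an added example, not part of the original message; the hostname, certificate paths and the 10.0.2.10 address standing in for the LVS group 2 virtual IP are assumptions.

```apache
# Added example: TLS-terminating reverse proxy on one Apache/SSL node.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.
# Hostname, file paths and IP addresses are assumed placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    # TLS ends on this node. LVS group 1 only routes TCP/443 packets here,
    # so every Apache/SSL node in the group needs the same certificate and key.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLProtocol           -all +TLSv1.2 +TLSv1.3

    # Reverse proxy only: do not act as an open forward proxy.
    ProxyRequests Off
    # Pass the original Host header so name-based vhosts on the
    # real servers still match.
    ProxyPreserveHost On

    # Overwrite any client-supplied value so the real servers can rely on
    # this header to know the request arrived over TLS.
    RequestHeader set X-Forwarded-Proto "https"

    # Backend is the virtual IP of LVS group 2 (assumed 10.0.2.10), which
    # load balances plain HTTP across the internal web servers.
    ProxyPass        / http://10.0.2.10:80/
    ProxyPassReverse / http://10.0.2.10:80/
</VirtualHost>
```

The leg from this proxy through LVS group 2 to the real servers is unencrypted HTTP, so that network segment should carry only proxy-to-backend traffic, and the real servers should accept port 80 connections only from the Apache/SSL nodes.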
