Re: Persistence in LVS, and other projects?

To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Persistence in LVS, and other projects?
From: "Dan Browning" <danb@xxxxxxxxxxxxxxxxxxxx>
Date: Tue, 10 Oct 2000 01:24:02 -0700
Wow.  Thank you so much for the feedback.

> First of all, cookie persistence does not solve the problem of
> AOL using proxy servers, unless you have SSL termination.

Intel has an SSL termination network appliance for $10,000 that does 200 TPS.
I could either use this for the front end SSL decoding, or I heard that some
HTTP proxies can do that.  Does anyone have any information on HTTP proxies
that decode SSL (HTTPS) into clear text (HTTP)?  I think that I heard Squid
with some SSL modules loaded has something of that functionality.

Comments?

> Because in the HTTPS phase, no matter whose load balancer it is, it
> will not be able to see the cookie (they are encrypted!) unless
> you have SSL termination in front of your load balancer.  That
> is actually against the idea of load balancing.

So you are saying that it defeats the idea of load balancing because you've
gone back to the single point of failure and single bottleneck because you
have one SSL processor in the front?

What if instead of just one SSL processor in front of the load balancer(s),
you made an entirely new cluster just to do SSL processing?  It could be
strictly layer-2, layer-3 where a director just passes all the traffic to a
bunch of Squid+SSL boxes to decode the SSL, then the Squid boxes all pass
the traffic down to the next Director, which then persistently load balances
the HTTP connections.

Oh wait, but the cluster of SSL boxes probably wouldn't get the correct
client in the first place (sticky-HTTPS problem).  I guess that idea is out
(unless Intel SSL decoders were used).


> 2ndly, LVS has already designed the logic to handle situations
> like AOL.  By proper setting of the netmask for the farm, it
> is possible to have all of AOL's proxy servers appear like one.
> People may say that would defeat load balancing, but luckily,
> AOL does not just have one Internet connection to the Internet, and
> 20 million AOL users will not all go out from Chicago proxy
> servers, or all from VA proxy servers, or all from San Diego...
> Between them, you will still get pretty good load balancing.

Oh.  So basically what you are saying is that IP address-based persistence
is very likely going to be plenty good enough, and will take care of my SSL
problems.  I will probably go this route.  The neat part is that this way,
if it turns out I do need layer-7 load balancing, I can go out and buy it.

> I do not think a $30k load balancer has SSL termination built-in.
> If they do, check the spec, it is probably about 100 transactions/s.
> If you think that is all you need for SSL, you could have a
> medium-size server and not need a load balancer at all :)

The Intel E-Commerce Director (taken from iPivot, or something) does in fact
have SSL termination built-in.  And it's 600 transactions/sec.  That's new
transactions.  It can handle 3000 transactions/sec of established
connections.

Thanks again guys.

Dan Browning
Network & Database Administrator
Cyclone Computer Systems

>
> Wayne
>
> At 12:51 AM 10/6/00 -0500, Joe Cooper wrote:
> >Dan's not the only one who might be willing to pay for implementation of
> >such features... ;-)
> >
> >I'm itching for a few things in LVS.  A fast MD5 (or similar hash)
> >destination IP hashing scheduling algorithm that will allow several web
> >caches to be used and have no repeated data between them.  (~$1500-$2000
> >seems fair to me...Anyone who has the skills to do so want to fill me in
> >on whether it is the 1-2 week job that I think it is?)
> >
> >Moving LVS into the realm of more full featured L4 and L7 switches would
> >also be a fun thing, and it's something I'll help fund.
> >
> >There's plenty of money for things to get done in LVS, I think.  But
> >where to find the willing (and good) coders to do it?
> >
> >Any takers?
> >
> >Dan Browning wrote:
> >>
> >> > Here's my question:  What is the best way to implement "sticky"
> >> > connections (such as SSL) with free software?  If none, I'll go ahead
> >> > and buy that $35,000 load balancer from intel, or arrowpoint.  Those
> >> > expensive
> >>
> >> > Oo, oo... <hand goes up>
> >> >
> >> > 3rd suggestion... Could you donate the $30,000 to Wensong et
> >> > al so that they may try out such a project?
> >>
> >> That's certainly not out of the question.  Time constraints do tend to
> >> get in the way though.  October 20-30th or so is when we'll need the
> >> cluster to be live.  If a large dollar contract were to motivate someone
> >> to meet that kind of deadline, that money might be saved from going into
> >> Intel's pockets.
> >
> >                                  --
> >                     Joe Cooper <joe@xxxxxxxxxxxxx>
> >                 Affordable Web Caching Proxy Appliances
> >                        http://www.swelltech.com
> >
> >----------------------------------------------------------------------
> >LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> >To unsubscribe, e-mail: lvs-users-unsubscribe@xxxxxxxxxxxxxxxxxxxxxx
> >For additional commands, e-mail: lvs-users-help@xxxxxxxxxxxxxxxxxxxxxx
>
>
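
The netmask-granular persistence Wayne describes, and the destination-IP hash for cache farms Joe asks for, as an added example. This is not code from the thread or from LVS itself; it is a small Python model of what `ipvsadm -A -t VIP:443 -s wlc -p 360 -M 255.255.255.0` sets up: the director keys its persistence template on the client address ANDed with the netmask, so every proxy inside an AOL-style /24 lands on the same real server for as long as the template lives, while a /32 netmask lets sibling proxies split one user's session across real servers. The least-connection fallback, the timer refresh on each new connection and the 256-bucket multiplicative hash are simplifying assumptions marked in the comments, and the client addresses are constructed documentation-range values.

```python
# Added example (not code from the thread or from LVS): a model of how an LVS
# director keys persistence templates on the client address masked by the
# persistence netmask, i.e. what "ipvsadm ... -p 360 -M 255.255.255.0" configures.
# The least-connection fallback, the timer refresh and the hash constant below
# are assumptions made for illustration, not taken from the IPVS sources.
import ipaddress


class PersistentDirector:
    """Picks a real server per connection, honouring a netmask-granular
    persistence template the way an LVS director does for -p/-M services."""

    def __init__(self, real_servers, netmask="255.255.255.255", timeout=360):
        self.real_servers = list(real_servers)
        self.netmask = int(ipaddress.IPv4Address(netmask))
        self.timeout = timeout
        self.templates = {}  # masked client -> (real server, expiry time)
        self.conns = {rs: 0 for rs in self.real_servers}  # connections per server

    def template_key(self, client_ip):
        """Client address ANDed with the persistence netmask (the -M value)."""
        masked = int(ipaddress.IPv4Address(client_ip)) & self.netmask
        return str(ipaddress.IPv4Address(masked))

    def _least_connections(self):
        # Fallback scheduler for a client with no live template (assumed 'lc'-like;
        # min() returns the first server among equals, so ties go to rs1).
        return min(self.real_servers, key=lambda rs: self.conns[rs])

    def connect(self, client_ip, now):
        """Return the real server chosen for a new connection at time `now`."""
        key = self.template_key(client_ip)
        entry = self.templates.get(key)
        if entry is not None and entry[1] > now:
            rs = entry[0]                   # sticky: reuse the live template
        else:
            rs = self._least_connections()  # no template, or it has expired
        self.templates[key] = (rs, now + self.timeout)  # (re)arm the template
        self.conns[rs] += 1
        return rs


def compare_granularity():
    """Run one client sequence through a per-host and a per-/24 service.

    Constructed sample addresses: two proxies in one /24 standing in for an
    AOL-style proxy farm, plus one unrelated client."""
    proxy_a, proxy_b, other = "192.0.2.10", "192.0.2.77", "198.51.100.5"
    results = {}
    for label, mask in (("per_host", "255.255.255.255"),
                        ("per_net", "255.255.255.0")):
        d = PersistentDirector(["rs1", "rs2"], netmask=mask, timeout=360)
        results[label] = [
            d.connect(proxy_a, now=0),    # first hit of a "session"
            d.connect(proxy_b, now=10),   # same user, via a sibling proxy
            d.connect(other, now=20),     # unrelated client
            d.connect(proxy_a, now=500),  # after the 360 s template expired
        ]
    return results


def dest_hash_bucket(dest_ip, caches):
    """Map a destination address to exactly one cache, so no object is held
    by two caches (the scheme Joe Cooper asks for). The 256-bucket table and
    the Fibonacci-hashing multiplier are assumptions, not from the thread."""
    bucket = (int(ipaddress.IPv4Address(dest_ip)) * 2654435761) & 0xFF
    return caches[bucket % len(caches)]


if __name__ == "__main__":
    for label, picks in compare_granularity().items():
        print(label, picks)
    print(dest_hash_bucket("192.0.2.10", ["cache1", "cache2", "cache3"]))
```

With a /32 netmask the two proxies are scheduled independently, so the user's second request lands on a different real server; with a /24 netmask both proxies share one template until it expires, after which the fallback scheduler is consulted again. That is the behaviour Wayne relies on when he says a properly set farm netmask makes AOL's proxies "appear like one".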
