Do you guys know whether this system is possible with LVS?

                        ________
                       |        |
                       | client |<--Client using an SSL web application (port 443)
                       |________|
                           ||      CIP=eth0 x.x.x.15
           SSL Traffic ->  ||
                           ||       __________
                           ||      |          |
                           ||=====+ SSL NIC  |<--This SSL NIC is an F5 Big-IP SSL NIC
                                   |(VIP eth0)|
                                   |          |
                           |------+ 100bt NIC|
                           |       |(DIP eth1)|
                           |       |__________|
     cleartext Traffic ->  |       VIP=eth0 y.y.y.2/26
                           |       DIP=eth1 y.y.y.130/26
                           |
                           |
                  -------------------
                  |                 |
                  |                 |
           ______________     ______________
          |              |   |              |
          | realserver1  |   | realserver2  |<--Servers running over just port 80.
          |______________|   |______________|   They don't even see SSL traffic
            RIP1=eth0          RIP2=eth0
            192.168.1.11       192.168.1.12

                    all realservers
                    VIP=lo:110=y.y.y.2

I am essentially trying to get around two things with this.

#1. I don't want to have to use persistence with my SSL webservers. (We
are having MAJOR problems with clients that use Tivoli reverse proxies
and are running like 5,000 people through it...all of the traffic looks
like it is coming from one client, so it all ends up on just one of the
two boxes).

#2. I want the traffic to be SSL secure between the client and the
director, but after that, since the realservers are on the same local
segment, I really don't care. I want to offload the SSL decryption from
my webservers and have that handled by just one F5 Big-IP SSL NIC.

What do you think? Will it work? Does LVS have the means to do this?

Thanks in advance!

Ryan