Re: How to handle SSL traffic

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>, ksmith@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: How to handle SSL traffic
From: pb <peterbaitz@xxxxxxxxx>
Date: Wed, 15 Oct 2003 14:43:26 -0700 (PDT)

Kenton,

Where I work we use Piranha (Red Hat's spin of LVS)
and regarding SSL, we let the real servers do the SSL
work. 

No sense busying the LB with processing the SSL, and
even if you wanted to, you would look to SSL
Accelerators, which we have not implemented, though we
looked at the technology theoretically speaking - but
you also get into what service(s) you are using SSL
for, webmail, web sites, etc.  

Better to let the real servers handle the SSL... you
can always add more real servers if SSL processing
bogs them down by some fraction.   

Peter 

--- Joseph Mack <mack.joseph@xxxxxxx> wrote:
> Kenton Smith wrote:
> >
> > Do I terminate the SSL traffic at the LB or the real server?
> > How do I handle the certs? If the traffic is terminated at the real
> > server do I need a certificate for each real server? Can I use a
> > name-based cert using the domain name that goes with the virtual IP on
> > the LB, thus only requiring one certificate?
>
> (caveat: I haven't done SSL with LVS).
>
> Some rules about LVS:
>
> o each realserver thinks it is being connected directly by the client.
>
> o each client thinks it is directly connected to a single box (the realserver).
>
> o Neither the client nor the realserver knows the director exists.
>
> So....
>
> Set up each realserver as if the client was directly connecting to it.
> Put the name based cert on it (and for all realservers) and
> let the realserver handle the SSL de/encoding.
>

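The following is an added example, not part of the original messages: a check that every realserver presents a certificate a client of the virtual service name would accept, since the client validates the name it asked for and never sees the realserver's own hostname. The function names, the name `www.example.com`, the 192.0.2.x addresses and the certificate dicts are constructed for illustration.

```python
import socket
import ssl
import time

def names_in_cert(cert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert()."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    # Legacy fallback: use the subject CN only when no DNS SAN is present.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans or cns

def name_matches(pattern, host):
    p, h = pattern.lower().split("."), host.lower().split(".")
    # A wildcard is honoured only as the entire left-most label.
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def audit(certs_by_realserver, virtual_name, now):
    """Return {realserver: problem} for certs a client of virtual_name would reject."""
    problems = {}
    for rs, cert in certs_by_realserver.items():
        names = names_in_cert(cert)
        if not any(name_matches(n, virtual_name) for n in names):
            problems[rs] = "name mismatch: " + ", ".join(names)
        elif ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            problems[rs] = "expired: " + cert["notAfter"]
    return problems

def fetch_cert(realserver_ip, virtual_name, cafile=None, port=443):
    """Handshake with one realserver directly, bypassing the director."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; audit() checks the name
    with socket.create_connection((realserver_ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=virtual_name) as tls:
            return tls.getpeercert()

# Constructed sample certificates, in getpeercert() layout, so this runs offline.
SAMPLE = {
    "192.0.2.11": {"subject": ((("commonName", "www.example.com"),),),
                   "notAfter": "Jan  1 00:00:00 2040 GMT"},
    "192.0.2.12": {"subject": ((("commonName", "rs2.internal.example"),),),
                   "notAfter": "Jan  1 00:00:00 2040 GMT"},
    "192.0.2.13": {"subjectAltName": (("DNS", "*.example.com"),),
                   "notAfter": "Jan  1 00:00:00 2020 GMT"},
}

if __name__ == "__main__":
    for rs, why in audit(SAMPLE, "www.example.com", time.time()).items():
        print(rs, why)
```

Against live realservers, build the input with `{ip: fetch_cert(ip, name) for ip in ips}` run from a host that can reach the realservers' own addresses.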