Re: SSL questions

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: SSL questions
From: Joseph Mack NA3T <jmack@xxxxxxxx>
Date: Tue, 30 May 2006 13:45:46 -0700 (PDT)
On Tue, 30 May 2006, Chad Morland wrote:

As far as I can tell the following will not work because of the nature of
SSL and the fact that LVS-DR does not modify the packets.

TCP rr
->           Route   1      0          0
TCP rr
->           Route   1      0          0

I have not done SSL with LVS, so am just replying to give you something to think about until you get a real answer (ie this may not be right, but it's close enough for a start).

The SSL box (wherever it is in your setup) has to see the packets in both directions (decrypt on the way in, encrypt on the way out). So you can have the SSL accelarator in front of and LVS-NAT director or on each realserver.

The only reason to have an SSL box is to minimise the number of certificates. Otherwise you'd have each realserver doing its own SSL and spreading the SSL work over a large number of machines. This leaves you will the SSL box in front of an LVS-NAT director.

You seem to think you'll have performance problems with LVS-NAT, but since the 2.4 kernels written for netfilter, LVS-NAT has about the same performance as the other forwarding methods. If you're doing a lot of SSL, the SSL box will be the rate limiting step.

So, if I am using a LVS-DR setup am I correct in assuming that I need to
have 1 VIP for every certificate in addition to 1 RIP per certificate on
each real server?

You need a certificate for each domainname on each machine doing SSL. IPs have nothing to do with it. If you have one SSL accelarator box, it's a certificate for each domainname.

Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at Homepage It's GNU/Linux!

<Prev in Thread] Current Thread [Next in Thread>