On Tue, 30 May 2006, Chad Morland wrote:
> As far as I can tell the following will not work because of the nature of
> SSL and the fact that LVS-DR does not modify the packets.
>
> TCP  site1.com:443 rr
>   -> 192.168.14.170:443           Route   1      0          0
> TCP  site2.com:443 rr
>   -> 192.168.14.170:443           Route   1      0          0
I have not done SSL with LVS, so am just replying to give
you something to think about until you get a real answer (ie
this may not be right, but it's close enough for a start).
The SSL box (wherever it is in your setup) has to see the
packets in both directions (decrypt on the way in, encrypt
on the way out). So you can have the SSL accelerator in
front of an LVS-NAT director or on each realserver.
The only reason to have an SSL box is to minimise the number
of certificates. Otherwise you'd have each realserver doing
its own SSL and spreading the SSL work over a large number
of machines. This leaves you with the SSL box in front of an
LVS-NAT director.
You seem to think you'll have performance problems with
LVS-NAT, but since the 2.4 kernels written for netfilter,
LVS-NAT has about the same performance as the other
forwarding methods. If you're doing a lot of SSL, the SSL
box will be the rate limiting step.
> So, if I am using a LVS-DR setup am I correct in assuming that I need to
> have 1 VIP for every certificate in addition to 1 RIP per certificate on
> each real server?
You need a certificate for each domainname on each machine
doing SSL. IPs have nothing to do with it. If you have one
SSL accelerator box, it's a certificate for each domainname.
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
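The point Joe makes about certificates (one per domain name on each machine that terminates SSL, regardless of how many VIPs or RIPs are involved) can be checked mechanically against a director's `ipvsadm -L` table. The following is an added example, not code from the original thread or from the LVS project: it parses the table format shown in Chad's post, and for every HTTPS virtual service lists which realservers receive the traffic and therefore need a certificate for that service's domain name. The sample table is constructed for this example (it extends the two services in the post with extra realservers and an LVS-NAT service); with LVS-DR the director does not touch the packets, so the realserver is the SSL endpoint unless an accelerator sits in front of it, which this table cannot show.

```python
"""Work out which SSL certificates each realserver behind an LVS director
needs, from the output of `ipvsadm -L`.

Added example; the sample output below is constructed to mirror the two
services in the post, plus a second realserver and an LVS-NAT service."""
import re
from collections import defaultdict

# Constructed sample of `ipvsadm -L` output (hostnames resolved, as in the post).
SAMPLE_IPVSADM = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  site1.com:443 rr
  -> 192.168.14.170:443           Route   1      0          0
  -> 192.168.14.171:443           Route   1      0          0
TCP  site2.com:443 rr
  -> 192.168.14.170:443           Route   1      0          0
TCP  site3.com:443 rr
  -> 192.168.14.172:443           Masq    1      0          0
TCP  site1.com:80 rr
  -> 192.168.14.170:80            Route   1      0          0
"""

# A virtual-service line: protocol, VIP host, port, scheduler.
SERVICE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)")
# A realserver line: RIP, port, forwarding method (Route = DR, Masq = NAT,
# Tunnel = LVS-Tun), weight.  The header line has no numeric port and no
# forwarding keyword, so it does not match.
REALSERVER_RE = re.compile(r"^\s*->\s+(\S+):(\d+)\s+(Route|Masq|Tunnel)\s+(\d+)")


def parse_ipvsadm(text):
    """Return a list of services; each is
    (proto, vip_host, vport, scheduler, [(rip, rport, forward, weight), ...])."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            proto, host, port, sched = m.groups()
            services.append((proto, host, int(port), sched, []))
            continue
        m = REALSERVER_RE.match(line)
        if m and services:
            rip, rport, fwd, weight = m.groups()
            services[-1][4].append((rip, int(rport), fwd, int(weight)))
    return services


def certs_per_ssl_endpoint(services, ssl_port=443):
    """Map each realserver IP to the set of domain names it must hold a
    certificate for.  Every realserver of an HTTPS virtual service counts,
    whatever the forwarding method: neither DR nor NAT decrypts anything,
    so SSL is terminated wherever the packets finally land."""
    needed = defaultdict(set)
    for _proto, host, vport, _sched, realservers in services:
        if vport != ssl_port:
            continue
        for rip, _rport, _fwd, _weight in realservers:
            needed[rip].add(host)
    return dict(needed)


def certificate_count(needed):
    """Total certificate installations: one per (machine, domain name) pair."""
    return sum(len(hosts) for hosts in needed.values())


if __name__ == "__main__":
    table = parse_ipvsadm(SAMPLE_IPVSADM)
    needed = certs_per_ssl_endpoint(table)
    for rip in sorted(needed):
        print(rip, "needs certs for:", ", ".join(sorted(needed[rip])))
    print("certificate installations:", certificate_count(needed))
```

Run against the constructed table, 192.168.14.170 serves both site1.com and site2.com over 443 and so needs two certificates, while the site1.com:80 service contributes nothing; moving SSL to a single accelerator in front of a NAT director would collapse the per-realserver sets into one set of certificates on that box.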