
[lvs-users] SSL persistence/offloading and IPVS-TUN

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [lvs-users] SSL persistence/offloading and IPVS-TUN
From: David Black <dave@xxxxxxxxxxx>
Date: Tue, 05 Feb 2008 13:30:42 -0500

I have a stable keepalived IPVS-TUN+keepalived setup, am looking at
whether it's feasible to do SSL offloading, and if so, how.

The real servers are currently terminating the SSL sessions (as is
common) and persistence is enabled in IPVS because we don't yet share
session state on the backend.   Now we're looking at adding clustering
on the Glassfish app servers and maintaining session state across the
lot, getting us a step closer to a session-preserving failover
capability.  However, so far it appears they cannot also share *SSL*
session state, making it necessary for me to look at ways to move the
SSL session handling up the stack.

If we have to do SSL offloading the load balancer boxes themselves look
like good candidates, in part because they already run Apache and are
well positioned in the network.  Whether Apache can be useful in this
situation I don't yet know for certain, e.g. using mod_proxy to relay
plain HTTP connections inward - but that would seem to lead me in a
direction to bypass IPVS+keepalived altogether, and also use Apache's
load balancing facility.  I don't mind so much possibly using Apache (in
parallel with IPVS) to do load balancing for long-lived SSL sessions,
but would prefer to keep the traffic flow through IPVS since there are
several other services they will continue to handle solely using IPVS.

Can anyone point me to work already done in this area of SSL session
persistence and IPVS-TUN and/or share ideas and experiences?

Dave


