On Tue, 5 Feb 2008, David Black wrote:
> I have a stable keepalived IPVS-TUN+keepalived setup, am
> looking at whether it's feasible to do SSL offloading, and
> if so, how.

I haven't done SSL off-loading and my knowledge is limited
to what's in the HOWTO. You sound as knowledgeable about the
topic as anyone else who's posted here, so I expect you're
going to have to nut it out yourself. Any experience you
get, I'd be very happy to hear about.

If you move the SSL off-loading to the director, you'll have
to use LVS-NAT so that the return packets go through the SSL
apparatus on the way back to the clients.

> The real servers are currently terminating the SSL
> sessions (as is common) and persistence is enabled in IPVS
> because we don't yet share session state on the backend.

Do you know about the -dh scheduler as a replacement for
persistence?

> If we have to do SSL offloading the load balancer boxes
> themselves look like good candidates,

Do you have enough CPU power in a single director to handle
the encoding/decoding for the number of realservers you
have?

Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!