RE: AW: AW: SSL accelarators and LVS by Peter Baitz

[Matthias Krauss <MKrauss@xxxxxxxxxxxxxx>]

Joe wrote:

>(just getting this straight)
>You had a LVS-DR director, but with apache listening on VIP:443 on the
director.
>I assume then that the director was not forwarding 443 to the realservers.
>According to PB's write up, you'd then also need something listening on 80
>on the director to handle the decrypted packets. Did you have this?

i have a running LVS with a simple config (direct routing) to a few
realservers
forwarding http fine (productive and very very stable ... ) and I didnt had
443 
forwarded because i didnt want it, my intention was to have ssl acclerating
on LVS
directly and forwarding http (decrypted) traffic to the VIP to save cpu
times on 
realservers so i havent tried it forwarding 443, however, i can retry it if
you 
like ... I made this all because of checking what "would" be possible
without 
having it realy needed.

But in general - as i saw apache's cpu time climbing up to 30% cpu time wile
having
only 10 concurent ssl stress users i skipped the idea .....

thanks
Matthias






-----Original Message-----
From: Joseph Mack [mailto:mack.joseph@xxxxxxx]
Sent: Monday, March 10, 2003 8:58 PM
To: LinuxVirtualServer.org users mailing list.; MKrauss@xxxxxxxxxxxxxx;
Julian Anastasov
Subject: Re: AW: AW: SSL accelarators and LVS by Peter Baitz


Matthias Krauss wrote:
> 
> Joe wrote:
> 
> >what was your setup? accelarator box in front of the LVS (as below)?
> 
> I had 2 different test scenarios, 1st was apache directly on the director
> (running DR), were only the director answered the ssl request and nothing
> gots passed to the realservers,

(just getting this straight)
You had a LVS-DR director, but with apache listening on VIP:443 on the
director.
I assume then that the director was not forwarding 443 to the realservers.
According to PB's write up, you'd then also need something listening on 80
on the director to handle the decrypted packets. Did you have this?

> I hoped to decrypt the packets on the director and then pass the decrypted
> packets to the realserver via the LVS

Julian,
        Can packets from an SSL accelerator listening on VIP:443 (but which
the LVS is not forwarding) and presumably outputting to VIP:80, be routed to

ip_vs code? Presumably this would have to be LVS-NAT to get the packets on 
the way back.

Thanks JOe

-- 
Joseph Mack PhD, Senior Systems Engineer, SAIC contractor 
to the National Environmental Supercomputer Center, 
ph# 919-541-0007, RTP, NC, USA. mailto:mack.joseph@xxxxxxx
_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users