Re: Load Balancing
In a message dated: Thu, 23 May 2002 07:03:16 EDT
"Tilly, Lawrence" said:

>Hi, Paul.
>
>It's 6:30am and has already been a long day for me, so please forgive
>any disjointed thoughts. :-}
>
>Anyway, I'm not very familiar w/ LVS-IP because I haven't used that, but
>the problem w/ balancing SSL is when the encrypted transaction hits your
>load balancer the balancer is unable to read any of your session
>information (it's encrypted). So it just throws you at one of the web
>servers in question (round robin usually). The web server decrypts the
>transaction and is able to do any load balancing at that level before
>sending the transaction on to an application server (if applicable). The
>web server then encrypts the return data before sending it back out thru
>the balancer to the user. At no point does the balancer see unencrypted
>session information. I'm not sure if / how LVS-IP might overcome that
>problem, but I'm going to try putting some bandwidth into reading up on
>it this week.

LVS can be used in basically 1 of 3 ways:

    IP-Tunnelling
    Direct Routing
    NAT

NAT is what it sounds like; your LVS director node NATs all traffic between the client and the web server. You think you're talking to one particular system, but you may be talking to any of several.

Direct Routing allows for the load balancer and the clients to all be connected to the same subnet/segment, i.e. you can use a hub, and your load-balancer acts like a router to direct packets to a specific node on the segment.

IP-Tunnelling allows the load balancer to direct the request to one of several different servers, but the return traffic does not go back through the load-balancer node; instead, the rest of the transaction is carried out directly between the client and the server designated to that client.

Also note that the load balancing algorithm is separate from the client/server connection method. Whereas the mechanism by which the client and server converse with each other is one of the above 3 methods, the load balancing mechanism can be one of:

    Round-Robin Scheduling
    Weighted Round-Robin Scheduling
    Least-Connection Scheduling
    Weighted Least-Connection Scheduling
    Locality-Based Least-Connection Scheduling
    Locality-Based Least-Connection with Replication Scheduling
    Destination Hashing Scheduling
    Source Hashing Scheduling

Some of these may not be available for use with certain connection schemes mentioned above; i.e. certain combinations of connection scheme and scheduling algorithms may either be impossible, or otherwise negate each other.

I'll leave the description/definition of the scheduling algorithms to the LVS web site:

    http://www.linuxvirtualserver.org/docs/scheduling.html

You can find more about LVS at:

    http://www.linuxvirtualserver.org

But anyway, as I mentioned before, I *think* ssl connections with load-balancing may be possible using the IP-tunneling and a "persistent port" on the director. There's more info about persistent or "sticky" connections (such as http cookie, https, ftp, ssl, etc.) here:

    http://www.linuxvirtualserver.org/docs/persistence.html

So, in short, I *do* think it's possible, and of course, it *can* be done with Linux. However, I don't know how easy, economical, efficient, or scalable such a solution may be. Those decisions are left to the individual implementor :)

--
Seeya,
Paul

It may look like I'm just sitting here doing nothing, but I'm really actively waiting for all my problems to go away.

If you're not having fun, you're not doing it right!

* To unsubscribe from this list, send mail to [EMAIL PROTECTED] with the text 'unsubscribe gnhlug' in the message body. *
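Paul's point that the forwarding method (NAT / DR / tunnelling) is independent of the scheduling algorithm, and that a "persistent port" is what keeps an SSL client on one real server even though the director cannot see inside the encrypted stream, is easier to see in a small simulation. The following is an added example written for this thread; it is not LVS code and not from the LVS project. It models a director with four of the listed schedulers (round-robin, weighted round-robin, least-connection, source hashing) plus a per-client persistence template with a timeout, in the spirit of the `-p` option of `ipvsadm`. The real-server addresses, weights and client addresses are constructed sample data, and the weighted round-robin here picks the server furthest below its weighted share, which is a simplification of the LVS algorithm, not a copy of it.

```python
"""Toy LVS-style director: scheduling vs. persistence (added example, not LVS code).

The director only ever sees IP/TCP headers, which is all that is visible of an
SSL session.  Scheduling therefore keys on the client address (or on nothing at
all), and a persistence template is what keeps later connections from the same
client on the server the first one was sent to.
"""
from collections import Counter
import zlib

# Hypothetical real servers behind the director with ipvsadm-style weights
# (constructed sample data).
REAL_SERVERS = {"10.0.0.11": 3, "10.0.0.12": 2, "10.0.0.13": 1}


class Director:
    def __init__(self, servers, scheduler="rr", persistence=0):
        self.servers = dict(servers)
        self.order = list(servers)            # stable order for tie-breaking
        self.scheduler = scheduler            # "rr", "wrr", "lc" or "sh"
        self.persistence = persistence        # template lifetime in seconds; 0 = off
        self._rr_idx = 0
        self._wrr_counts = Counter()          # picks per server, for the weighted share
        self.active = Counter()               # open connections per server
        self.templates = {}                   # client ip -> (server, expiry time)

    # --- schedulers: each returns a real server for a new connection ---
    def _rr(self, client_ip):
        server = self.order[self._rr_idx % len(self.order)]
        self._rr_idx += 1
        return server

    def _wrr(self, client_ip):
        # Pick the server with the lowest picks/weight ratio (simplified WRR):
        # over a full cycle each server receives picks proportional to its weight.
        server = min(self.order, key=lambda s: (self._wrr_counts[s] / self.servers[s],
                                                self.order.index(s)))
        self._wrr_counts[server] += 1
        return server

    def _lc(self, client_ip):
        # Least-connection: fewest currently open connections wins.
        return min(self.order, key=lambda s: (self.active[s], self.order.index(s)))

    def _sh(self, client_ip):
        # Source hashing: a pure function of the client address, so the same
        # client always lands on the same server without any per-client state.
        return self.order[zlib.crc32(client_ip.encode()) % len(self.order)]

    def schedule(self, client_ip, now):
        """Return the real server for a new connection from client_ip at time now."""
        if self.persistence:
            entry = self.templates.get(client_ip)
            if entry and entry[1] > now:       # unexpired template: reuse, refresh
                server = entry[0]
                self.templates[client_ip] = (server, now + self.persistence)
                self.active[server] += 1
                return server
        server = getattr(self, "_" + self.scheduler)(client_ip)
        if self.persistence:
            self.templates[client_ip] = (server, now + self.persistence)
        self.active[server] += 1
        return server

    def close(self, server):
        """Record that one connection to server has finished."""
        self.active[server] -= 1


def simulate(scheduler, persistence, connections):
    """connections: iterable of (time, client_ip); returns the servers chosen."""
    d = Director(REAL_SERVERS, scheduler, persistence)
    return [d.schedule(ip, t) for t, ip in connections]


def wrr_distribution(n=60):
    """How n new connections from distinct clients spread under weighted RR."""
    d = Director(REAL_SERVERS, "wrr")
    return dict(Counter(d.schedule("192.0.2.%d" % (i % 200), now=i) for i in range(n)))


# Constructed sample: client A reconnects every 60 s (then again much later),
# client B is interleaved.  Times are seconds.
SAMPLE = [(0, "198.51.100.7"), (10, "203.0.113.9"), (60, "198.51.100.7"),
          (70, "203.0.113.9"), (120, "198.51.100.7"), (500, "198.51.100.7")]

if __name__ == "__main__":
    print("wrr share over 60 connections:", wrr_distribution())
    print("rr, no persistence:          ", simulate("rr", 0, SAMPLE))
    print("rr, 300 s persistence:       ", simulate("rr", 300, SAMPLE))
    print("source hashing:              ", simulate("sh", 0, SAMPLE))
```

With plain round-robin the six connections are spread over all three servers, so client A's SSL session (or an SSL session cache entry) would be split across servers; with a 300 s persistence template the same client keeps hitting the server it first got, until the template expires (the last connection at t=500 is scheduled afresh). Source hashing gives the same stickiness without any template table, at the cost of an uneven spread if a few clients dominate.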
RE: Load Balancing
This is my question also. Now, I'm not an expert on security in any way shape or form, I would classify myself as a novice at best. I do understand defense in depth and multiple layers but I have the same question that Lawrence does. Unless your webserver sits completely naked outside your firewall (a situation I can't even begin to imagine) then I don't see a really big problem w/ putting the SSL accelerator in front of your load balancer. Can someone please explain so a simple person like myself can understand?

> Hi, Paul.
>
> It's 6:30am and has already been a long day for me, so please forgive any
> disjointed thoughts. :-}
>
> Anyway, I'm not very familiar w/ LVS-IP because I haven't used that, but the
> problem w/ balancing SSL is when the encrypted transaction hits your load
> balancer the balancer is unable to read any of your session information (it's
> encrypted). So it just throws you at one of the web servers in question (round
> robin usually). The web server decrypts the transaction and is able to do any
> load balancing at that level before sending the transaction on to an application
> server (if applicable). The web server then encrypts the return data before
> sending it back out thru the balancer to the user. At no point does the balancer
> see unencrypted session information. I'm not sure if / how LVS-IP might overcome
> that problem, but I'm going to try putting some bandwidth into reading up on it
> this week.
>
> I know this is true for Local Directors. Cisco (and others I'm sure) make
> "smart" load balancers which basically handle the SSL first, then do the load
> balancing, but functionally those are not much different than putting an SSL box
> in front of your LD if you already own them. As far as an SSL transaction
> between the user and backend, I'm not 100% sure I am reading the question right.
> If your environment goes something like this:
>
> Browser --> net --> firewall --> ssl --> balancer --> webserver -->
> appserver --> database
>
> Then that should be just as secure as:
>
> Browser --> net --> firewall --> balancer --> webserver / ssl --> appserver
> --> database
>
> Basically, if your first firewall is compromised, then you're open and having
> the transaction encrypted for one or two more levels is probably not going to
> make a big difference. A good habit, of course, is to put a second firewall
> between your web and app server tier or at least in front of your db. If your
> database is not within your network and you need to call out to it, then put
> another dedicated SSL box between your appserver and db tier (one on each end,
> actually). And, of course, another firewall. :-)
>
> If your config is significantly different or if I misread your question, just
> let me know.
>
> -Lawrence
RE: Load Balancing
Hi, Paul.

It's 6:30am and has already been a long day for me, so please forgive any disjointed thoughts. :-}

Anyway, I'm not very familiar w/ LVS-IP because I haven't used that, but the problem w/ balancing SSL is when the encrypted transaction hits your load balancer the balancer is unable to read any of your session information (it's encrypted). So it just throws you at one of the web servers in question (round robin usually). The web server decrypts the transaction and is able to do any load balancing at that level before sending the transaction on to an application server (if applicable). The web server then encrypts the return data before sending it back out thru the balancer to the user. At no point does the balancer see unencrypted session information. I'm not sure if / how LVS-IP might overcome that problem, but I'm going to try putting some bandwidth into reading up on it this week.

I know this is true for Local Directors. Cisco (and others I'm sure) make "smart" load balancers which basically handle the SSL first, then do the load balancing, but functionally those are not much different than putting an SSL box in front of your LD if you already own them. As far as an SSL transaction between the user and backend, I'm not 100% sure I am reading the question right. If your environment goes something like this:

    Browser --> net --> firewall --> ssl --> balancer --> webserver --> appserver --> database

Then that should be just as secure as:

    Browser --> net --> firewall --> balancer --> webserver / ssl --> appserver --> database

Basically, if your first firewall is compromised, then you're open and having the transaction encrypted for one or two more levels is probably not going to make a big difference. A good habit, of course, is to put a second firewall between your web and app server tier or at least in front of your db. If your database is not within your network and you need to call out to it, then put another dedicated SSL box between your appserver and db tier (one on each end, actually). And, of course, another firewall. :-)

If your config is significantly different or if I misread your question, just let me know.

-Lawrence

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 3:34 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Load Balancing

In a message dated: Wed, 22 May 2002 14:59:07 EDT
[EMAIL PROTECTED] said:

>Just a quick warning if any of your servers are going to run ssl. Load
>balancing in this form cannot really be done against an ssl transaction -
>something I've found from research and experience (unfortunately, the
>experience came before the research) :-o

Can't you have the ssl transaction be carried out between the user and the backend node though? It seems that this type of thing is exactly what the LVS-IP Tunneling mode was designed for, no?

--
Seeya,
Paul

It may look like I'm just sitting here doing nothing, but I'm really actively waiting for all my problems to go away.

If you're not having fun, you're not doing it right!
Re: Load Balancing
To expand the tree of knowledge a little further on this topic:

    http://www.ultramonkey.org/

[EMAIL PROTECTED] wrote:

> In a message dated: 22 May 2002 14:27:40 EDT
> "Kenneth E. Lussier" said:
>
>>I think that LVS might be what I'm looking for
>
> Ayup! That's what you want!
>
>>Does anyone have any suggestions (besides beating the hell out of the person
>>that wants to run an IIS webserver)?
>
> And explain to us again why this isn't a good idea anyway?
Re: Load Balancing
In a message dated: Wed, 22 May 2002 13:12:42 PDT
Richard Soule said:

>I see requests for this type of device/functionality all the time from
>our customers. Team up with a company that has an application/web
>server that currently only does SSL in software. Go after their install
>base...

Or, hope to get bought out by them and retire to Tahiti!

--
Seeya,
Paul

It may look like I'm just sitting here doing nothing, but I'm really actively waiting for all my problems to go away.

If you're not having fun, you're not doing it right!
Re: Load Balancing
[EMAIL PROTECTED] wrote:

> I actually represent a company that is considering
> bringing a low cost hardware SSL accelerator into the US
> market, we're just trying to determine how much demand
> there might be for the product. It integrates with any
> load balancing tool seamlessly.

I see requests for this type of device/functionality all the time from our customers. Team up with a company that has an application/web server that currently only does SSL in software. Go after their install base... :)

Rich
RE: Load Balancing
The best solution is to offload SSL encryption/decryption from the web server to a separate device. Then you can load balance the web servers independent of the SSL overhead. This is shown in the final example on the page Lawrence sent along.

I actually represent a company that is considering bringing a low cost hardware SSL accelerator into the US market, we're just trying to determine how much demand there might be for the product. It integrates with any load balancing tool seamlessly.

> Just a quick warning if any of your servers are going to run ssl. Load
> balancing in this form cannot really be done against an ssl transaction -
> something I've found from research and experience (unfortunately, the
> experience came before the research) :-o
>
> Seriously, though, if you want to properly load balance anything that uses
> w/ ssl you should handle the ssl decryption / encryption between the user
> and load balancer, NOT between the load balancer and server. Here's a good
> link to check out for more info. Maybe not completely appropriate for what
> you're asking, but good background anyway:
>
> http://www.onjava.com/lpt/a//onjava/2001/09/26/load.html
>
> -Lawrence
Re: Load Balancing
<[EMAIL PROTECTED]> uttered:

>>> RH acquiring the DEC^H^H^HCOMPAQ^H^H^H^H^H^HMCLX clustering group :)

Ahem... No, Red Hat hired a couple of engineers who used to work for the now moribund Mission Critical Linux, who also happened to work for Compaq's Tru64 UNIX engineering group before that. The rest of the latter organization is still very much in business, thank you, and are now part of Hewlett-Packard. It's an announced goal of HP to have the Compaq Tru64 UNIX TruCluster Software ported to HP-UX.

Bayard
Re: Load Balancing
In a message dated: Wed, 22 May 2002 14:59:07 EDT
[EMAIL PROTECTED] said:

>Just a quick warning if any of your servers are going to run ssl. Load
>balancing in this form cannot really be done against an ssl transaction -
>something I've found from research and experience (unfortunately, the
>experience came before the research) :-o

Can't you have the ssl transaction be carried out between the user and the backend node though? It seems that this type of thing is exactly what the LVS-IP Tunneling mode was designed for, no?

--
Seeya,
Paul

It may look like I'm just sitting here doing nothing, but I'm really actively waiting for all my problems to go away.

If you're not having fun, you're not doing it right!
Re: Load Balancing
In a message dated: Wed, 22 May 2002 14:45:25 EDT
"Henry L. Hall" said:

>To expand the tree of knowledge a little further on this topic:
>
>http://www.ultramonkey.org/

I wouldn't call that an expansion of knowledge :) Ultramonkey seems to be nothing more than another poorly wrapped version of LVS being pushed as a "Good Thing" from a defunct Linux company :( I also lump Piranha in this category as well. Neither did the job overly well. Of course, the last time I really looked at either was close to 2 years ago, so things may have changed since then, what with VA not being a linux company any longer and RH acquiring the DEC^H^H^HCOMPAQ^H^H^H^H^H^HMCLX clustering group :)

--
Seeya,
Paul

It may look like I'm just sitting here doing nothing, but I'm really actively waiting for all my problems to go away.

If you're not having fun, you're not doing it right!
RE: Load Balancing
Just a quick warning if any of your servers are going to run ssl. Load balancing in this form cannot really be done against an ssl transaction - something I've found from research and experience (unfortunately, the experience came before the research) :-o

Seriously, though, if you want to properly load balance anything that uses w/ ssl you should handle the ssl decryption / encryption between the user and load balancer, NOT between the load balancer and server. Here's a good link to check out for more info. Maybe not completely appropriate for what you're asking, but good background anyway:

    http://www.onjava.com/lpt/a//onjava/2001/09/26/load.html

-Lawrence

-----Original Message-----
From: Kenneth E. Lussier [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 2:47 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Load Balancing

On Wed, 2002-05-22 at 14:41, [EMAIL PROTECTED] wrote:

> >Does anyone have any suggestions (besides beating the hell out of the person
> >that wants to run an IIS webserver)?
>
> And explain to us again why this isn't a good idea anyway?

I didn't say it wasn't a good idea. As a matter of fact, it is a great idea, and it's already on my "ToDo" list. I just didn't want everyone suggesting the same thing ;-)

C-Ya,
Kenny

--
"Tact is just *not* saying true stuff" -- Cordelia Chase

Kenneth E. Lussier
Sr. Systems Administrator
Zuken, USA
PGP KeyID CB254DD0
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCB254DD0
Re: Load Balancing
On Wed, 2002-05-22 at 14:41, [EMAIL PROTECTED] wrote:

> >Does anyone have any suggestions (besides beating the hell out of the person
> >that wants to run an IIS webserver)?
>
> And explain to us again why this isn't a good idea anyway?

I didn't say it wasn't a good idea. As a matter of fact, it is a great idea, and it's already on my "ToDo" list. I just didn't want everyone suggesting the same thing ;-)

C-Ya,
Kenny

--
"Tact is just *not* saying true stuff" -- Cordelia Chase

Kenneth E. Lussier
Sr. Systems Administrator
Zuken, USA
PGP KeyID CB254DD0
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCB254DD0
Re: Load Balancing
In a message dated: 22 May 2002 14:27:40 EDT
"Kenneth E. Lussier" said:

>I think that LVS might be what I'm looking for

Ayup! That's what you want!

>Does anyone have any suggestions (besides beating the hell out of the person
>that wants to run an IIS webserver)?

And explain to us again why this isn't a good idea anyway?

--
Seeya,
Paul

It may look like I'm just sitting here doing nothing, but I'm really actively waiting for all my problems to go away.

If you're not having fun, you're not doing it right!
Load Balancing
Hi All,

I'm looking for information on load balancing (as the subject line may have suggested ;-). Specifically, I'm looking for something that acts in a similar manner to Cisco's Local Director, or ArrowPoint. I want to have a single box sitting in front of a bunch of web servers that distributes the load as evenly as possible, and can detect when one of the systems is down. Now for the catch: not all of the servers are the same OS. There could be some Linux, some Solaris, and some (insert large amounts of screaming here) Windows. I think that LVS might be what I'm looking for, but I haven't finished reading the linuxvirtualserver.org website, so I'm not really sure. Does anyone have any suggestions (besides beating the hell out of the person that wants to run an IIS webserver)?

TIA,
Kenny

--
"Tact is just *not* saying true stuff" -- Cordelia Chase

Kenneth E. Lussier
Sr. Systems Administrator
Zuken, USA
PGP KeyID CB254DD0
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCB254DD0