Hi, Paul.
It's 6:30am and it has already been a long day for me, so please forgive any disjointed
thoughts. :-}
Anyway, I'm not very familiar with LVS-IP because I haven't used that, but the problem
with balancing SSL is when the encrypted transaction hits your load balancer the
balancer is unable to read any of your session information (it's encrypted). So it
just throws you at one of the web servers in question (round robin usually). The web
server decrypts the transaction and is able to do any load balancing at that level
before sending the transaction on to an application server (if applicable). The web
server then encrypts the return data before sending it back out through the balancer to
the user. At no point does the balancer see unencrypted session information. I'm not
sure if/how LVS-IP might overcome that problem, but I'm going to try putting some
bandwidth into reading up on it this week.
I know this is true for Local Directors. Cisco (and others I'm sure) make "smart" load
balancers which basically handle the SSL first, then do the load balancing, but
functionally those are not much different than putting an SSL box in front of your LD
if you already own them. As far as an SSL transaction between the user and backend,
I'm not 100% sure I am reading the question right. If your environment goes something
like this:
Browser --> net --> firewall --> ssl --> balancer --> webserver --> appserver --> database
Then that should be just as secure as:
Browser --> net --> firewall --> balancer --> webserver / ssl --> appserver --> database
Basically, if your first firewall is compromised, then you're open and having the
transaction encrypted for one or two more levels is probably not going to make a big
difference. A good habit, of course, is to put a second firewall between your web and
app server tier or at least in front of your db. If your database is not within your
network and you need to call out to it, then put another dedicated SSL box between
your appserver and db tier (one on each end, actually). And, of course, another
firewall. :-)
If your config is significantly different or if I misread your question, just let me
know.
-Lawrence
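An added illustration of the point Lawrence makes above (this is editor-supplied example code, not anything posted to the list): a load balancer that sits in front of the SSL endpoint only ever sees the TLS record and handshake headers, so a cookie-based session ID that would let it pin a client to a web server is simply not there to read. The script builds a constructed plaintext HTTP request and a constructed TLS 1.0 ClientHello, parses each the way a layer-4 balancer could, and reports the only stickiness key available in each case. It goes slightly beyond the thread in showing the one field a balancer can still key on with SSL in the way, the cleartext TLS session_id; the cookie name `JSESSIONID` and the byte values are assumptions for the demo.

```python
"""Added example: what a layer-4 balancer can and cannot see in a connection's first bytes."""
import struct

# Constructed sample traffic (not captured from any real system).
HTTP_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: JSESSIONID=abc123; theme=dark\r\n"
    b"\r\n"
)


def build_client_hello(session_id: bytes, cipher_suites) -> bytes:
    """Assemble a minimal TLS 1.0 ClientHello record (no extensions) for the demo."""
    client_random = b"\x11" * 32                      # fixed for reproducibility
    body = b"\x03\x01" + client_random                # client_version + random
    body += bytes([len(session_id)]) + session_id     # session_id (0..32 bytes)
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites   # cipher_suites vector
    body += b"\x01\x00"                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data: bytes) -> dict:
    """Walk the record and handshake headers; everything here travels in the clear."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) != rec_len or rec[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(rec[1:4], "big")
    body = rec[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 2 + 32                                      # skip client_random
    sid_len = body[pos]
    pos += 1
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    if len(session_id) != sid_len:
        raise ValueError("truncated session_id")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": version, "session_id": session_id, "cipher_suites": suites}


def balancer_key(first_bytes: bytes):
    """Return (kind, value): the best stickiness key a balancer can derive pre-decryption."""
    if first_bytes[:1] == b"\x16":
        hello = parse_client_hello(first_bytes)
        # The HTTP layer has not been sent yet and will arrive encrypted, so no
        # cookie is readable. At most the TLS session_id (empty on a fresh session).
        return ("tls-session-id", hello["session_id"].hex() or None)
    # Plaintext HTTP: the application session cookie is readable.
    for line in first_bytes.split(b"\r\n")[1:]:
        if line.lower().startswith(b"cookie:"):
            for part in line.split(b":", 1)[1].split(b";"):
                name, _, value = part.strip().partition(b"=")
                if name == b"JSESSIONID":                 # assumed cookie name
                    return ("http-cookie", value.decode())
    return ("none", None)


if __name__ == "__main__":
    print("plaintext HTTP:", balancer_key(HTTP_REQUEST))
    print("fresh TLS session:", balancer_key(build_client_hello(b"", [0x0035, 0x002F])))
    print("resumed TLS session:", balancer_key(build_client_hello(b"\xaa" * 16, [0x0035])))
```

The "none" result on a first TLS connection is exactly the round-robin case in the message above: with nothing to key on, the balancer picks a server blindly. Session-ID stickiness only helps on resumption, and only if the client resumes; terminating SSL in front of the balancer (the "ssl --> balancer" layout below) is what makes the cookie visible again.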
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 3:34 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Load Balancing
In a message dated: Wed, 22 May 2002 14:59:07 EDT
[EMAIL PROTECTED] said:
>Just a quick warning if any of your servers are going to run ssl. Load
>balancing in this form cannot really be done against an ssl transaction -
>something I've found from research and experience (unfortunately, the
>experience came before the research) :-o
Can't you have the ssl transaction be carried out between the user
and the backend node though? It seems that this type of thing is
exactly what the LVS-IP Tunneling mode was designed for, no?
--
Seeya,
Paul
----
It may look like I'm just sitting here doing nothing,
but I'm really actively waiting for all my problems to go away.
If you're not having fun, you're not doing it right!
*****************************************************************
To unsubscribe from this list, send mail to [EMAIL PROTECTED]
with the text 'unsubscribe gnhlug' in the message body.
*****************************************************************