Alexander, I just implemented such a setup, with nginx listening on the LB for HTTP requests (port 443), proxying via HTTP to haproxy on the same machine. HTTP requests are coming straight to haproxy and from there to our app servers.
There is a 2nd LB that is a replica of the first, and a keepalived daemon keeping a floating IP on one of them. This way you don't have any SPOF.

As for performance, I did a small benchmark for our use case, stud was a bit faster than nginx (900 requests/sec vs 800 requests/sec, no keepalive so this is checking SSL performance). Using 64-bit has MUCH better performance in SSL for some reason. More than x2 requests rate.

Please note that this setup doesn't scale on the SSL "tier". We are planning on vertically increasing the LB's capacity by more powerful hardware, if it will be needed. If you need full scaling capabilities on the SSL tier, you're better off using some kind of IP load balancer such as LVS in front, forwarding SSL stuff to an SSL farm which is scalable and regular HTTP traffic to haproxy (scalable as well).

Don't take my experiments for granted, I'm new to this game. I hope this helps.

P.S. Willy - Putting your help and information to use! ;)

Regards,
Bar.

On Thu, May 3, 2012 at 9:56 AM, Alexander Kamardash <[email protected]> wrote:

> Hi,
>
> I am pretty sure that termination traffic on Pound, Apache or Nginx will
> do a work. My question is more about performance of such solution. It will
> be an entrance point and I don't want to create a single point of failure.
> In case of splitting it to 2 LB layers HAProxy-> SSL termination->backend
> servers - create additional complexity.
>
> ----------------------------
> Alexander Kamardash
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Vikram Adukia
> Sent: Thursday, May 03, 2012 1:38 AM
> To: Alexander Kamardash
> Cc: [email protected]
> Subject: Re: HAProxy and SSL traffic termination
>
> A fairly easy configuration is to have Pound SSL sitting in front of
> HAProxy. I don't have benchmark numbers, but the configuration is fairly
> simple:
>
> Pound:443 -> Haproxy:80 (or really any tcp port that haproxy is listening
> on)
>
> Here's most of my pound.cfg file:
>
> ListenHTTPS
>     Address 0.0.0.0
>     Port 443
>     # Obviously, adjust this to point to wherever your ssl cert is
>     Cert "/etc/ssl/yourssl.pem"
> End
>
> Service
>     Backend
>         # in this configuration, haproxy is sitting on the same server as pound
>         Address 127.0.0.1
>         Port 80
>     End
> End
>
> On Wed, May 2, 2012 at 3:00 PM, Baptiste <[email protected]> wrote:
>
> On Wed, May 2, 2012 at 3:46 PM, Alexander Kamardash
> <[email protected]> wrote:
> > Hi,
> >
> > We want to perform LB, SSL termination and L7 on HAProxy. Could you please
> > advise the best approach for it? We are interested in max performance and
> > not complicated configuration.
> >
> > If you are already running such configuration, pls share what is the max
> > connection rate you reach.
> >
> > -------------
> > Alexander
>
> Hi,
>
> If you can wait a bit, HAProxy will do SSL endpoint for you.
> Waiting that, either nginx or stud looks to perform quite well.
>
> cheers
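The nginx side of the layout described at the top of this message (TLS terminated on the LB, plain HTTP handed to haproxy on the same machine), as an added example that is not part of the thread or any poster's configuration. The server name, certificate paths and the loopback port 8080 for a dedicated haproxy listener are assumptions.

```nginx
# Added example, not from the thread. server_name, certificate paths and the
# loopback port 8080 are placeholders chosen for illustration.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;

    location / {
        # Decrypted traffic is handed to haproxy over loopback only, so it
        # never crosses the network in cleartext. The haproxy listener used
        # here should be bound to 127.0.0.1 (assumed port 8080), separate
        # from the public port 80 listener that takes direct HTTP traffic.
        proxy_pass http://127.0.0.1:8080;

        proxy_set_header Host $host;

        # Set, do not append: any X-Forwarded-* value sent by the client is
        # replaced, so haproxy and the app servers only see what the
        # terminator observed.
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Because haproxy also accepts HTTP directly on its public listener, rules that rely on X-Forwarded-Proto or X-Forwarded-For should apply only to connections arriving on the loopback listener.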

