Re: SSL farm

2012-05-23 Thread Baptiste
Without SSL resume, the client will make the server generate a new asymmetric key. Which takes much more resources than a simple SSL transaction. So it's better to be able to resume if your clients move from one LB to another one very often ;)

cheers

Re: SSL farm

2012-05-23 Thread Allan Wind
On 2012-05-23 16:37:53, Hervé COMMOWICK wrote:
> just use HAProxy to load balance to multiple stud, with send-proxy
> on HAProxy side, and --read-proxy on stud side.

Thanks for the pointers, Hervé. stud is not in debian stable, and both haproxy and stunnel are too old to have this feature. mo

RE: SSL farm

2012-05-23 Thread Jens Dueholm Christensen (JEDC)
Jens Dueholm Christensen

From: Hervé COMMOWICK [herve.commow...@lizeo-group.com]
Sent: 23 May 2012 16:37
To: haproxy@formilux.org
Subject: Re: SSL farm

just use HAProxy to load balance to multiple stud, with send-proxy on HAProxy side, and --read-proxy on

Re: SSL farm

2012-05-23 Thread Hervé COMMOWICK
just use HAProxy to load balance to multiple stud, with send-proxy on HAProxy side, and --read-proxy on stud side.

Hervé.

On 05/23/2012 04:27 PM, Allan Wind wrote:
> On 2012-05-23 16:21:35, Hervé COMMOWICK wrote:
>> No, you may have multiple stud.
> And how do you load balance between them? DNS r

Re: SSL farm

2012-05-23 Thread Baptiste
On Wed, May 23, 2012 at 4:27 PM, Allan Wind wrote:
> On 2012-05-23 16:21:35, Hervé COMMOWICK wrote:
>> No, you may have multiple stud.
>
> And how do you load balance between them? DNS round robin is not
> good enough.
>

layer4 load-balancers (LVS).

Re: SSL farm

2012-05-23 Thread Allan Wind
On 2012-05-23 16:21:35, Hervé COMMOWICK wrote:
> No, you may have multiple stud.

And how do you load balance between them? DNS round robin is not good enough.

/Allan
--
Allan Wind
Life Integrity, LLC

Re: SSL farm

2012-05-23 Thread Hervé COMMOWICK
No, you may have multiple stud.

On 05/23/2012 04:12 PM, Allan Wind wrote:
> On 2012-05-23 11:42:24, Hervé COMMOWICK wrote:
>> Or you may use PROXY protocol and set send-proxy in your haproxy configuration and ask stud to merge this :
>> https://github.com/bumptech/stud/pull/81
> This is the single ssl

Re: SSL farm

2012-05-23 Thread Allan Wind
On 2012-05-23 11:42:24, Hervé COMMOWICK wrote:
> Or you may use PROXY protocol and set send-proxy in your haproxy
> configuration and ask stud to merge this :
> https://github.com/bumptech/stud/pull/81

This is the single ssl server configuration that I explicitly wanted to avoid. Right?

/Allan

Re: SSL farm

2012-05-23 Thread Hervé COMMOWICK
Or you may use PROXY protocol and set send-proxy in your haproxy configuration and ask stud to merge this :
https://github.com/bumptech/stud/pull/81

Hervé.

On 05/22/2012 05:48 PM, Allan Wind wrote:
> I read through the last 6 months of archive and the usual answer for SSL support is put nginx/s

Re: SSL farm

2012-05-22 Thread Bar Ziony
If an SSL server dies, LVS can direct the traffic to another server. Alternatively you can save SSL sessions in memcached for example, to share between SSL servers in the SSL farm. I once stumbled upon a patch for nginx that can do that.

Regards,
Bar.

On Tue, May 22, 2012 at 9:16 PM, Allan Wind

Re: SSL farm

2012-05-22 Thread Allan Wind
On 2012-05-22 19:46:45, Vincent Bernat wrote:
> Yes. And solve session problem by using some kind of persistence, for
> example source hashing load balancing algorithm.

Persistence here meaning ssl packets for a given session go to the same ssl server? If so what happens if that ssl server

Re: SSL farm

2012-05-22 Thread Vincent Bernat
OoO In the early evening of Tuesday 22 May 2012, around 17:52, Bar Ziony said:
> You need to place a packet load balancer such as LVS in front of
> haproxy, which directs SSL traffic to an SSL farm (which saves the
> client IP), and regular HTTP access to haproxy.
>

Re: SSL farm

2012-05-22 Thread Bar Ziony
Allan,

You need to place a packet load balancer such as LVS in front of haproxy, which directs SSL traffic to an SSL farm (which saves the client IP), and regular HTTP access to haproxy.

That's how I understand it at least.

Thanks,
Bar.

On Tue, May 22, 2012 at 6:48 PM, Allan Wind wrote:

SSL farm

2012-05-22 Thread Allan Wind
I read through the last 6 months of archive and the usual answer for SSL support is put nginx/stunnel/stud in front. This, as far as I can tell, means a single server handling SSL, and this is the what suggest is a non-scalable solution. You can obviously configu