As stated, we need to have the load balancer handle the SSL connection. We'll cover the most typical use case first - SSL Termination. The trade off is more CPU power being used all-around, and a little more complexity in configuration.Īn older article of mine on the consequences and gotchas of using load balancers explains these issues (and more) as well. This may provide the best of both security and ability to send the client's information. There is a combination of the two strategies, where SSL connections are terminated at the load balancer, adjusted as needed, and then proxied off to the backend servers as a new SSL connection. SSL Termination is the most typical I've seen, but pass-thru is likely more secure. Which strategy you choose is up to you and your application needs. This means your application servers will lose the ability to get the X-Forwarded-* headers, which may include the client's IP address, port and scheme used. However, you lose the ability to add or edit HTTP headers, as the connection is simply routed through the load balancer to the proxied servers. With SSL-Pass-Through, the SSL connection is terminated at each proxied server, distributing the CPU load across those servers. This is the opposite of SSL Pass-Through, which sends SSL connections directly to the proxied servers. This means the load balancer is responsible for decrypting an SSL connection - a slow and CPU intensive process relative to accepting non-SSL requests. SSL Termination is the practice of terminating/decrypting an SSL connection at the load balancer, and sending unencrypted connections to the backend servers. Because a load balancer sits between a client and one or more servers, where the SSL connection is decrypted becomes a concern.
#HAPROXY WEB SERVER HOW TO#
If your application makes use of SSL certificates, then some decisions need to be made about how to use them with a load balancer.Ī simple setup of one server usually sees a client's SSL connection being decrypted by the server receiving the request.
0 kommentar(er)
