3

I need to share ssl termination task among server farm or multiple processes. In this architecture, there should be a load balancer before this ssl termination task. After looking for an appropriate software load balancer a while, it turn out that only layer 4 (TCP) load balancers (haproxy) are suitable for this job rather than layer 7 (HTTP/HTTPS) ones.

My question is, why layer 7 load balancers like nginx, perlbal cannot just pass through ssl termination? Client IP addresses should be available in layer 7 load balancer. They can just forward requests, right?

The architecture is like:

HTTPS balancer (L4/TCP balancer) / | \ <--- HTTPS traffic SSL server farm/processes \ | / <--- HTTP traffic HTTP balancer (L7/HTTP balancer) / | \ HTTP server farm/processes

Reference: http://1wt.eu/articles/2006_lb/index_09.html

Improve this question
1
  • 1
    HAProxy 1.5 can do this. Commented Nov 7, 2014 at 3:48

1 Answer 1

Reset to default
3

TCP layer just route traffic with added headers/control over network packets from the underlying layer. It has no knowledge of what it transports, thus does not need to deal with its content, and whether it is HTTP(S). HTTP/HTTPS does not matter.

When dealing with the application layer, you are deep down within content, since you deal with an application. In case of HTTPS, you will need SSL termination. HTTP/HTTPS does matter.

Thus, if you want to load-balance at application level, you will then need to do SSL termination on the same load-balancers. nginx allows you to do that.

If you wish to separate those tasks, you will need a network/routing-level load-balancer.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.