[AusNOG] Experiences with web load balancers

Michael Richardson lists at mikerichardson.com.au
Mon Feb 22 19:38:57 EST 2010


As the original person who specced out an SSL offloading appliance (and who
sadly has still not been able to purchase an LB, although F5 is a front
runner), I thought I might comment on why I originally listed the
requirement.

Some of the sites we host deal with secured data, like credit card
transactions, financial records, etc. Indeed, PCI DSS would be well and
truly broken if we unencrypted the transaction at any point between server
and client, no matter how much we trusted our own network or the people
running it. We would never use SSL offloading for this type of site.

Many of the applications we host use SSL only for member authentication,
such as sites that allow members to log in before posting on message boards
and so on. That transaction doesn't strictly need to be secure inside our
network (users who can sniff that would find it much easier to just go
straight to the server/db). But the thing we get most out of SSL offloading
is that we can achieve seamless failover between servers. If a server
handling 1000 SSL connections dies, then those encrypted streams are dead
and the user experience interrupted. If they're handled by the LB, however,
then they can be passed off to another server (hopefully) without
interruption.

Performance gains by SSL offloading were never really a factor. If I hosted
sites so popular that I couldn't get enough processor cycles for
cryptography, well, I'd already have a load balancer :)

On Mon, Feb 22, 2010 at 6:35 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:

>
> On Feb 22, 2010, at 2:05 PM, Ian Henderson wrote:
>
> > if you can't trust your own network between the accelerator/load balancer
> > and the content hosts, what can you trust?
>
> I trust any network infrastructure elements under my direct span of control
> just fine, it's *people* I don't trust - nor should you, nor your customers.
>
> > Do any of these work in an ESX or similar virtualised environment?
>
> It's my understanding they do, though I've no hands-on experience using
> them in such an environment.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
>    Injustice is relatively easy to bear; what stings is justice.
>
>                        -- H.L. Mencken
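As an added illustration of the two deployment patterns described in the post above (not configuration from the original message, nor from F5 or any other product named in the thread), here is an HAProxy sketch of TLS termination at the load balancer beside TLS passthrough. The hostnames, IP addresses, certificate path, backend ports and the /health URL are assumptions chosen for the example.

```haproxy
# Added example, not part of the original post. Addresses, hostnames,
# certificate path and /health are illustrative assumptions.

global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    log     global
    option  log-health-checks
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Pattern 1: TLS terminated on the LB (the "members log in" sites).
# The client's TLS session lives on the LB. When a backend dies the
# health check removes it and the client's next request is routed to a
# healthy server without a new handshake or a reset on the client side.
frontend members_https
    mode http
    bind 203.0.113.10:443 ssl crt /etc/haproxy/certs/members.example.com.pem
    default_backend members_app

backend members_app
    mode http
    balance roundrobin
    option httpchk GET /health
    retries 3
    option redispatch          # a failed connect to one server is retried on another
    cookie SRV insert indirect nocache
    server app1 10.0.1.11:8080 check cookie app1
    server app2 10.0.1.12:8080 check cookie app2

# Pattern 2: TLS passthrough (the card-processing sites).
# The LB never holds the private key and sees only ciphertext, so it can
# balance new connections but cannot move an established TLS session:
# a backend failure ends that session and the client must reconnect.
frontend payments_https
    mode tcp
    bind 203.0.113.20:443
    default_backend payments_app

backend payments_app
    mode tcp
    balance source
    option ssl-hello-chk       # probes with a TLS ClientHello, no key needed on the LB
    server pay1 10.0.2.11:443 check
    server pay2 10.0.2.12:443 check
```

Two caveats worth keeping in mind when reading the first pattern: terminating on the LB does not rescue a request already in flight on the server that died, it preserves the client's TLS session and keep-alive connection so the retry (or the next request) lands on a live server; and the "cookie ... insert" stickiness only works because the LB can read the HTTP layer, which is exactly what the passthrough pattern gives up in exchange for keeping the private key and plaintext off the balancer.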