I have question about Nginx “features”. Is it possible to run Nginx as
a transparent load balancer (which works on TCP layer, not HTTP)??
My case is that I have 5 of backends (strong, 4 core machines) which
communicates with users over HTTPS (it’s some kind of authentication
service - user sends short https requests, get response, and does not
keep connection any more; so user spends only few seconds on this
service, but there are many users). Till today I was using simple dns
balancing between those machines, but now I need something more
powerful.
So, I have another 2 machines (this time, they have only single core)
which I want to be load balancers. But they cannot work on HTTP layer,
as a standard load balancer, because of SSL - they simply does not
have resources to do this SSL stuff. My idea is to use some kind of
transparent load balancer on those machines - they should only forward
requests to backends and all resource consuming work should be done on
backends (SSL handshake, etc.).
Can Nginx do that? If not, do you know any tools which can work as TCP
balancers (I found HAProxy, but haven’t tested it)?
balancing between those machines, but now I need something more
Can Nginx do that? If not, do you know any tools which can work as TCP
balancers (I found HAProxy, but haven’t tested it)?
No nginx can’t do this, but it can be a excellent ssl-backend
listen http_proxy
bind :80,:443
mode http
balance source
server web1 192.168.1.1
server web2 192.168.1.2
3.1) Server monitoring
.
.
.
Since the demand for HTTPS checks is high, it has been implemented in
1.2.15 based on SSLv3 Client Hello packets. To enable it, use ‘option
ssl-hello-chk’. It will send SSL CLIENT HELLO packets to the servers,
announcing support for most common cipher suites. If the server responds
what looks like a SERVER HELLO or an ALERT (refuses the ciphers) then
the response is considered as valid. Note that Apache does not generate
a log when it receives only an HELLO message, which makes this type of
message perfectly suit this need.
.
.
It is a swiss amry knife ;-))
Do you have any experience in similar situations?
Not in this setup but with stunnel => haproxy => apache …
balancing between those machines, but now I need something more
Can Nginx do that? If not, do you know any tools which can work as TCP
balancers (I found HAProxy, but haven’t tested it)?
Do you have any experience in similar situations?
Best regards,
Kamil
We run a setup similar to this where we have hundreds of VM’s running
nginx and doing ssl and we run a pair of boxes in front of these with
LVS(linux virtual server) and heartbeat/keepalived to do the raw tcp
load balancing. This scales very well, in each cluster we have 500 or
so VM’s running nginx fronted by a pair of LVS machines balancing all
traffic to all the slices.
Haproxy is good for this as well and may be a bit simpler to setup,
but LVS outperforms haproxy in this situation and scales very well.
On Wed, Jun 11, 2008 at 9:22 PM, Aleksandar L. [email protected]
wrote:
communicates with users over HTTPS (it’s some kind of authentication
transparent load balancer on those machines - they should only forward
requests to backends and all resource consuming work should be done on
backends (SSL handshake, etc.).
Can Nginx do that? If not, do you know any tools which can work as TCP
balancers (I found HAProxy, but haven’t tested it)?
No nginx can’t do this, but it can be a excellent ssl-backend
On Wed, Jun 11, 2008 at 10:21:24PM +0200, Renaud Allard wrote:
backends (SSL handshake, etc.).
Can Nginx do that? If not, do you know any tools which can work as TCP
balancers (I found HAProxy, but haven’t tested it)?
Do you have any experience in similar situations?
And significant work is being done on it as we speak, so expect better
performance and more features. Look for highlights of the new work to
appear some time soon at http://undeadly.org/
