Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

SSL and Load Balancing

Tags:

ssl

load-balancing

What affect does SSL have on the way load balancing works? I know that you need to use sticky sessions if you have chosen to not store you session info in the DB or Out of Process but how does that effect SSL?

like image 425
jquery auth Avatar asked Oct 06 '10 11:10

jquery auth

People also ask

Should you terminate SSL at load balancer?

SSL termination at load balancer is desired because decryption is resource and CPU intensive. Putting the decryption burden on the load balancer enables the server to spend processing power on application tasks, which helps improve performance. It also simplifies the management of SSL certificates.

Does each server behind a load balancer need their own SSL certificate?

If you do your load balancing on the TCP or IP layer (OSI layer 4/3, a.k.a L4, L3), then yes, all HTTP servers will need to have the SSL certificate installed.

What is SSL termination in load balancer?

SSL termination refers to the process of decrypting encrypted traffic before passing it along to a web server.

Does Network Load Balancer support SSL?

TLS termination on Network Load Balancers also offers centralized deployment of SSL certificates by integrating with AWS Certificate Manager (ACM) and Identity Access Manager (IAM). You can also optionally configure encryption to the targets.

1 Answers

Just to clarify, the SSL/TLS sessions have nothing to do with the HTTP sessions. (Some implementations may use the SSL/TLS session ID as a basis for maintaining HTTP sessions, but this is a bad design, as SSL/TLS may change sessions completely independently what HTTP is doing).

In terms of load balancing, you get a couple of options:

  • Use a load-balancer that is your SSL/TLS endpoint. In this case, the load-balancing will be done at the HTTP level: the client connects to the load-balancer and the load-balancer unwraps the SSL/TLS connection to pass on the HTTP content (then in clear) to its workers.

  • Use a load-balancer at the TCP/IP level, which redirects entire the TCP connection directly to a worker node. In this case, each worker node would have to have the certificate and private key (which isn't necessarily a problem if they're administered consistently). Using this technique, the load balancer doesn't do any HTTP processing at all (since it doesn't look within the SSL/TLS connection): on the one hand this reduces the processing done by the load-balancer itself, on the other hand it would prevent you from dispatching to a particular worker node based on the URL structure for example. Both methods have their advantages and disadvantages.

like image 187
Bruno Avatar answered Oct 07 '22 01:10

Bruno
Sign in to Comment

Related questions

Transfer files over FTPS (SSL/TLS) using C#.Net
How I can tell alias of the wanted key-entry to SSLSocket before connecting?
Same server, both SSL and non-SSL
No certificate matches private key while generating .p12 file
Configuring WEBrick to use SSL in Rails 4
how to reduce ssl time of website
httpclient jar conflicts.How to fix it?
Using SSL and SslStream for peer to peer authentication?
Securing Socket.io
Azure Key Vault Certificates does not have the Private Key when retrieved via IKeyVaultClient.GetCertificateAsync
HTTPS, URL path, and query string
Why does android get the wrong ssl certificate? (two domains, one server)
How to use .key and .crt file in java that generated by openssl?
Passwords in SSL with Jetty tutorial
Setup secured Jenkins master with docker
How to config PlayFramework2 to support SSL?
Forcing a specific page to use HTTPS with angularjs
Windows 7 - How to generate CSR when IIS is not installed
Android HttpClient - hostname in certificate didn't match <example.com> != <*.example.com>
Load X509 certificate from disk .Net Core

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!