SSL and Load Balancing

What effect does SSL have on the way load balancing works? I know that you need to use sticky sessions if you have chosen not to store your session info in the DB or Out of Process, but how does that affect SSL?

jquery auth asked Oct 06 '10 11:10


People also ask

Should you terminate SSL at load balancer?

SSL termination at the load balancer is usually preferred because decryption is CPU intensive. Putting that work on the load balancer lets the servers spend their processing power on application tasks, and it centralises certificate management in one place. The trade-off is that the hop from the load balancer to the servers is then plaintext unless you re-encrypt it, so that network segment has to be trusted or the backend connection has to use TLS as well.

Does each server behind a load balancer need their own SSL certificate?

If you do your load balancing on the TCP or IP layer (OSI layer 4/3, a.k.a. L4, L3), then yes: every HTTP server behind the balancer needs the SSL certificate and its private key installed, because the balancer never decrypts the traffic.

What is SSL termination in load balancer?

SSL termination refers to the process of decrypting encrypted traffic before passing it along to a web server.

Does Network Load Balancer support SSL?

TLS termination on Network Load Balancers also offers centralized deployment of SSL certificates by integrating with AWS Certificate Manager (ACM) and AWS Identity and Access Management (IAM). You can also optionally configure encryption to the targets.


1 Answer

Just to clarify, the SSL/TLS sessions have nothing to do with the HTTP sessions. (Some implementations may use the SSL/TLS session ID as a basis for maintaining HTTP sessions, but this is a bad design, as SSL/TLS may change sessions completely independently of what HTTP is doing.)

In terms of load balancing, you get a couple of options:

  • Use a load-balancer that is your SSL/TLS endpoint. In this case, the load-balancing will be done at the HTTP level: the client connects to the load-balancer and the load-balancer unwraps the SSL/TLS connection to pass on the HTTP content (then in clear) to its workers.

  • Use a load-balancer at the TCP/IP level, which redirects the entire TCP connection directly to a worker node. In this case, each worker node would have to have the certificate and private key (which isn't necessarily a problem if they're administered consistently). Using this technique, the load balancer doesn't do any HTTP processing at all (since it doesn't look within the SSL/TLS connection): on the one hand this reduces the processing done by the load-balancer itself, on the other hand it would prevent you from dispatching to a particular worker node based on the URL structure, for example. Both methods have their advantages and disadvantages.

Bruno answered Oct 07 '22 01:10

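The two options from the answer above, and the certificate question from the "People also ask" section, written out as an HAProxy configuration. This is an added illustration, not code from the original post or from the HAProxy project; the certificate path, backend addresses, hostnames and the second listening port are placeholders, and in a real deployment you would run one of the two frontends, not both.

```haproxy
# Added example: TLS termination vs TCP passthrough in HAProxy.
# All paths, addresses and ports below are assumed placeholders.
global
    log stdout format raw local0
    tune.ssl.default-dh-param 2048

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Option 1: the load balancer is the TLS endpoint. It holds the certificate
# and key, decrypts, and balances at the HTTP level, so it can route on the
# URL and set a sticky-session cookie. Workers receive plaintext HTTP.
frontend https_terminated
    mode http
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    # Workers only see plaintext, so tell them the original scheme and client.
    http-request set-header X-Forwarded-Proto https
    option forwardfor
    # URL-based dispatch works only because the balancer sees the request.
    acl is_api path_beg /api/
    use_backend api_workers if is_api
    default_backend web_workers

backend web_workers
    mode http
    balance roundrobin
    # Sticky sessions via a balancer-inserted cookie; needed only when session
    # state lives in worker memory rather than a shared store.
    cookie SRV insert indirect nocache httponly secure
    server web1 10.0.1.11:8080 check cookie web1
    server web2 10.0.1.12:8080 check cookie web2

backend api_workers
    mode http
    balance roundrobin
    server api1 10.0.2.11:8080 check
    server api2 10.0.2.12:8080 check

# Option 2: TCP passthrough. The balancer forwards the whole TCP connection
# without decrypting it; every worker must have the certificate and private
# key installed, and the balancer cannot look at URLs or cookies.
frontend https_passthrough
    mode tcp
    bind *:8443
    option tcplog
    default_backend tls_workers

backend tls_workers
    mode tcp
    balance roundrobin
    # No cookie stickiness is possible here because HTTP is never visible;
    # stickiness has to be keyed on something outside TLS, e.g. client IP.
    stick-table type ip size 100k expire 30m
    stick on src
    server tls1 10.0.3.11:443 check
    server tls2 10.0.3.12:443 check
```

In the terminating setup the balancer-to-worker hop is plaintext; if that network is not trusted, add `ssl verify required ca-file <bundle>` to the `server` lines so HAProxy re-encrypts to the workers. In the passthrough setup the certificate and key have to be installed and rotated on every worker, which is the administrative cost the answer refers to, and source-IP stickiness breaks down behind NAT or a corporate proxy, where many clients share one address.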