Load-balancing an SSL-based server farm?

Frank DiPrete fdiprete at comcast.net
Mon Jan 18 16:57:56 EST 2010


Question - how many IP addresses can be assigned to one NIC?
(10,000?)
That's an upper limit I haven't had to worry about ....



Paul Lussier wrote:
> Jarod Wilson <jarod at wilsonet.com> writes:
> 
>> Yes, but it was 4+ years ago. :)
> 
> Of course it was :)
> 
>> I assume you've found http://www.linuxvirtualserver.org/Documents.html
> 
> I have.
> 
> Frank DiPrete <fdiprete at comcast.net> writes:
> 
>> yes - lvs will forward https / 443 requests just fine. The only tricky
>> bit is the certificate itself has to be identified as "www.foo.com"
>> and the extra Organizational Unit: text field has the name of the
>> actual machine on which the certificate is installed. This is not lvs
>> specific.
> 
> Hmm, okay, I haven't run across this piece of information yet...
> 
>> http://www.austintek.com/LVS/LVS-HOWTO/
> 
> Yes, I was just concerned that it is about 4 years old, and possibly out
> of date.
> 
>>> The basic scope of the project is this:
>>>
>>>  - we have about 10 apache servers handling 10,000 sites over both http
>>>    and https (for a total of ~20K sites)
>>>  
>> This is really about throughput, which is more a function of traffic /
>> bandwidth and ultimately the hardware lvs is running on.
> 
> Right, we've got Dell R610s with 4GB of RAM, and multiple GigE NICs, so
> we shouldn't have a problem there.
> 
>>> My questions at this point are:
>>>
>>> - Is LVS the right tool, or is there something better (OSS) ?
>> or is a commercial load balancer (f5) a better choice ?
> 
> Must be OSS at this point.  f5s are not an option for several reasons.
> 
>>> - How many sites can LVS scale to serving?
>> are these 10,000 IP-based virtual hosts or name-based virtual hosts?
>> I'm guessing that you don't really have 10,000 IP addresses here.
> 
> No, we really have 10,000 IP addresses here, and it's expected to grow
> significantly.
> 
>>> - Can the LVS config be updated dynamically, on-the-fly, without
>>>   restarting ldirectord ?
>> for LVS, yes (see the 3 packages described above) the user space tool
>> ipvsadm can setup new rules, add/delete forward rules without
>> reloading anything. I am not sure about ldirectord. I used mon and had
>> to restart it when I made a change to its config.
> 
> Okay, cool, so we can script around ipvsadm fairly easily, then.
> 
>>> - Is there any recent (w/in the last 2 years) documentation or are there
>>>   any books on building such an environment with LVS ?
>> couldn't find anything myself either ;)
> 
> Okay, as long as it's not only me, I feel better ;)
> 
> And, as I said before:
> 
>>> Many thanks for any information, URLs, pointers, references, etc.
> 
> Thanks guys!
> --
> Paul
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
> 
> 


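The thread says that ipvsadm can add and delete forwarding rules on the fly and that one can "script around ipvsadm". The script below is an added example (not from the thread or from the LVS project) of what such a wrapper looks like for an HTTPS virtual service: it binds a VIP to a NIC, creates the port-443 service, attaches real servers, and can drain one backend without touching the rest of the table. The VIP 192.0.2.10, the real servers 10.0.0.11/10.0.0.12 and the interface name eth0 are constructed placeholders; the script defaults to a dry run that only prints the commands, so it can be read and checked before being run as root on a host with the ip_vs module loaded.

```shell
#!/bin/sh
# Added example, not code from the thread: generate (and optionally apply)
# ipvsadm rules for an HTTPS virtual service with several real servers.
# Addresses and interface name are constructed placeholders.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them.

DRY_RUN="${DRY_RUN:-1}"
IFACE="${IFACE:-eth0}"          # assumption: the NIC that carries the VIPs

# run_cmd prints the command and, unless in dry-run mode, executes it.
run_cmd() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# add_vip binds one virtual IP to the interface (/32 so no subnet is implied).
add_vip() {
    run_cmd ip addr add "$1/32" dev "$IFACE"
}

# add_https_service creates the port-443 virtual service with weighted
# least-connection scheduling and a persistence timeout in seconds (-p), so
# a client keeps landing on the real server that holds its TLS session cache.
add_https_service() {
    vip="$1"; persist="${2:-300}"
    run_cmd ipvsadm -A -t "$vip:443" -s wlc -p "$persist"
}

# add_real_server attaches a backend in direct-routing mode (-g) with a
# weight; use -m (NAT) instead if the real servers do not carry the VIP on
# a loopback alias.
add_real_server() {
    run_cmd ipvsadm -a -t "$1:443" -r "$2:443" -g -w "${3:-1}"
}

# del_real_server drains one backend on the fly (e.g. from a health-check
# hook) without reloading or clearing the rest of the table.
del_real_server() {
    run_cmd ipvsadm -d -t "$1:443" -r "$2:443"
}

# build_farm wires one VIP to a whitespace-separated list of real servers.
build_farm() {
    vip="$1"; shift
    add_vip "$vip"
    add_https_service "$vip"
    for rs in "$@"; do
        add_real_server "$vip" "$rs"
    done
}

# Constructed sample: one VIP fronting two real servers.
build_farm 192.0.2.10 10.0.0.11 10.0.0.12
```

After applying for real, `ipvsadm -L -n` lists the resulting table, and `ipvsadm -S`/`ipvsadm -R` save and restore it across reboots. The persistence timeout is the one knob worth thinking about for SSL: without it, each new connection can land on a different backend, which defeats session resumption and makes every handshake a full one.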