Load-balancing an SSL-based server farm?

Bill McGonigle bill at bfccomputing.com
Thu Jan 21 21:14:44 EST 2010


On 01/18/2010 02:29 PM, Paul Lussier wrote:

> Has anyone here set up LVS (or something equivalent) to load balance
> across a set of apache servers serving up SSL-protected sites?

I have a client using it for their e-commerce application.  It's 
sustained 70-90Mbps days, so it's only medium-sized in that regard.

> I've googled around, and all the docs I've come up with are at least 4+
> years old, and somewhat incomplete.  Interestingly, I can't even find a
> single book about the topic!

Yes, don't use the popular web doc, it's terrible.  The Redhat guide is 
good, but not exactly right in some ways (e.g. assigning addresses to 
server interfaces).

> The examples I've found tend to be concerned with a basic apache config
> without SSL being involved, and don't address the scalability of the LVS
> configuration.  The things I'm most concerned with :)

You want to use Direct Routing which does clever Layer2 things to make 
things fast.  It's just a packet redirector, it doesn't care what's in 
them (HTTP/HTTPS).  It uses IP affinity, so this can be a problem for 
apps which require Layer 7 routing.  If you have outside customers 
you'll have AOL clients which come in from multiple unpredictable IP 
addresses for subsequent requests, even in the same page.

Also, DR is broken in RHEL 5.4, and has been since release (I reported 
it when an update broke said client).  There's a fix in dev.

> - Is LVS the right tool, or is there something better (OSS) ?

I haven't found something tougher.  Some would recommend Cisco solutions 
- they start at $40K for something decent.  Very not OSS.

> - Can LVS handle this size of a load ?
> - How many sites can LVS scale to serving?

Good questions - I don't know how big it's been pushed.  You might need 
some kernel mods to get that big.  Do they all have to go through the 
same pair (normal + failover) of directors?

> - Can the LVS config be updated dynamically, on-the-fly, without
>    restarting ldirectord ?

Yes, if you get low enough.  The higher-level tools, like RHEL's, flush 
and reload, so there's a blip.  Otherwise you're manipulating kernel 
states with userland tools.

> - Is there any recent (w/in the last 2 years) documentation or are there
>    any books on building such an environment with LVS ?

The Redhat guide is the best I've found.  I don't think I ever published 
my deltas from it, though.

-Bill

-- 
Bill McGonigle, Owner
BFC Computing, LLC
http://bfccomputing.com/
Telephone: +1.603.448.4440
Email, IM, VOIP: bill at bfccomputing.com
VCard: http://bfccomputing.com/vcard/bill.vcf
Social networks: bill_mcgonigle/bill.mcgonigle
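As an added example (not part of Bill's reply or any RHEL/LVS documentation), the shell skeleton below shows the two halves of the Direct Routing setup he describes and the "manipulate kernel state with userland tools" point: the director defines an HTTPS virtual service with source-IP persistence and attaches real servers in DR mode, and a drain helper edits a real server's weight in place rather than flushing and reloading. The VIP and real-server addresses are constructed documentation-range values; the ipvsadm and sysctl invocations are the standard ones from their man pages, and the loopback/arp_ignore approach is one of several ways to keep real servers from answering ARP for the VIP (the RHEL guide's arptables approach is another). Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original post. Constructed addresses:
# VIP 203.0.113.10 on the director, real servers passed as arguments.

IPVSADM="${IPVSADM:-ipvsadm}"
VIP="${VIP:-203.0.113.10}"      # constructed virtual IP that clients connect to
VPORT="${VPORT:-443}"
PERSIST="${PERSIST:-300}"       # seconds a client source IP sticks to one real server

# Run a command, or print it when DRY_RUN is set (useful for review before rollout).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Director side: one TCP virtual service on VIP:443, weighted round-robin,
# with -p persistence so a returning source IP lands on the same real server.
# Each real server is added with -g (gatewaying = Direct Routing). The director
# never decrypts anything, so every real server must hold the site cert/key.
director_setup() {
    run "$IPVSADM" -A -t "$VIP:$VPORT" -s wrr -p "$PERSIST"
    for rip in "$@"; do
        run "$IPVSADM" -a -t "$VIP:$VPORT" -r "$rip:$VPORT" -g -w 1
    done
}

# Dynamic change without restarting anything: weight 0 stops new connections
# from being scheduled to the server (existing and persistent ones finish),
# weight 1 brings it back. -e edits the kernel table entry in place.
drain_real_server()   { run "$IPVSADM" -e -t "$VIP:$VPORT" -r "$1:$VPORT" -g -w 0; }
restore_real_server() { run "$IPVSADM" -e -t "$VIP:$VPORT" -r "$1:$VPORT" -g -w 1; }

# Real-server side of DR: the host must accept packets addressed to the VIP
# (bound on lo as a /32) but must not answer ARP for it, or it will steal
# traffic from the director. arp_ignore=1/arp_announce=2 is one way to do that.
realserver_setup() {
    run sysctl -w net.ipv4.conf.all.arp_ignore=1
    run sysctl -w net.ipv4.conf.all.arp_announce=2
    run ip addr add "$VIP/32" dev lo
}

# Usage (as root on the director):   director_setup 192.0.2.11 192.0.2.12
# Usage (as root on each real server): realserver_setup
# Inspect the live table afterwards with:  ipvsadm -L -n
```

Because persistence keys on the client source IP, a browser whose requests arrive from several proxy addresses (the AOL case above) will be spread across real servers, so any per-server state such as TLS session caches or application sessions needs to be shared or the application made stateless.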

