Security Basics mailing list archives
Re: HTTPs web-balancing
From: Patrick Debois <Patrick.Debois () jedi be>
Date: Mon, 13 Aug 2007 16:33:12 +0200
Some thoughts as you requested:

Loadbalancers and http/s often relate for
*) SSL offloading (decrypt the traffic, and sometimes re-encrypt)
*) Balancing traffic (used for prioritisation, QoS)
*) Stickiness
*) Failover mechanism

There is also a distinction using loadbalancers in http/s for
*) only server certificates
*) client certificates

Solutions exist either from the HW proxy world (bluecoat), SW proxy (apache mod_balance), balance, Network (css)

Problems:
* I guess the problem you are referring to is that if loadbalancers integrate at the real http/s layer, they work like a sort of man in the middle. When you take the whole chain, server AND client certificates, this is indeed a problem. Only server certificates do not pose that much of a problem because you can install the same certificate on the loadbalancers. For SSL client certificates, normally termination needs to be done on the http/s webserver itself. Vendors solve this by reading the client DN in the certificate and passing it via an http-header to the backend. But online checking with CRLs and OCSP is often not integrated.
* Stickiness in an SSL session: these loadbalancers can see the SSL sessions, but these tend to be negotiated differently based on the browser type.
* Buffering and delays: the introduction of http/s through a loadbalancer can cause some latency problems in case a lot of small packets are encrypted/decrypted. Have a look in google for 'nagle algorithm'.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of MARTIN Benoni
Sent: Thursday, August 09, 2007 11:55 AM
To: security-basics () securityfocus com
Subject: HTTPs web-balancing

Hi ! Has anyone experienced load-balancing with https ? Some guys say it's possible, others say no. Some vendors say yes, some friends say no :(. I'm quite lost ! Thx !
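
The reply above mentions balancers that read the client certificate DN and pass it to the backend in an http-header. The following is an added example, not part of the original post, of how a backend can decide whether to believe that header. The header name and the balancer subnet are hypothetical placeholders.

```python
import ipaddress

# Assumptions for this example (not from the original post): the header
# name and the balancer subnet below are hypothetical placeholders.
CLIENT_DN_HEADER = "x-ssl-client-dn"
TRUSTED_BALANCERS = [ipaddress.ip_network("10.0.0.0/29")]


def from_trusted_balancer(peer_ip):
    """True if the TCP peer is one of the balancers that terminate SSL."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_BALANCERS)


def client_dn(peer_ip, headers):
    """Return the client DN asserted by the balancer, or None.

    headers is a list of (name, value) pairs as received, so a repeated
    header stays visible instead of being merged away by a dict.
    """
    if not from_trusted_balancer(peer_ip):
        # Connection did not come through the balancer: the header is
        # client-controlled text and proves nothing.
        return None
    values = [v.strip() for n, v in headers if n.lower() == CLIENT_DN_HEADER]
    if len(values) != 1 or not values[0]:
        # No header: no client certificate was presented.
        # Several headers: a client-supplied copy was not stripped.
        return None
    # The backend only sees this string; revocation (CRL/OCSP) has to be
    # checked where the SSL session is terminated.
    return values[0]


if __name__ == "__main__":
    # Constructed sample requests: (peer address, header list).
    dn = ("X-SSL-Client-DN", "CN=alice,O=Example")
    samples = [
        ("10.0.0.2", [dn]),                     # via balancer
        ("192.0.2.7", [dn]),                    # direct to backend
        ("10.0.0.2", [dn, ("x-ssl-client-dn", "CN=admin")]),  # duplicate
    ]
    for peer, hdrs in samples:
        print(peer, "->", client_dn(peer, hdrs))
```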