Vai al contenuto principale
BlogLinodeNodeBalancer SSL

NodeBalancer SSL

nbssl

I NodeBalancer hanno sempre supportato i protocolli basati su TCP, compreso SSL, ma siamo lieti di annunciare che ora i NodeBalancer includono il supporto HTTPS nativo.

Ciò significa che un NodeBalancer può terminare le connessioni SSL per voi e avere le funzionalità e i comportamenti che già apprezzate dalla modalità HTTP, tra cui l'impostazione corretta di un X-Fowarded-For con l'indirizzo IP del richiedente e i cookie di sessione per mantenere il nodo di backend.

A tale scopo, creare un nuovo profilo di configurazione utilizzando la porta 443 (in genere), impostare il protocollo su HTTPS e quindi fornire il certificato e la sua chiave privata (senza passphrase). Sono supportati anche i certificati intermedi concatenati. Ecco una schermata che mostra le nuove opzioni:

nbssl

Una nota per i siti SSL ad alto traffico: la negoziazione SSL è un'operazione computazionalmente costosa e la capacità di un NodeBalancer in modalità SSL di tenere il passo potrebbe non essere sufficiente. In queste situazioni si consiglia di utilizzare la modalità TCP e di distribuire il carico di terminazione SSL ai Linode di backend. In alternativa, si possono usare più NodeBalancer in modalità SSL e utilizzare il DNS round-robin.

Ulteriori informazioni:

Buon divertimento!


Commenti (10)

  1. Author Photo

    Does Linode use HAProxy to run this service?

  2. Author Photo

    Hi,

    If not good for high traffic, what’s the advantage ?

    Thanks

  3. Christopher Aker

    @Jan: convenience – it’s very easy to get SSL working using the NodeBalancer user interface. This is also a good first step for us supporting native SSL — we gotta start somewhere.

  4. Author Photo

    How computationally expensive is SSL for you guys?

    From Google: “On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead.” (https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html)

  5. Author Photo

    What kind of maximum concurrency are we talking about here for SSL on a nodebalancer?

  6. Author Photo

    What traffic max rate is expected to be handled by these balancers? If a regular balancer handles 10k, what about SSL ones?

  7. Christopher Aker

    NodeBalancers have a 10,000 concurrent connection limit. It’s not a request/sec limit. There is no artificial request/sec limit built into NodeBalancers. A NodeBalancer config in TCP or HTTP mode can accept connections pretty much as fast as packets can be slung to/from the backends. In other words: it’s a lot.

    A NodeBalancer config in HTTPS mode can achieve 10,000 concurrent connections, too – it may just take some time to ramp up to that. While testing very small requests (connections don’t live long) we’ve seen about 150 req/sec via HTTPS mode. Again, it’s a good place to start, and we’ll be working on improving the req/sec throughput of native HTTPS mode.

    Thanks for the comments 🙂

  8. Author Photo

    Hi. I previously asked if Linode uses HAProxy for this service? (And indirectly I guess I was wondering what other software/hardware is being use. My post is still awaiting moderation even though posts made after mine have been approved.

    In the past Linode has been quite open about its architecture, especially about its implementation of Xen. Is there a reason we don’t get much detail about how NodeBalancers work? Is there something offensive or inappropriate about me asking these things?

  9. Author Photo

    Tom, I’d be interested too… Although it’s not out of the realm of possibility that they built their own with something like Golang (esp since 1.1), an accounting proxy would be trivial on such stack.

  10. Author Photo

    Any chance to have TLS renegotiation so we can host more than one domain on HTTPS ?

Lascia una risposta

Il vostro indirizzo e-mail non sarà pubblicato. I campi obbligatori sono contrassegnati da *