NodeBalancer SSL

NodeBalancers have always supported TCP-based protocols, including SSL, but we're pleased to announce that NodeBalancers now include native HTTPS support.

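This means a NodeBalancer can terminate SSL connections for you and give you the features and behavior you already enjoy in HTTP mode, including correctly setting an X-Forwarded-For header with the requester's IP address, and session cookies for backend node stickiness.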

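To do this, create a new configuration on port 443 (typically), set the protocol to HTTPS, and then provide the certificate and its private key (without a passphrase). Chained intermediate certificates are also supported. Here is a screenshot showing the new options: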

[Screenshot: the new configuration options]

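A note for higher-traffic SSL sites: SSL negotiation is a computationally expensive operation, and a NodeBalancer in SSL mode may not have the capacity to keep up. In these cases, we recommend using TCP mode and distributing the SSL termination load across your backend Linodes. Alternatively, you can use multiple NodeBalancers in SSL mode with round-robin DNS.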
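A backend behind a NodeBalancer in HTTPS mode sees the balancer as the TCP peer and gets the requester's address from X-Forwarded-For. The Python below is an added example, not Linode's code: it accepts the header only when the connection comes from the balancer. `TRUSTED_BALANCERS`, its constructed address, the `client_ip` helper and the single balancer hop in front of the backend are all assumptions.

```python
import ipaddress

# Assumption: the address(es) the balancer uses to reach this backend.
# Constructed placeholder; replace with your NodeBalancer's real source range.
TRUSTED_BALANCERS = [ipaddress.ip_network("10.10.0.5/32")]


def _is_trusted(peer: str) -> bool:
    """True when the TCP peer is one of the configured balancers."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in TRUSTED_BALANCERS)


def client_ip(peer: str, headers: dict) -> str:
    """Return the address to log or rate-limit on for one request.

    peer    -- source address of the TCP connection the backend accepted
    headers -- request headers with lower-cased names
    """
    if not _is_trusted(peer):
        # The connection did not come through the balancer, so the header
        # is whatever the caller chose to send. Use the socket address.
        return peer
    raw = headers.get("x-forwarded-for", "")
    # With one trusted hop, only the right-most entry was written by the
    # balancer; anything to its left arrived with the request.
    candidate = raw.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        # Missing or malformed header: fall back to the peer address.
        return peer


if __name__ == "__main__":
    # Constructed sample requests: (peer address, headers)
    samples = [
        ("10.10.0.5", {"x-forwarded-for": "203.0.113.7"}),
        ("10.10.0.5", {"x-forwarded-for": "1.2.3.4, 203.0.113.7"}),
        ("198.51.100.9", {"x-forwarded-for": "203.0.113.7"}),
        ("10.10.0.5", {}),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", client_ip(peer, hdrs))
```

In TCP mode the balancer does not add this header, so the same function simply returns the peer address it is given.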

More information:

Enjoy!


Comments (10)

  1. Author Photo

    Does Linode use HAProxy to run this service?

  2. Author Photo

    Hi,

    If not good for high traffic, what’s the advantage?

    Thanks

  3. Christopher Aker

    @Jan: convenience – it’s very easy to get SSL working using the NodeBalancer user interface. This is also a good first step for us supporting native SSL — we gotta start somewhere.

  4. Author Photo

    How computationally expensive is SSL for you guys?

    From Google: “On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead.” (https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html)

  5. Author Photo

    What kind of maximum concurrency are we talking about here for SSL on a nodebalancer?

  6. Author Photo

    What traffic max rate is expected to be handled by these balancers? If a regular balancer handles 10k, what about SSL ones?

  7. Christopher Aker

    NodeBalancers have a 10,000 concurrent connection limit. It’s not a request/sec limit. There is no artificial request/sec limit built into NodeBalancers. A NodeBalancer config in TCP or HTTP mode can accept connections pretty much as fast as packets can be slung to/from the backends. In other words: it’s a lot.

    A NodeBalancer config in HTTPS mode can achieve 10,000 concurrent connections, too – it may just take some time to ramp up to that. While testing very small requests (connections don’t live long) we’ve seen about 150 req/sec via HTTPS mode. Again, it’s a good place to start, and we’ll be working on improving the req/sec throughput of native HTTPS mode.

    Thanks for the comments 🙂

  8. Author Photo

    Hi. I previously asked if Linode uses HAProxy for this service? (And indirectly I guess I was wondering what other software/hardware is being used.) My post is still awaiting moderation even though posts made after mine have been approved.

    In the past Linode has been quite open about its architecture, especially about its implementation of Xen. Is there a reason we don’t get much detail about how NodeBalancers work? Is there something offensive or inappropriate about me asking these things?

  9. Author Photo

    Tom, I’d be interested too… Although it’s not out of the realm of possibility that they built their own with something like Golang (esp since 1.1), an accounting proxy would be trivial on such a stack.

  10. Author Photo

    Any chance to have TLS renegotiation so we can host more than one domain on HTTPS?
