load balancers general SSL
Load balancers are ubiquitous. Most of us encounter them as the Internet-facing part of a server farm (usually a web server farm).
Server Farms
One of the most commonly used applications of load balancing is to provide a single Internet service from multiple servers, sometimes known as a server farm.
Commonly load-balanced systems include popular web sites, large Internet Relay Chat networks, high-bandwidth File Transfer Protocol sites, Network News Transfer Protocol (NNTP) servers, Domain Name System (DNS) servers, and databases.
Q. If you have 3 web servers behind a load balancer (such as haproxy) and they are serving up content for the same domain, do you need SSL certificates for all the servers?
If you do your load balancing on the TCP or IP layer (OSI layer 4/3, a.k.a. L4, L3), then yes, all HTTP servers will need to have the SSL certificate installed.
If you load balance on the HTTPS layer (L7), then you’d commonly install the certificate on the load balancer alone, and use plain unencrypted HTTP over the local network between the load balancer and the web servers (for best performance on the web servers).
If you have a large installation, then you may be doing Internet -> L3 load balancing -> layer of L7 SSL concentrators -> load balancers -> layer of L7 HTTP application servers…
The author of HAProxy has a really nice overview of the canonical ways of load balancing HTTP/HTTPS.
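The two cases from the answer above, written as an HAProxy configuration. This is an added example, not taken from the original post or from the HAProxy project; the IP addresses, server names and certificate path are constructed placeholders.

```haproxy
# Added example: constructed addresses, names and paths throughout.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Option A: layer 4 pass-through. HAProxy forwards the TCP stream untouched,
# so the TLS handshake is completed by the web servers and each of the three
# needs the certificate and private key installed.
frontend www_l4
    bind 192.0.2.10:443
    mode tcp
    default_backend web_tls

backend web_tls
    mode tcp
    balance roundrobin
    server web1 10.0.0.11:443 check
    server web2 10.0.0.12:443 check
    server web3 10.0.0.13:443 check

# Option B: layer 7 termination. Only the load balancer holds the certificate
# (one PEM file with the certificate chain and private key); the hop to the
# web servers is plain HTTP.
frontend www_l7
    bind 192.0.2.20:443 ssl crt /etc/haproxy/certs/example.org.pem
    mode http
    option forwardfor                                # add X-Forwarded-For with the client IP
    http-request set-header X-Forwarded-Proto https  # tell the app the client used TLS
    default_backend web_plain

backend web_plain
    mode http
    balance roundrobin
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check
    server web3 10.0.0.13:80 check
```

With option B the private key lives in one place instead of three, but anything on the local network between the load balancer and the web servers can read the traffic. With option A the load balancer cannot see or modify HTTP headers, so the web servers only see the load balancer's address unless the PROXY protocol is used.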
Alternatives to hardware load balancing
Round-robin DNS
An alternate method of load balancing, which does not require a dedicated software or hardware node, is called round-robin DNS. In this technique, multiple IP addresses are associated with a single domain name; clients are handed those IP addresses in round-robin fashion.
DNS delegation
Another more effective technique for load-balancing using DNS is to delegate www.example.org as a sub-domain whose zone is served by each of the same servers that are serving the web site. This technique works particularly well where individual servers are spread geographically on the Internet.