Nginx - TCP balancer

Aleksandar Lazic al-nginx at none.at
Wed Jun 11 23:22:25 MSD 2008


Hi Kamil,

On Wed 11.06.2008 21:09, Kamil Gorlo wrote:
>Hi all,
>
>I have a question about Nginx "features". Is it possible to run Nginx as
>a transparent load balancer (which works on the TCP layer, not HTTP)?
>
>My case is that I have 5 backends (strong, 4 core machines) which
>communicate with users over HTTPS (it's some kind of authentication
>service - the user sends short https requests, gets a response, and does
>not keep the connection any more; so the user spends only a few seconds on
>this service, but there are many users). Till today I was using simple DNS
>balancing between those machines, but now I need something more
>powerful.
>
>So, I have another 2 machines (this time, they have only a single core)
>which I want to be load balancers. But they cannot work on the HTTP layer,
>as a standard load balancer, because of SSL - they simply do not have the
>resources to do this SSL stuff. My idea is to use some kind of
>transparent load balancer on those machines - they should only forward
>requests to backends and all resource consuming work should be done on
>backends (SSL handshake, etc.).
>
>Can Nginx do that? If not, do you know any tools which can work as TCP
>balancers (I found HAProxy, but haven't tested it)?

No, nginx can't do this, but it can be an excellent SSL backend ;-)

haproxy can do this for you, from
http://haproxy.1wt.eu/download/1.3/doc/haproxy-en.txt

TCP mode
3) Autonomous load balancer

###
listen http_proxy
         bind :80,:443
         mode http
         balance source
         server web1 192.168.1.1
         server web2 192.168.1.2
###

3.1) Server monitoring

###

.
.
.
Since the demand for HTTPS checks is high, it has been implemented in
1.2.15 based on SSLv3 Client Hello packets.  To enable it, use 'option
ssl-hello-chk'. It will send SSL CLIENT HELLO packets to the servers,
announcing support for most common cipher suites. If the server responds
what looks like a SERVER HELLO or an ALERT (refuses the ciphers) then
the response is considered as valid. Note that Apache does not generate
a log when it receives only an HELLO message, which makes this type of
message perfectly suit this need.
.
.
###

It is a Swiss army knife ;-))

>Do you have any experience in similar situations?

Not in this setup but with stunnel => haproxy => apache ...

Hth

Aleks
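
As an added example (not part of the original message and not HAProxy's own code), this Python function shows what "looks like a SERVER HELLO or an ALERT" means at the SSL record level, which is all the check described above inspects. The function name and the sample byte strings are constructed for illustration.

```python
import struct

# SSLv3/TLS record content types and handshake message type (RFC 6101 / RFC 5246).
CT_ALERT, CT_HANDSHAKE = 0x15, 0x16
HS_SERVER_HELLO = 0x02
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}  # subset

def classify_hello_reply(data: bytes) -> dict:
    """Classify the first record a backend sends after a Client Hello.

    Returns {"up": bool, "reason": str}. "up" follows the rule quoted above:
    a Server Hello or an Alert both prove an SSL stack is answering.
    """
    if len(data) < 5:  # a record header is 5 bytes: type, version(2), length(2)
        return {"up": False, "reason": "short read (%d bytes)" % len(data)}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if major != 3:  # SSLv3 and every TLS version use major version 3
        return {"up": False, "reason": "not an SSLv3/TLS record"}
    body = data[5:5 + length]
    if ctype == CT_HANDSHAKE:
        if body[:1] == bytes([HS_SERVER_HELLO]):
            return {"up": True, "reason": "server_hello (3.%d)" % minor}
        return {"up": False, "reason": "unexpected handshake message"}
    if ctype == CT_ALERT:
        if len(body) < 2:  # an alert is exactly level + description
            return {"up": False, "reason": "truncated alert"}
        name = ALERT_NAMES.get(body[1], "alert %d" % body[1])
        return {"up": True, "reason": "alert: " + name}
    return {"up": False, "reason": "unexpected content type 0x%02x" % ctype}

# Constructed sample replies (not captured traffic).
SAMPLE_SERVER_HELLO = bytes.fromhex("160300002a" "02000026" "0300") + bytes(36)
SAMPLE_ALERT = bytes.fromhex("1503000002" "0228")   # fatal, handshake_failure
SAMPLE_PLAINTEXT = b"HTTP/1.1 400 Bad Request\r\n"   # port not speaking SSL

if __name__ == "__main__":
    for name, raw in [("hello", SAMPLE_SERVER_HELLO), ("alert", SAMPLE_ALERT),
                      ("plain", SAMPLE_PLAINTEXT), ("empty", b"")]:
        print(name, classify_hello_reply(raw))
```

A reply that passes this kind of check shows only that an SSL stack answered on the port; it says nothing about the certificate or the application behind it.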




