Nginx - TCP balancer
Aleksandar Lazic
al-nginx at none.at
Wed Jun 11 23:22:25 MSD 2008
Hi Kamil,
On Wed 11.06.2008 21:09, Kamil Gorlo wrote:
>Hi all,
>
>I have a question about Nginx "features". Is it possible to run Nginx as
>a transparent load balancer (which works on the TCP layer, not HTTP)??
>
>My case is that I have 5 backends (strong, 4 core machines) which
>communicate with users over HTTPS (it's some kind of authentication
>service - a user sends short HTTPS requests, gets a response, and does not
>keep the connection any more; so a user spends only a few seconds on this
>service, but there are many users). Till today I was using simple DNS
>balancing between those machines, but now I need something more
>powerful.
>
>So, I have another 2 machines (this time, they have only a single core)
>which I want to be load balancers. But they cannot work on the HTTP layer,
>as a standard load balancer, because of SSL - they simply do not have
>the resources to do this SSL stuff. My idea is to use some kind of
>transparent load balancer on those machines - they should only forward
>requests to backends and all resource-consuming work should be done on
>the backends (SSL handshake, etc.).
>
>Can Nginx do that? If not, do you know any tools which can work as TCP
>balancers (I found HAProxy, but haven't tested it)?
No, nginx can't do this, but it can be an excellent SSL backend ;-)
haproxy can do this for you, from
http://haproxy.1wt.eu/download/1.3/doc/haproxy-en.txt
TCP mode
3) Autonomous load balancer
###
listen http_proxy
    bind :80,:443
    mode http
    balance source
    server web1 192.168.1.1
    server web2 192.168.1.2
###
3.1) Server monitoring
###
.
.
.
Since the demand for HTTPS checks is high, it has been implemented in
1.2.15 based on SSLv3 Client Hello packets. To enable it, use 'option
ssl-hello-chk'. It will send SSL CLIENT HELLO packets to the servers,
announcing support for most common cipher suites. If the server responds
what looks like a SERVER HELLO or an ALERT (refuses the ciphers) then
the response is considered as valid. Note that Apache does not generate
a log when it receives only an HELLO message, which makes this type of
message perfectly suit this need.
.
.
###
It is a Swiss army knife ;-))
>Do you have any experience in similar situations?
Not in this setup but with stunnel => haproxy => apache ...
Hth
Aleks
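
The documentation excerpt quoted above says the check accepts either a SERVER HELLO or an ALERT as proof that a backend speaks SSL. The sketch below is an added example, not part of the original message and not HAProxy's own code: it classifies the first bytes of a probe reply by the SSLv3/TLS record header. The function names and the sample byte strings are constructed for illustration.

```python
# Added illustration: classify the first bytes a backend returns to an
# SSL hello probe. Not HAProxy's code; all names below are hypothetical.
import struct

CONTENT_ALERT = 0x15      # SSLv3/TLS record type: alert
CONTENT_HANDSHAKE = 0x16  # SSLv3/TLS record type: handshake
HS_SERVER_HELLO = 0x02    # handshake message type: ServerHello


def classify_probe_reply(data: bytes) -> str:
    """Return 'server_hello', 'alert' or 'invalid' for a probe reply."""
    if len(data) < 5:
        return "invalid"          # too short to hold a record header
    ctype, major, _minor, length = struct.unpack("!BBBH", data[:5])
    if major != 3:
        return "invalid"          # not an SSLv3/TLS record (e.g. plain HTTP)
    body = data[5:5 + length]
    if ctype == CONTENT_ALERT:
        # An unencrypted alert body is two bytes: level and description.
        return "alert" if length == 2 and len(body) == 2 else "invalid"
    if ctype == CONTENT_HANDSHAKE and body[:1] == bytes([HS_SERVER_HELLO]):
        return "server_hello"
    return "invalid"


def backend_is_up(data: bytes) -> bool:
    """The quoted rule: a ServerHello or an alert both count as valid."""
    return classify_probe_reply(data) in ("server_hello", "alert")


# Constructed sample replies (not captured traffic).
SAMPLES = {
    # Record header + start of a ServerHello; the first read may be partial.
    "server_hello": bytes.fromhex("160300002a" "02000026" "0300"),
    # Fatal alert (level 2), handshake_failure (40): ciphers refused.
    "handshake_failure_alert": bytes.fromhex("1503000002" "0228"),
    # Backend answering in clear text on the SSL port.
    "plain_http": b"HTTP/1.1 400 Bad Request\r\n",
    "truncated": bytes.fromhex("1603"),
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        verdict = classify_probe_reply(reply)
        print(f"{name:24} -> {verdict:12} up={backend_is_up(reply)}")
```

A backend that answers in clear text on the SSL port, or that closes after a partial header, is marked down, while one that refuses the offered ciphers with an alert still counts as alive.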