Nginx - TCP balancer

Aleksandar Lazic al-nginx at
Wed Jun 11 23:22:25 MSD 2008

Hi Kamil,

On Wed 11.06.2008 21:09, Kamil Gorlo wrote:
>Hi all,
>I have a question about Nginx "features". Is it possible to run Nginx as
>a transparent load balancer (which works on the TCP layer, not HTTP)??
>My case is that I have 5 backends (strong, 4-core machines) which
>communicate with users over HTTPS (it's some kind of authentication
>service - user sends short https requests, gets response, and does not
>keep connection any more; so user spends only few seconds on this
>service, but there are many users). Till today I was using simple dns
>balancing between those machines, but now I need something more
>So, I have another 2 machines (this time, they have only single core)
>which I want to be load balancers. But they cannot work on HTTP layer,
>as a standard load balancer, because of SSL - they simply do not have
>resources to do this SSL stuff. My idea is to use some kind of
>transparent load balancer on those machines - they should only forward
>requests to backends and all resource consuming work should be done on
>backends (SSL handshake, etc.).
>Can Nginx do that? If not, do you know any tools which can work as TCP
>balancers (I found HAProxy, but haven't tested it)?

No, nginx can't do this, but it can be an excellent ssl-backend ;-)

haproxy can do this for you, from

TCP mode
3) Autonomous load balancer

listen http_proxy
         bind :80,:443
         mode http
         balance source
         server web1
         server web2

3.1) Server monitoring


Since the demand for HTTPS checks is high, it has been implemented in
1.2.15 based on SSLv3 Client Hello packets.  To enable it, use 'option
ssl-hello-chk'. It will send SSL CLIENT HELLO packets to the servers,
announcing support for most common cipher suites. If the server responds
with what looks like a SERVER HELLO or an ALERT (refuses the ciphers) then
the response is considered as valid. Note that Apache does not generate
a log when it receives only a HELLO message, which makes this type of
message perfectly suit this need.

It is a Swiss army knife ;-))

>Do you have any experience in similar situations?

Not in this setup but with stunnel => haproxy => apache ...
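
Added example, not part of the original message and not haproxy's own code: a sketch of the acceptance rule quoted above, where a backend's reply to a CLIENT HELLO counts as healthy if it looks like a SERVER HELLO or an ALERT. The function names and the sample byte strings are constructed for illustration; the record and message type values are the standard SSLv3/TLS ones.

```python
import struct

# SSLv3/TLS record-layer content types and the ServerHello handshake type.
REC_ALERT, REC_HANDSHAKE = 0x15, 0x16
HS_SERVER_HELLO = 0x02


def classify_hello_reply(data: bytes) -> str:
    """Classify the first bytes a backend returns after a CLIENT HELLO.

    Returns 'server_hello', 'alert', 'short' (not enough bytes yet)
    or 'invalid' (something other than an SSL/TLS reply).
    """
    if len(data) < 5:                      # record header is 5 bytes
        return "short"
    ctype, major, _minor, length = struct.unpack("!BBBH", data[:5])
    if major != 3:                         # SSLv3 and TLS 1.x all use major 3
        return "invalid"
    if ctype == REC_ALERT:
        # A plaintext alert body is exactly: level byte + description byte.
        return "alert" if length == 2 else "invalid"
    if ctype == REC_HANDSHAKE:
        if length < 4:                     # handshake header is 4 bytes
            return "invalid"
        if len(data) < 6:
            return "short"
        return "server_hello" if data[5] == HS_SERVER_HELLO else "invalid"
    return "invalid"


def backend_is_up(data: bytes) -> bool:
    """Health decision as described in the quoted documentation:
    a SERVER HELLO or an ALERT both prove an SSL stack is answering."""
    return classify_hello_reply(data) in ("server_hello", "alert")


# Constructed sample replies (not captured traffic).
SAMPLE_SERVER_HELLO = bytes.fromhex("160300002a020000260300") + b"\x00" * 36
SAMPLE_ALERT = bytes.fromhex("15030000020228")   # fatal, handshake_failure
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n\r\n"  # port speaks plain HTTP

if __name__ == "__main__":
    for name, blob in [("server hello", SAMPLE_SERVER_HELLO),
                       ("alert", SAMPLE_ALERT), ("plain http", SAMPLE_HTTP)]:
        print(f"{name:12s} -> {classify_hello_reply(blob):12s} "
              f"up={backend_is_up(blob)}")
```

A check of this kind confirms only that something speaking SSL/TLS is listening; it completes no handshake and validates no certificate.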



