using nginx open source to tunnel https requests to backend set

Brendan Doyle
Hi,

So I want to use nginx open source as a load balancer to forward https
requests to a backend set where the TLS is terminated by the application
on the backend servers, i.e. I want to tunnel the TLS traffic. And I'm
wondering about the best approach.

What I'm thinking is that I use the streams module to load balance the TCP
traffic to the backend set.

But my concern is that I need session persistence, else the TLS handshake
might fall between two different backend hosts.

So I'm thinking that I need to use something like:

a)
  upstream backend_hosts {
      ip_hash;
      server host1.example.com;
      server host2.example.com;
      server host3.example.com;
  }

b)
  upstream backend_hosts {
      hash $remote_addr$remote_port consistent;
      server host1.example.com;
      server host2.example.com;
      server host3.example.com;
  }


To ensure session persistence. The disadvantage of a) is that all traffic
from a given IP will always go to the same server, so it is not load
balancing per session per se.

With b) I guess there is more chance of a unique TCP src port per TCP
session, so there will be a better persistent spread.


Thoughts?

Thanks
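
The two options from the post written out as a stream-module TLS passthrough configuration. This is an added example, not part of the original message; the backend port 443, the listen ports and the upstream names backend_by_ip and backend_by_conn are assumptions.

```nginx
# Added example (not from the original post). Goes at the top level of
# nginx.conf, next to any http {} block. Port 443 on the backends is assumed.
stream {
    # Option a) in stream terms: ip_hash is a directive of the http upstream
    # module; in a stream upstream the same per-client-IP affinity is
    # expressed by hashing on $remote_addr.
    upstream backend_by_ip {
        hash $remote_addr consistent;
        server host1.example.com:443;   # stream upstream servers need a port
        server host2.example.com:443;
        server host3.example.com:443;
    }

    # Option b): the key includes the client source port, so each new TCP
    # connection from the same address can map to a different backend.
    upstream backend_by_conn {
        hash $remote_addr$remote_port consistent;
        server host1.example.com:443;
        server host2.example.com:443;
        server host3.example.com:443;
    }

    # The upstream server is selected once, when the client connection is
    # accepted, and all bytes of that TCP connection (TLS handshake
    # included) are relayed to that one backend until it closes.
    server {
        listen 443;                  # no "ssl" parameter: nginx never decrypts
        proxy_pass backend_by_ip;    # per-client-IP affinity, as in a)
        proxy_connect_timeout 5s;
    }

    server {
        listen 8443;                 # assumed second port, for comparison only
        proxy_pass backend_by_conn;  # per-connection spread, as in b)
        proxy_connect_timeout 5s;
    }
}
```

Because nginx only relays the encrypted bytes here, certificates and private keys stay on the backend hosts, and the backends see the load balancer's address as the TCP peer rather than the client's.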

