Sure.. you can do this:

some kind of ssl proxy:

1. apache w/ ssl_mod and reverse proxy
or
2. openssl w/ sslproxy

These software frontends handle the conversion from ssl to normal http
headers. The backend would be the loadbalancer from orion, but with no ssl
configuration. These could be on the same machine. Of course, the <frontend
...> tag in the web-site.xml would have to have the proxy address and port,
and not the loadbalancer's address and port.

3. You could also do the same thing with a hardware ssl accelerator (for
example, the sonic wall ssl accelerator) which front-ends the loadbalancer.
There are also many other more expensive hardware solutions to this.

If a dedicated machine is used for 1 or 2, the cost is about the same as 3.

Oracle's strategy for using orion is the same:

1. https:// and http:// static loadbalancing from their apache adapted
frontend (like 1 or 2, above)
2. http session aware loadbalancing from the oc4j loadbalancer (Orion
1.5.x).

So you can be damn sure it works with Orion.

There is a 4th option. This is so clearly a need in the market that nobody
has addressed effectively for the low end, write your own ssl proxy front
end, put it on a "computer and disk on a chip"..there's a cnet article on
how to do this, and start selling it at a price below sonic wall's price.

Likewise, the clustering architecture that Orion uses makes use of multicast
messaging in java. If we had an open interface to this, you could write your
own loadbalancer...;).

Regards,

the elephantwalker

.ps I have found that the only thing the secure="true" controls is which
port is listened to, port 443 (for true) and port 80 for anything else
(secure="apples" makes the loadbalancer listen to the port 80). You can
comment out the ssl-config tag, and have secure="true" and there are NO
COMPLAINTS. If you do the same in a web-site.xml, the server complains that
there is no secure class....definitely this is a broken feature :(.
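
An added illustration of option 1 above, not part of the original message or of Orion's documentation: an Apache httpd virtual host that terminates SSL and reverse-proxies plain HTTP to a loadbalancer on the same machine. It assumes Apache httpd 2.4 syntax with mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded; the host name, certificate paths and the backend address 127.0.0.1:8080 are placeholders.

```apache
# Added example. Host name, file paths and backend port are placeholders.
Listen 443

<VirtualHost *:443>
    ServerName www.example.com

    # SSL/TLS ends here, so the loadbalancer behind it runs with no
    # ssl-config and listens for plain HTTP only.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/site.crt
    SSLCertificateKeyFile /etc/httpd/tls/site.key
    # TLSv1.3 needs httpd 2.4.37 or later; drop it on older builds.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    # Hand the browser's Host header to the backend unchanged.
    ProxyPreserveHost On

    # Tell the backend the original request arrived over HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # mod_proxy_http adds X-Forwarded-For with the client address by itself.
    # Whether the loadbalancer passes that header on to the Orion instances
    # is not stated in this thread.

    # The cleartext hop stays on the loopback interface. The loadbalancer
    # should listen on 127.0.0.1 only, so it cannot be reached directly and
    # unencrypted from the network.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

As the message says, the frontend tag in web-site.xml then has to carry the proxy's address and port rather than the loadbalancer's.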





-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Greg Kogan
Sent: Friday, July 06, 2001 2:37 PM
To: Orion-Interest
Subject: Re: clustering + ssl together


> Greg,
>
> The orion team doesn't ordinarily monitor the orion-interest list. I have
> contacted them by email directly under our license contract, and Karl noted
> the configuration for ssl in the load-balancer.xml. However, I haven't heard
> from him after several direct emails. I think they are a little busy now.
> An email from Karl is included below.
>
> It might be a configuration error, but the ssl-config tag is exactly the
> same as the tag used in the web-site.xml, so I don't think that is the
> issue. When I used openssl s_client to check what was going on, it appears
> to blow-up in the handshake step.
>
> Regards,
>
> the elephantwalker

Thanks for the info. BTW, I looked on bugzilla, and this bug is not assigned
to a developer yet (if that means anything at all), though it seems to be a
show stopper (from my point of view.)

> .ps I think many people use apache reverse-proxy server and/or hardware
> loadbalancers to do this. There doesn't seem to be much interest in using an
> orion ssl loadbalancer solution, or there would have been more response to
> this email trail. Sun's crypto solution is notoriously slow, so this could
> be why people aren't very interested in this.

Is it possible to use "apache reverse-proxy server and/or hardware
loadbalancers" and still make use of clustering (ssl or not)? I personally
am not attached to orion's loadbalancer. I simply did not find another way
to achieve HTTP state replication. If you know of another way, please let me
know.

Thanks,
Greg.

> Karls email to me:
>
> > Please answer these questions.
> >
> > We have two problems with the loadbalancer
> >
> > 1. The access log for each orion instance only lists the ip address of the
> > loadbalancer. We need a workaround for this bug (already logged as a bug).
>
> Forwarding the ip of the request initiator to the backend is a feature that's
> not implemented yet. I can't see a way for you to handle this, unless you add
> your own logging mechanism.
>
> > 2. How to loadbalance our ssl site?
> >
>
> Look at http://www.orionserver.com/docs/load-balancer.xml.html
>
> That shows the syntax of the load-balancer.xml file. Look at the secure
> attribute and the ssl-config.
>
> Remember, that the software loadbalancer provided might not give the same
> performance as a hardware loadbalancer, and it might become a bottleneck if
> you need to serve many requests.
>
> Regards,
> Karl Avedal
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Greg Kogan
> Sent: Friday, July 06, 2001 10:18 AM
> To: Orion-Interest
> Subject: Re: clustering + ssl together
>
>
>
>     Hello,
>
>     I just encountered this problem myself, and a question popped up: "In
> which version did this bug appear?" So I went as far back as 1.3.8 and the
> bug was still there. Is there a possibility of misconfiguration here? Can
> anybody from Orion development team comment on this? This is a very important
> issue to me and any feedback is greatly appreciated.
>
> Thank you,
> Greg Kogan.
>
>
>
