Re: Load balancing SSL sessions
I believe there is an issue with failover, however, with this route (thus, the second use case for load balancers - failover). If an IP address in the DNS list goes down, it can take up to 48 hours before the DNS maps are updated to reflect the loss of one of the IPs. In the meantime, clients may be getting directed to a server that is not available. Someone pls correct me if I'm wrong about that.

From: Filip Hanik - Dev Lists [EMAIL PROTECTED]
Reply-To: Tomcat Users List tomcat-user@jakarta.apache.org
To: Tomcat Users List tomcat-user@jakarta.apache.org
Subject: Re: Load balancing SSL sessions
Date: Tue, 22 Feb 2005 16:01:10 -0600

you can also use DNS round robin, www.mysite.com resolves to two or more IP addresses.

Filip

Andrew Miehs wrote:

We use F5 BigIPs, but they are probably overkill for your application - The Cisco probably will be as well. A 'Cheap' software solution might be to work with redirects, and 2 separate IP addresses. ie: ssl1.mysite.com and ssl2.mysite.com - You will need 2 ssl keys though for this to work.

Does all of your app require ssl? or just a certain part, ie: payment. Do you need the stickiness for the whole app? or just for the ssl (seeing you are using tomcat, you will probably need it for the whole app)...

Andrew

On Feb 22, 2005, at 10:24 PM, Kelly Vista wrote:

Hi - We are looking to deploy our app, running on Tomcat 5, soon and are exploring load balancing options. We are looking at H/W and S/W solutions, and I was wondering if anyone had any past experience/advice they would like to share.

Our deployment is as pretty run-of-the-mill as it gets: 2 machines, each running Tomcat. We would like to avoid replicating state (since we have a lot of state in these apps, for reasons beyond our current control). Even in-memory session replication would not be an option here, so we're punting on the Tomcat cluster solution.
- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Load balancing SSL sessions
BTW, I believe there is another issue with DNS round robin -- no support for sticky sessions. There is no assurance that a series of requests (i.e., a session) for a particular client IP or client with a particular session ID will be routed to the same server. Also, SSL sticky sessions are definitely not supported. Again, pls correct me if I'm wrong.

From: Filip Hanik - Dev Lists [EMAIL PROTECTED]
Reply-To: Tomcat Users List tomcat-user@jakarta.apache.org
To: Tomcat Users List tomcat-user@jakarta.apache.org
Subject: Re: Load balancing SSL sessions
Date: Tue, 22 Feb 2005 16:01:10 -0600

you can also use DNS round robin, www.mysite.com resolves to two or more IP addresses.

Filip

Andrew Miehs wrote:

We use F5 BigIPs, but they are probably overkill for your application - The Cisco probably will be as well. A 'Cheap' software solution might be to work with redirects, and 2 separate IP addresses. ie: ssl1.mysite.com and ssl2.mysite.com - You will need 2 ssl keys though for this to work.

Does all of your app require ssl? or just a certain part, ie: payment. Do you need the stickiness for the whole app? or just for the ssl (seeing you are using tomcat, you will probably need it for the whole app)...

Andrew

On Feb 22, 2005, at 10:24 PM, Kelly Vista wrote:

Hi - We are looking to deploy our app, running on Tomcat 5, soon and are exploring load balancing options. We are looking at H/W and S/W solutions, and I was wondering if anyone had any past experience/advice they would like to share.

Our deployment is as pretty run-of-the-mill as it gets: 2 machines, each running Tomcat. We would like to avoid replicating state (since we have a lot of state in these apps, for reasons beyond our current control). Even in-memory session replication would not be an option here, so we're punting on the Tomcat cluster solution.
Re: Load balancing SSL sessions
Hi Kelly,

To do a software solution you could use the following method.

www.mysite.com - Both servers can answer this request, (for example round robin dns) or some form of hsrp (I'm sure there is a patch for linux to do this)... and based upon load and a simple script (perl, java, etc) they then redirect the traffic to server1.mysite.com, or server2.mysite.com.

This way the session then stays on server1 or server2.

As I said though, you will need 2 certificates if you do not want the clients complaining about broken ssl certificates.

Andrew

Kelly Vista wrote:

Thanks Andrew. In answer to your question, some of our app requires SSL -- exactly like an order-style app (but it's not a product ordering app). So, a person's session might involve the following path:

1. non SSL req
2. non SSL req
3. SSL req
4. non SSL req

and we'd like that entire session to be persistent (i.e., sticky with one particular app server). BTW, it is not an issue for us if that server fails during the session. It will happen rarely and it's an acceptable failure for us (i.e., not mission critical data).

I should have mentioned that we expect 1000 req/hour with this app. However, our app is not necessarily quick (dependent on external resources) and does keep a lot of state. I'm personally someone in favor of a H/W LB solution, but looking to be convinced that a valid S/W solution exists which is better (or just as good) as a H/W solution. I know the S/W solution will be less reliable (not solid state), but I'm looking to hear from folks who have done SSL session affinity with a S/W only approach.

Andrew

On Feb 22, 2005, at 10:24 PM, Kelly Vista wrote:

Hi - We are looking to deploy our app, running on Tomcat 5, soon and are exploring load balancing options. We are looking at H/W and S/W solutions, and I was wondering if anyone had any past experience/advice they would like to share.
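The redirect scheme described in the message above, sketched as an added example that is not part of the original thread: the shared www entry point sends a 302 to a fixed per-server hostname, and a simplified certificate name check shows why a certificate issued only for www.mysite.com fails on the redirect target. The load metric, the function names and the wildcard case in the matcher are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Backend hostnames from the thread, kept as a fixed allowlist: the redirect
# target is never derived from the Host header or from the requested URL.
BACKENDS = ("server1.mysite.com", "server2.mysite.com")


def pick_backend(load):
    """Least-loaded backend; `load` maps hostname -> active sessions (assumed metric)."""
    return min(BACKENDS, key=lambda host: (load.get(host, 0), host))


def redirect_location(request_target, load):
    """Location header value for the 302 sent by the shared www entry point."""
    parts = urlsplit(request_target)
    # Keep only path and query; a scheme or host smuggled into the request
    # target is dropped, so this cannot become an open redirect.
    path = parts.path if parts.path.startswith("/") else "/"
    query = "?" + parts.query if parts.query else ""
    return "https://" + pick_backend(load) + path + query


def cert_covers(cert_names, host):
    """True if a certificate name matches `host` (exact, or '*' as the whole left-most label)."""
    host_labels = host.lower().split(".")
    for name in cert_names:
        labels = name.lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[1:] == host_labels[1:] and labels[0] in ("*", host_labels[0]):
            return True
    return False


if __name__ == "__main__":
    load = {"server1.mysite.com": 12, "server2.mysite.com": 7}  # constructed sample
    target = redirect_location("/order?step=3", load)
    host = urlsplit(target).hostname
    print(target)
    # A certificate issued only for the entry point does not match the target host.
    print("www cert valid on target:", cert_covers(["www.mysite.com"], host))
    print("per-server cert valid on target:", cert_covers([host], host))
```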
RE: Load balancing SSL sessions
On Feb 22, 2005, at 10:24 PM, Kelly Vista wrote:

Hi - We are looking to deploy our app, running on Tomcat 5, soon and are exploring load balancing options. We are looking at H/W and S/W solutions, and I was wondering if anyone had any past experience/advice they would like to share.

Our deployment is as pretty run-of-the-mill as it gets: 2 machines, each running Tomcat. We would like to avoid replicating state (since we have a lot of state in these apps, for reasons beyond our current control). Even in-memory session replication would not be an option here, so we're punting on the Tomcat cluster solution.

You could use Coherence*Web to cluster your session state, and a Foundry switch to do the load balancing. It can do sticky load balancing, and if a server fails then Coherence will ensure that your other boxes still have the session state.

http://www.foundrynet.com/products/webswitches/serveriron/
http://www.tangosol.com/coherence-uses-a.jsp

Best Regards,
James
Re: Load balancing SSL sessions
We use F5 BigIPs, but they are probably overkill for your application - The Cisco probably will be as well. A 'Cheap' software solution might be to work with redirects, and 2 separate IP addresses. ie: ssl1.mysite.com and ssl2.mysite.com - You will need 2 ssl keys though for this to work.

Does all of your app require ssl? or just a certain part, ie: payment. Do you need the stickiness for the whole app? or just for the ssl (seeing you are using tomcat, you will probably need it for the whole app)...

Andrew

On Feb 22, 2005, at 10:24 PM, Kelly Vista wrote:

Hi - We are looking to deploy our app, running on Tomcat 5, soon and are exploring load balancing options. We are looking at H/W and S/W solutions, and I was wondering if anyone had any past experience/advice they would like to share.

Our deployment is as pretty run-of-the-mill as it gets: 2 machines, each running Tomcat. We would like to avoid replicating state (since we have a lot of state in these apps, for reasons beyond our current control). Even in-memory session replication would not be an option here, so we're punting on the Tomcat cluster solution.
Re: Load balancing SSL sessions
you can also use DNS round robin, www.mysite.com resolves to two or more IP addresses.

Filip

Andrew Miehs wrote:

We use F5 BigIPs, but they are probably overkill for your application - The Cisco probably will be as well. A 'Cheap' software solution might be to work with redirects, and 2 separate IP addresses. ie: ssl1.mysite.com and ssl2.mysite.com - You will need 2 ssl keys though for this to work.

Does all of your app require ssl? or just a certain part, ie: payment. Do you need the stickiness for the whole app? or just for the ssl (seeing you are using tomcat, you will probably need it for the whole app)...

Andrew

On Feb 22, 2005, at 10:24 PM, Kelly Vista wrote:

Hi - We are looking to deploy our app, running on Tomcat 5, soon and are exploring load balancing options. We are looking at H/W and S/W solutions, and I was wondering if anyone had any past experience/advice they would like to share.

Our deployment is as pretty run-of-the-mill as it gets: 2 machines, each running Tomcat. We would like to avoid replicating state (since we have a lot of state in these apps, for reasons beyond our current control). Even in-memory session replication would not be an option here, so we're punting on the Tomcat cluster solution.
Re: Load balancing SSL sessions
Problem with round robin dns is that you can not guarantee that the web browser/client will not make a second request to the dns server during the session - although very very unlikely.

Andrew

On Feb 22, 2005, at 11:01 PM, Filip Hanik - Dev Lists wrote:

you can also use DNS round robin, www.mysite.com resolves to two or more IP addresses.

Filip

Andrew Miehs wrote:

We use F5 BigIPs, but they are probably overkill for your application - The Cisco probably will be as well. A 'Cheap' software solution might be to work with redirects, and 2 separate IP addresses. ie: ssl1.mysite.com and ssl2.mysite.com - You will need 2 ssl keys though for this to work.

Does all of your app require ssl? or just a certain part, ie: payment. Do you need the stickiness for the whole app? or just for the ssl (seeing you are using tomcat, you will probably need it for the whole app)...

Andrew

On Feb 22, 2005, at 10:24 PM, Kelly Vista wrote:

Hi - We are looking to deploy our app, running on Tomcat 5, soon and are exploring load balancing options. We are looking at H/W and S/W solutions, and I was wondering if anyone had any past experience/advice they would like to share.

Our deployment is as pretty run-of-the-mill as it gets: 2 machines, each running Tomcat. We would like to avoid replicating state (since we have a lot of state in these apps, for reasons beyond our current control). Even in-memory session replication would not be an option here, so we're punting on the Tomcat cluster solution.
Re: Load balancing SSL sessions
Thanks Andrew. In answer to your question, some of our app requires SSL -- exactly like an order-style app (but it's not a product ordering app). So, a person's session might involve the following path:

1. non SSL req
2. non SSL req
3. SSL req
4. non SSL req

and we'd like that entire session to be persistent (i.e., sticky with one particular app server). BTW, it is not an issue for us if that server fails during the session. It will happen rarely and it's an acceptable failure for us (i.e., not mission critical data).

I should have mentioned that we expect 1000 req/hour with this app. However, our app is not necessarily quick (dependent on external resources) and does keep a lot of state. I'm personally someone in favor of a H/W LB solution, but looking to be convinced that a valid S/W solution exists which is better (or just as good) as a H/W solution. I know the S/W solution will be less reliable (not solid state), but I'm looking to hear from folks who have done SSL session affinity with a S/W only approach.

Thanks again,

From: Andrew Miehs [EMAIL PROTECTED]
Reply-To: Tomcat Users List tomcat-user@jakarta.apache.org
To: Tomcat Users List tomcat-user@jakarta.apache.org
Subject: Re: Load balancing SSL sessions
Date: Tue, 22 Feb 2005 22:40:14 +0100

We use F5 BigIPs, but they are probably overkill for your application - The Cisco probably will be as well. A 'Cheap' software solution might be to work with redirects, and 2 separate IP addresses. ie: ssl1.mysite.com and ssl2.mysite.com - You will need 2 ssl keys though for this to work.

Does all of your app require ssl? or just a certain part, ie: payment. Do you need the stickiness for the whole app? or just for the ssl (seeing you are using tomcat, you will probably need it for the whole app)...

Andrew

On Feb 22, 2005, at 10:24 PM, Kelly Vista wrote:

Hi - We are looking to deploy our app, running on Tomcat 5, soon and are exploring load balancing options. We are looking at H/W and S/W solutions, and I was wondering if anyone had any past experience/advice they would like to share.

Our deployment is as pretty run-of-the-mill as it gets: 2 machines, each running Tomcat. We would like to avoid replicating state (since we have a lot of state in these apps, for reasons beyond our current control). Even in-memory session replication would not be an option here, so we're punting on the Tomcat cluster solution.