SSL and Load Balancing


Problem description

What effect does SSL have on the way load balancing works? I know that you need to use sticky sessions if you have chosen to not store your session info in the DB or Out of Process but how does that affect SSL?

Recommended answer

Just to clarify, the SSL/TLS sessions have nothing to do with the HTTP sessions. (Some implementations may use the SSL/TLS session ID as a basis for maintaining HTTP sessions, but this is a bad design, as SSL/TLS may change sessions completely independently of what HTTP is doing.)

In terms of load balancing, you get a couple of options:

  • Use a load-balancer that is your SSL/TLS endpoint. In this case, the load-balancing will be done at the HTTP level: the client connects to the load-balancer and the load-balancer unwraps the SSL/TLS connection to pass on the HTTP content (then in clear) to its workers.

  • Use a load-balancer at the TCP/IP level, which redirects the entire TCP connection directly to a worker node. In this case, each worker node would have to have the certificate and private key (which isn't necessarily a problem if they're administered consistently). Using this technique, the load balancer doesn't do any HTTP processing at all (since it doesn't look within the SSL/TLS connection): on the one hand this reduces the processing done by the load-balancer itself, on the other hand it would prevent you from dispatching to a particular worker node based on the URL structure for example.

Both methods have their advantages and disadvantages.
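The two options from the answer above, side by side as a configuration sketch. This is an added example, not part of the original answer: HAProxy is an assumed choice of load balancer, and every name, address and the certificate path are constructed.

```haproxy
# Added example; HAProxy is assumed, all names, addresses and the
# certificate path are constructed placeholders.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Option 1: the load balancer is the SSL/TLS endpoint (HTTP-level balancing).
frontend fe_terminate
    mode http
    # Certificate and private key live on the balancer only.
    bind 192.0.2.10:443 ssl crt /etc/haproxy/certs/site.pem
    # The balancer sees decrypted HTTP, so URL-based dispatch is possible.
    use_backend be_api if { path_beg /api/ }
    default_backend be_web

backend be_web
    mode http
    balance roundrobin
    # Sticky HTTP sessions via a cookie, independent of any SSL/TLS session.
    cookie SRV insert indirect nocache
    # Traffic from the balancer to these workers is cleartext HTTP.
    server web1 10.0.0.11:8080 check cookie web1
    server web2 10.0.0.12:8080 check cookie web2

backend be_api
    mode http
    server api1 10.0.0.21:8080 check

# Option 2: TCP-level balancing; the SSL/TLS connection passes through untouched.
frontend fe_passthrough
    mode tcp
    # No "ssl" keyword: the balancer never decrypts, so no HTTP rules apply.
    bind 192.0.2.20:443
    default_backend be_tls_workers

backend be_tls_workers
    mode tcp
    # Only connection-level data (here the client IP) is available for stickiness.
    balance source
    # Every worker must hold the certificate and private key.
    server w1 10.0.0.31:443 check
    server w2 10.0.0.32:443 check
```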
