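NodeBalancers have always supported TCP-based protocols, including SSL, but we're pleased to announce that NodeBalancers now include native HTTPS support.
This means the NodeBalancer terminates SSL connections and gives you the features and behaviors you already enjoy in HTTP mode, such as correctly setting the X-Forwarded-For header with the requester's IP address, and session cookies for backend node stickiness.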
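How a backend behind an HTTPS-mode NodeBalancer can read the X-Forwarded-For header without trusting values a client supplied, as an added example (not Linode's code). It assumes the balancer appends the requester's address to any header the client sent; the 192.0.2.0/24 proxy range, the sample requests and the function names are constructed placeholders.

```python
import ipaddress

# Constructed placeholder: the address range your balancer connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]


def _is_trusted(addr):
    # Membership is False when address and network differ in IP version.
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the requester's IP as a string.

    peer_addr:  source address of the TCP connection to the backend.
    xff_header: raw X-Forwarded-For value, or None when absent.
    """
    peer = ipaddress.ip_address(peer_addr)
    # A connection that did not come from the balancer can put anything in
    # the header, so it is ignored and the socket address is used.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Assumption: each proxy appends the address it saw, so the rightmost
    # entries were written by infrastructure we trust. Walk right to left
    # and stop at the first address that is not one of our proxies.
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            # Malformed entry: nothing to its left can be verified either.
            return str(peer)
        if not _is_trusted(hop):
            return str(hop)
    # Header held only trusted proxies; fall back to the socket address.
    return str(peer)


if __name__ == "__main__":
    # Constructed sample requests: (socket peer, X-Forwarded-For value).
    samples = [
        ("192.0.2.10", "203.0.113.7"),            # normal request via balancer
        ("192.0.2.10", "10.1.1.1, 203.0.113.7"),  # client pre-seeded the header
        ("198.51.100.5", "127.0.0.1"),            # request bypassing the balancer
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", client_ip(peer, xff))
```

Restricting the backend's listening port to the balancer's addresses at the firewall removes the bypass case entirely; the check in the code is the fallback when that is not in place.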
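To do this, create a new configuration profile using port 443 (typically), set the protocol to HTTPS, and then provide the certificate and private key (without a passphrase). Chained intermediate certificates are also supported. Here is a screenshot showing the new options.
A note for higher-traffic SSL sites: SSL negotiation is a computationally expensive operation, and a NodeBalancer in SSL mode may not have enough capacity to keep up. In these situations, we recommend using TCP mode and distributing the SSL termination load across your backend Linodes. Alternatively, you can use multiple NodeBalancers in SSL mode with round-robin DNS.
For more information, see the following.
Enjoy!
Comments (10)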
Does Linode use HAProxy to run this service?
Hi,
If not good for high traffic, what’s the advantage?
Thanks
@Jan: convenience – it’s very easy to get SSL working using the NodeBalancer user interface. This is also a good first step for us supporting native SSL — we gotta start somewhere.
How computationally expensive is SSL for you guys?
From Google: “On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead.” (https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html)
What kind of maximum concurrency are we talking about here for SSL on a nodebalancer?
What traffic max rate is expected to be handled by these balancers? If a regular balancer handles 10k, what about SSL ones?
NodeBalancers have a 10,000 concurrent connection limit. It’s not a request/sec limit. There is no artificial request/sec limit built into NodeBalancers. A NodeBalancer config in TCP or HTTP mode can accept connections pretty much as fast as packets can be slung to/from the backends. In other words: it’s a lot.
A NodeBalancer config in HTTPS mode can achieve 10,000 concurrent connections, too – it may just take some time to ramp up to that. While testing very small requests (connections don’t live long) we’ve seen about 150 req/sec via HTTPS mode. Again, it’s a good place to start, and we’ll be working on improving the req/sec throughput of native HTTPS mode.
Thanks for the comments 🙂
Hi. I previously asked if Linode uses HAProxy for this service? (And indirectly I guess I was wondering what other software/hardware is being used.) My post is still awaiting moderation even though posts made after mine have been approved.
In the past Linode has been quite open about its architecture, especially about its implementation of Xen. Is there a reason we don’t get much detail about how NodeBalancers work? Is there something offensive or inappropriate about me asking these things?
Tom, I’d be interested too… Although it’s not out of the realm of possibility that they built their own with something like Golang (esp since 1.1), an accounting proxy would be trivial on such a stack.
Any chance to have TLS renegotiation so we can host more than one domain on HTTPS?