NodeBalancers 一直支持包括 SSL 在内的基于 TCP 的协议,但我们很高兴地宣布,NodeBalancers 现在包括本地 HTTPS 支持。
这意味着NodeBalancer可以为你终止SSL连接,并拥有你已经从HTTP模式中享受到的功能和行为--包括正确设置一个 X-Fowarded-For 头与请求者的IP地址,以及用于后端节点粘性的会话cookies。
为了做到这一点,使用443端口(通常)创建一个新的配置文件,将协议设置为HTTPS,然后提供证书及其私钥(没有口令)。链式中间证书也被支持。下面是一张显示新选项的截图:
对于流量较大的 SSL 网站的注意事项:SSL 协商是一项计算成本很高的操作,SSL 模式下的 NodeBalancer 可能跟不上。 在这种情况下,我们建议使用 TCP 模式,并将 SSL 终止负载分配给后端 Linodes。 或者,您也可以在 SSL 模式下使用多个NodeBalancers ,并使用轮循 DNS。
更多信息:
好好享受吧!
评论 (10)
Does Linode use HAProxy to run this service?
Hi,
If not good for high traffic, what’s the advantage ?
Thanks
@Jan: convenience – it’s very easy to get SSL working using the NodeBalancer user interface. This is also a good first step for us supporting native SSL — we gotta start somewhere.
How computationally expensive is SSL for you guys?
From Google: “On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead.” (https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html)
What kind of maximum concurrency are we talking about here for SSL on a nodebalancer?
What traffic max rate is expected to be handled by these balancers? If a regular balancer handles 10k, what about SSL ones?
NodeBalancers have a 10,000 concurrent connection limit. It’s not a request/sec limit. There is no artificial request/sec limit built into NodeBalancers. A NodeBalancer config in TCP or HTTP mode can accept connections pretty much as fast as packets can be slung to/from the backends. In other words: it’s a lot.
A NodeBalancer config in HTTPS mode can achieve 10,000 concurrent connections, too – it may just take some time to ramp up to that. While testing very small requests (connections don’t live long) we’ve seen about 150 req/sec via HTTPS mode. Again, it’s a good place to start, and we’ll be working on improving the req/sec throughput of native HTTPS mode.
Thanks for the comments 🙂
Hi. I previously asked if Linode uses HAProxy for this service? (And indirectly I guess I was wondering what other software/hardware is being use. My post is still awaiting moderation even though posts made after mine have been approved.
In the past Linode has been quite open about its architecture, especially about its implementation of Xen. Is there a reason we don’t get much detail about how NodeBalancers work? Is there something offensive or inappropriate about me asking these things?
Tom, I’d be interested too… Although it’s not out of the realm of possibility that they built their own with something like Golang (esp since 1.1), an accounting proxy would be trivial on such stack.
Any chance to have TLS renegotiation so we can host more than one domain on HTTPS ?