Home page logo

basics logo Security Basics mailing list archives

Re: HTTPs web-balancing
From: Patrick Debois <Patrick.Debois () jedi be>
Date: Mon, 13 Aug 2007 16:33:12 +0200

Some thoughts as you requested:

Loadbalancers and http/s often relate for
*) SSL offloading (decrypt the traffic, and sometime reëncrypt)
*) Balancing traffic (used for priorisation, Qos)
*) Failover mechanism

There is also a distinction using loadbalancers in http/s for
*)only server certificates
*)client certificates

Solutions exist either from the HW proxy world (bluecoat), SW proxy
(apache mod_balance), balance,  Network (css)

* I guess the problem you are refering to is that if loadbalancers
integrate at the real http/s layer that they work like a sort Man in the
When you take the whole chain server AND client certificates this is
indeed a problem. Only server certificates does not pose that much of a
problem because
you can install the same certificate on the loadbalancers. For SSL
client certifactes normally termination needs to be done on the http/s
webserver itself.
Vendors solve this by doing the reading of the client DN in the
certificate and passing it via an http-header to the backend . But
online checking with CRL's and OCSP are often not integrated.

*Stickyness in an SSL session: these loadbalancers can see the SSL
sessions but these tend to negotiated differently based on the browser type

*Buffering and delays:  the  introduction of http/s through a
loadbalancer can  cause some latency problems in case a lot of small
packets are encrypted/decrypted. Have a look  in google 'nagle algoritm'

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of MARTIN Benoni
Sent: Thursday, August 09, 2007 11:55 AM
To: security-basics () securityfocus com
Subject: HTTPs web-balancing

Hi !

Anyone has experiencied load-balancing with https ? Some guys say it's
possible, other say no. Some vendors say yes, some friends say no :(.
I'm quite lost !

Thx !

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]