Setting Up SSL WebSites In A Cluster
Potential issues with SSL
The Zeus Load Balancer fully supports secure websites using the SSL protocol. However, it is important to configure your webservers correctly, because SSL can place a significant load upon them. This section deals with both the Balancer and the Zeus Web Server; if you are using another webserver for your backends, please also see the 'Non-Zeus Servers' section of this documentation for further information.

When a client web browser establishes an SSL connection with a webserver, both client and server participate in a 'handshake' protocol. There are two versions of this protocol: a longer version, used when the client and server are unknown to each other, and a shorter version, used when the client and server have communicated before.
With a non-clustered webserver, a browser viewing the site is known to the server after it requests an initial page. If a website is clustered, later requests from the same client may be passed to different backend webservers. These webservers have no knowledge of this client, and so initiate the longer version of the handshake. This is computationally expensive: performing many of these long handshakes will slow your webservers down.
Speeding up SSL
Firstly, the Zeus Load Balancer will try to steer subsequent SSL requests from the same client onto the same backend machine. If that backend is out of service or highly loaded, the request will be directed elsewhere. The Balancer maintains a mapping of clients to backends; by default it will accommodate 2048 clients. If this value is too small for your needs, it can be adjusted by adding the following line to the Balancer configuration file $ZEUSHOME/balancer/global.cfg:

    tuning!ssl_cache_size 2048

Replace the 2048 with the size that is required. Setting this value to 0 turns the feature off (not recommended except for benchmarking purposes). Note: this tuneable is not a hard limit; your servers will not stop working if you get more clients!

The second approach to this problem is specific to the Zeus Web Server and can be used in conjunction with the method described above. Clustered installs of the Zeus Web Server can share information with each other about the SSL 'sessions' they know of. Therefore, if a client contacts one machine, all the other machines in the cluster will be aware of this client. This provides great performance enhancements.
To set up this feature, you must add the following line to the configuration file of each Zeus Web Server, $ZEUSHOME/web/global.cfg:

    tuning!ssl_diskcache yes

Next, in the directory $ZEUSHOME/web, you must create a directory called 'ssl_cache'. You can do this with the following commands (ensure that you are entering these commands as a user with the correct permissions; for most installs, you will need to be root):

    cd $ZEUSHOME/web
    mkdir ssl_cache

Finally, all the web servers must share their ssl_cache directory with each other. The standard method is to create an 'ssl_cache' directory on your file server, the machine that supplies web page data to all your servers. Then use NFS or some other means to export this directory, and mount it on $ZEUSHOME/web/ssl_cache on each of the backend webservers. Finally, restart each webserver. You will now have a working shared SSL session cache.

SSL connections and logging
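The following script is an added example, not code from the Zeus documentation or product. It applies the two settings above (the Balancer's client-to-backend table size and the Web Server's on-disk session cache) in a way that is safe to re-run, and creates the ssl_cache directory with permissions restricted to its owner, since that directory will hold live SSL session state that other users on the host should not be able to read. It assumes ZEUSHOME is set in the environment (defaulting to /usr/local/zeus, which is an assumption), leaves the NFS export and mount to be done separately, and the helper names (set_tunable, get_tunable, check_ssl_cache_dir, configure_balancer, configure_webserver) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Zeus documentation or product.
# Applies the SSL session-cache settings described above to the Zeus
# configuration files and creates the shared ssl_cache directory.
# ZEUSHOME defaults to /usr/local/zeus here (an assumption); set it in
# the environment to match your install.
set -eu

ZEUSHOME="${ZEUSHOME:-/usr/local/zeus}"

# set_tunable FILE KEY VALUE: rewrite FILE so it contains exactly one
# "KEY VALUE" line. Safe to run repeatedly; all other lines are kept.
set_tunable() {
    file="$1"; key="$2"; value="$3"
    mkdir -p "$(dirname "$file")"
    touch "$file"
    tmp="$file.tmp.$$"
    # grep -v exits 1 when nothing is left to print (e.g. an empty file)
    grep -v "^$key " "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_tunable FILE KEY: print the value configured for KEY, or nothing.
get_tunable() {
    grep "^$2 " "$1" 2>/dev/null | tail -n 1 | cut -d ' ' -f 2
}

# check_ssl_cache_dir DIR: succeed only if DIR exists and grants no
# group or other permissions, so cached session state is private to
# the webserver user. Columns 5-10 of "ls -ld" are the group/other bits.
check_ssl_cache_dir() {
    [ -d "$1" ] || return 1
    go_bits=$(ls -ld "$1" | cut -c5-10)
    [ "$go_bits" = "------" ]
}

# configure_balancer [SIZE]: set the client->backend affinity table size
# in $ZEUSHOME/balancer/global.cfg (default 2048; 0 disables the feature).
configure_balancer() {
    size="${1:-2048}"
    case "$size" in
        ''|*[!0-9]*)
            echo "configure_balancer: size must be a non-negative integer" >&2
            return 1 ;;
    esac
    set_tunable "$ZEUSHOME/balancer/global.cfg" 'tuning!ssl_cache_size' "$size"
}

# configure_webserver: enable the on-disk session cache and create the
# ssl_cache directory. On each backend, mount the file server's exported
# ssl_cache on $ZEUSHOME/web/ssl_cache afterwards, then restart the server.
configure_webserver() {
    set_tunable "$ZEUSHOME/web/global.cfg" 'tuning!ssl_diskcache' yes
    mkdir -p "$ZEUSHOME/web/ssl_cache"
    chmod 700 "$ZEUSHOME/web/ssl_cache"
    check_ssl_cache_dir "$ZEUSHOME/web/ssl_cache"
}

# Run as "sh script.sh apply [size]" to change a real install; sourcing
# the file only defines the functions.
case "${1:-}" in
    apply)
        configure_balancer "${2:-2048}"
        configure_webserver
        echo "SSL cache settings applied under $ZEUSHOME"
        ;;
esac
```

Run it as root on the Balancer host and on each backend with `apply`, optionally followed by the table size. If the ssl_cache directory is later replaced by an NFS mount, re-run check_ssl_cache_dir against the mounted path: the permissions that matter are the ones the export presents, and the export itself should be limited to the backend hosts rather than the whole network.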
The Load Balancer streams SSL connections through to the backend webservers and does not decrypt any data itself. Whilst this gives high performance, it means that the Balancer cannot modify the encrypted HTTP requests to tell the backends the origin of each SSL connection. Consequently, webservers that are not Balancer-aware will log all SSL requests as if they originated from the Balancer itself.

By default, the Balancer adds some extra data to the start of each SSL connection to supply this information to the webservers. This will confuse webservers that are not Balancer-aware: only the Zeus Web Server (version 3.3.2 or greater) expects this data. When using other webservers, you should disable this feature. See the 'Non-Zeus Servers' section for details.