Pound and SSL Setup
"Mathew Brown" <mathewbrown(at)fastmail.fm>
2006-07-30 22:43:30
Hi,
  I currently have the following setup and I was wondering if Pound can
  help me in my setup.  I have 2xNLB servers (linux-based with one in
  stand-by mode) with 2+ application servers behind the NLB (I plan on
  running JBoss on them).  Users will be connecting via https to the
  application server, so I am investigating my options.  I was
  considering buying an SSL accelerator card but didn't find many that
  support Linux.  I then ran across pound and was wondering if it can
  take the place of the SSL accelerator (I might add an extra CPU to
  handle the load).  Is this setup doable using pound?  If so, how many
  SSL certificates would I need and on which machines would they be?  On
  the NLB?  On the Application Server?  Thanks for your help.[...]

Re: [Pound Mailing List] Pound and SSL Setup
Adam Borowski <kilobyte(at)angband.pl>
2006-07-31 01:14:05
On Sun, Jul 30, 2006 at 01:43:30PM -0700, Mathew Brown wrote:[...]

Yeah, it is one of the primary purposes behind pound!
[...]

Just one.  An SSL certificate is used per domain name, not per
machine.  All involved servers will have copies of the same cert.
[...]

It depends where you would want to have SSL decrypted.  If you want
to entrust pound with doing the load balancing, you will put both
pound and the SSL certs on your NLBs.  If you prefer netfilter-based
load balancing and want pound to do nothing but decrypting SSL, on the
application servers.

I would strongly recommend the former.  Pound will notice when one of
your application servers goes down; doing this with netfilter would
require redundant work.


Regards,[...]
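
Added example, not part of the original thread and not the posters' configuration: a Pound 2.x configuration sketch for the layout recommended above, with pound on each NLB terminating SSL and balancing across the application servers. The certificate path, the back-end addresses and port 8080 are constructed placeholders.

```conf
# pound.cfg on each NLB (active and stand-by carry the same file and cert)

User    "nobody"            # drop privileges after binding port 443
Group   "nogroup"
Alive   30                  # seconds between re-checks of a back-end marked dead

ListenHTTPS
    Address 0.0.0.0
    Port    443
    # One PEM file for the site's domain name, holding the certificate and
    # its private key. Hypothetical path; keep it readable by root only.
    Cert    "/etc/pound/site.pem"

    Service
        # Application servers behind the NLB (constructed addresses).
        # Pound forwards decrypted requests as plain HTTP, so this
        # network segment must be trusted and not reachable by clients.
        BackEnd
            Address 10.0.0.11
            Port    8080
        End
        BackEnd
            Address 10.0.0.12
            Port    8080
        End
    End
End
```

With this layout the private key lives only on the two NLBs, and the application servers need no certificate of their own.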
