https / ssl pass-through
From: "david walters" <dwalters1(at)gmail.com>
Date: 2006-10-08 13:34:47
I know this subject has been touched on before, but I couldn't find any
reasonable conclusion...
Is it possible to get pound to pass through ssl requests untouched to
backends? I feel there is a need to do this because ssl is an
overhead/bottleneck and in high load situations needs to be load balanced.
In the meantime I am having to switch over to using pen in a particular
case, which does allow this, although it means I lose a lot in flexibility
of configuration.
/David
Re: [Pound Mailing List] https / ssl pass-through
From: Ted Dunning <tdunning(at)veoh.com>
Date: 2006-10-08 19:40:17
You can balance SSL traffic at the IP level, but not at the content level.
This is because SSL is secure against man-in-the-middle attacks.
One option is to use a TCP load balancer to balance against multiple pound
instances. Source IP sessioning at the IP load balancer would give you the
ability to do any session sticking on the pound instances.
Another option is to install SSL acceleration hardware. This can obviously
be used in conjunction with the first case.
A final option is to get some networking hardware like an f5. Almost (but
not all) every high volume site eventually has to go to a specialized
solution for this problem if only because it is hard to hand-roll really
robust high availability solutions that fail-over gracefully (losing all of
the session, connection and live transactions is not usually acceptable).
Management load also becomes important, so things like being able to bring up
new services or adjust server pools or authentication while the system is
live become pretty critical. Pound doesn't do any of this and probably
never will since the focus of its developers is elsewhere. Haproxy can
probably handle the load and deals reasonably with some of the management
issues, but it doesn't do SSL at all.
On 10/8/06 4:34 AM, "david walters" <dwalters1(at)gmail.com> wrote:
[...]
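Ted's first option (a TCP-level balancer in front of several pound instances, with source-IP stickiness at that tier) as an added HAProxy configuration sketch; this is not from the thread or from either project. It assumes HAProxy run in `mode tcp`, which is why it needs no SSL support of its own, and uses constructed addresses 10.0.0.11 and 10.0.0.12 for the pound instances, each of which holds the certificate and terminates SSL itself.

```haproxy
# Front tier: HAProxy in TCP mode relays the encrypted bytes untouched.
# It never holds the certificate and never decrypts, so it cannot route on
# URL or cookie; the only per-client signal it has is the source IP.
global
    daemon
    maxconn 4096

defaults
    mode tcp                    # raw TCP relay, no HTTP or SSL processing
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend https_in
    bind *:443                  # clients connect here; TLS stays end-to-end
    default_backend pound_ssl

backend pound_ssl
    balance source              # same client IP -> same pound instance,
                                # so pound's own cookie/URL stickiness holds
    # Constructed addresses: each pound instance runs ListenHTTPS with the
    # site certificate and does the content-level balancing to the app tier.
    server pound1 10.0.0.11:443 check
    server pound2 10.0.0.12:443 check
```

Session stickiness at this tier is by source IP only, so clients behind one NAT gateway all land on the same pound instance; content-level stickiness (cookies, URL) happens on pound after it has decrypted the request.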