Re: Ipfilter with SSL?
05-12-2006
Jorgen Lundman

Phil Dibowitz wrote:
> This is just SSL-offloading. Standard feature in most load balancers
> including netscaler and Foundry.


Never said it was uncommon. But so far (afaik) only "real" network devices do
this at such a level that you retain the external real IPs.

>
> I would suspect you could do this with SQUID.... the docs say it can do
> HTTP acceleration and also say it can *terminate* an SSL connection.
> The two together sound like SSL offloading... and if it doesn't do this,
> it probably could be made to with much less hacking than making IPF do it.
>
> Of course that only works for https -> http... for smtps/pops/imaps ->
> smtp/pop/imap you'd need to do more hacking.
>
> Can you give us a better idea of the flow of traffic though?
>


teh Internets             |  Load Balancer  |  Internal

                                               -> (plain TCP) host 1 192.168.1.10
204.123.45.15 (SSL) ->    |                 |  -> (plain TCP) host 2 192.168.1.11
                                               -> (plain TCP) host 3 192.168.1.12

But, as seen by the software on each cluster host, the remote IP should appear
as "204.123.45.15", not the Internal NIC's IP of the load balancer.

If you use Squid, if only for https, the remote IP (as seen by the software) is
that of the load balancer (host running Squid).

If you use IPFilter and RDR, you will get external real IPs correctly, but you
would need SSL in your application.

If you use stunnel/squid, you can offload SSL, but you will not get real
external IPs.





--
Jorgen Lundman | <lundman@lundman.net>
Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell)
Japan | +81 (0)3 -3375-1767 (home)
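The post leaves the problem as a trade-off: IPFilter RDR keeps the real client address but cannot terminate SSL, while a userland terminator (stunnel, Squid) hides the client behind the load balancer's internal NIC. The way later proxies resolved this is to carry the client address in-band, at the start of the plain TCP stream, in the HAProxy PROXY protocol v1 text header (supported today by stunnel, HAProxy, nginx, Postfix and Dovecot). The following is an added example, not code from the original post nor from IPFilter, stunnel or Squid; it implements the v1 header on both sides and the one check that makes it safe: the backend must only believe the header when the TCP peer is the load balancer, or any host that can reach a cluster host directly could claim an arbitrary source IP. The load balancer VIP 203.0.113.10 and internal NIC 192.168.1.1, the client port and the SMTP payload are constructed sample data; 204.123.45.15 and 192.168.1.10 are from the post.

```python
"""PROXY protocol v1 (HAProxy) client-address forwarding, local demo.

Added example for the thread above; not code from the original post nor
from IPFilter, stunnel or Squid. 203.0.113.10 (load balancer VIP),
192.168.1.1 (load balancer internal NIC), the client port and the
payload are constructed sample data.
"""
import ipaddress
import socket

MAX_V1_HEADER = 107  # longest valid v1 line including CRLF, per the spec


def build_proxy_v1(src_ip, src_port, dst_ip, dst_port):
    """Front-end side: encode the real client 4-tuple as a PROXY v1 line."""
    family = "TCP6" if ipaddress.ip_address(src_ip).version == 6 else "TCP4"
    return f"PROXY {family} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def parse_proxy_v1(data):
    """Backend side: return ((src_ip, src_port), (dst_ip, dst_port), rest).

    Strict on purpose: the backend will log this address and may use it for
    access control, so anything that is not exactly a well-formed v1 line
    raises ValueError instead of being guessed at.
    """
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_HEADER:
        raise ValueError("no CRLF within the maximum v1 header length")
    fields = data[:end].split(b" ")
    if len(fields) != 6 or fields[0] != b"PROXY":
        raise ValueError("malformed PROXY line")
    version = {b"TCP4": 4, b"TCP6": 6}.get(fields[1])
    if version is None:
        raise ValueError("unsupported address family")
    src_ip = ipaddress.ip_address(fields[2].decode("ascii"))
    dst_ip = ipaddress.ip_address(fields[3].decode("ascii"))
    if src_ip.version != version or dst_ip.version != version:
        raise ValueError("address family does not match the addresses")
    src_port, dst_port = int(fields[4]), int(fields[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return (str(src_ip), src_port), (str(dst_ip), dst_port), data[end + 2:]


def backend_handle(conn, peer_ip, trusted_lb_ips):
    """What a cluster host does on accept(): recover the client address.

    The header is only believed when the TCP peer is the load balancer's
    internal NIC; otherwise any host that can reach the backend directly
    could pick its own "real" client IP. The stream after the header is
    the ordinary protocol (SMTP, POP, HTTP, ...) and is returned as-is.
    """
    buf = b""
    while b"\r\n" not in buf and len(buf) <= MAX_V1_HEADER:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    if peer_ip not in trusted_lb_ips:
        return peer_ip, buf  # untrusted peer: no header expected, none parsed
    (src_ip, _), _, payload = parse_proxy_v1(buf)
    return src_ip, payload


def demo(peer_ip="192.168.1.1", trusted_lb_ips=frozenset({"192.168.1.1"}),
         client_ip="204.123.45.15", client_port=51234):
    """SSL-terminating front end -> plain TCP -> cluster host, over a socket pair.

    peer_ip plays the address the cluster host's accept() would report, i.e.
    the load balancer's internal NIC (192.168.1.1 assumed), which is all the
    application would otherwise ever see.
    """
    frontend, cluster_host = socket.socketpair()
    with frontend, cluster_host:
        # After terminating TLS, the front end forwards the decrypted bytes with
        # the client's real 4-tuple in front; 203.0.113.10:443 is the assumed
        # public address the client actually connected to.
        header = build_proxy_v1(client_ip, client_port, "203.0.113.10", 443)
        frontend.sendall(header + b"EHLO mail.example\r\n")
        frontend.shutdown(socket.SHUT_WR)
        return backend_handle(cluster_host, peer_ip, trusted_lb_ips)


if __name__ == "__main__":
    print(demo())  # ('204.123.45.15', b'EHLO mail.example\r\n')
```

Note the limit of this approach, which is exactly the distinction Jorgen draws: the application on host 1 learns the client is 204.123.45.15, but the kernel and any IPFilter rules on host 1 still see a connection from the load balancer's internal NIC, so IP-based filtering has to move to the load balancer or into the application. Running `demo(peer_ip="10.9.8.7")` shows the spoofing case: the header from an untrusted peer is handed to the application as ordinary payload rather than being believed.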