[Novalug] Software-based load balancing

Dave Greene omniplex at omniplex.net
Wed Mar 7 19:11:06 EST 2012


Security risks come in many forms.
For example, if you do software load balancing and SSL offloading in the load
balancer, will you be using an HSM (FIPS compliance), or do you need to worry
about your keys being on the load balancer?
Do you need to handle persistency, and if so, how do you want to handle it?
Offloading SSL to the load balancer, can the load balancer handle the load
without causing a performance hit?

Apache has a load balancing solution as well.
Your second flow would normally be correct in how to do everything if you
want to separate your zones into a presentation and secure zone (app and
database live in secure zone).

Generally I deal with F5 load balancers exclusively; however, I have used
Apache proxy some.

F5 also has a "virtual" load balancer that runs in VMware that may or may
not be worth looking at; cost-wise, I cannot tell you if it's cost effective
or not.


-----Original Message-----
From: novalug-bounces at calypso.tux.org
[mailto:novalug-bounces at calypso.tux.org] On Behalf Of Brander Snaxe
Sent: Wednesday, March 07, 2012 18:20 PM
To: novalug mailing list
Subject: [Novalug] Software-based load balancing

I am in charge of designing some of the infrastructure pieces for my
software development team. We have an n-tier solution accessed via the
browser. There is a presentation tier, a business logic tier, and the
database tier. The presentation tier is comprised of HTTP servers for static
content and Java EE servers for JSP/servlets. The business logic is
comprised of Java EE servers running web services, EJBs, and Spring.

The presentation tier is accessible to the internet. The business logic tier
is not. The database tier and the business tier are in the same network
zone.

It's like this:

client -----> [firewall] ----> presentation (HTTP/JSP) -----> [firewall] -----> business (Java EE/Spring) ------> database

Now, I plan on using Java EE clustering in the business tier no problem.

However, now I need to implement a load balancing strategy for both tiers. I
am assuming these load balancers would go here:
client -----> [firewall] ----> (LB/VIP) --> presentation (HTTP/JSP) -----> [firewall] -----> (LB/VIP) --> business (Java EE/Spring) ------> database

Let me say that
1. I come from a developer background and not infrastructure/deployment
2. I DO know basic system engineering (Linux+ and Network+, worked with
virtualization)
3. I have never worked with load balancing
4. I have done lots of reading on the internet on it for the past few days

My goal is to do something that mimics real world deployment. I want to keep
it as simple as possible. This is NOT production, so performance is not as
important as whether or not all of our software works decently in the
configuration.

User base is probably 100 concurrent max.

Since this is DEV and not PROD, my costs need to be limited. I cannot
acquire any sort of hardware load balancing solution for this (I have read
about Netscalers and F5's). So I am forced to come up with a software-based
approach.

All of this will be done using virtual machines in vSphere.

I need SSL from the client side minimum. I have concerns about encrypted
traffic from tier-to-tier as well but need input.

I have researched the following:
1. Linux Virtual Servers (IPVS)
2. Pound
3. Pen
4. HaProxy
5. Nginx
6. CARP (freebsd/pfSense)
7. VRRP
8. keepalived
9. stunnel
10. stud
11. probably more I'm forgetting but these are the prominent items on my
mind


I have learned that load balancers come in two forms:
1. Layer 4
2. Layer 7

This website was very helpful (but trust me this is not my only source of
research):
http://loadbalancing.org/

Now I'm struggling with how to proceed.

What would you or do you use in your client environment?

I have thought of using Nginx as a layer 7 load balancer and also doing SSL
termination on it. This has the advantage of being simple and I can have
central management of SSL certs/installs. However, this means traffic inside
the network from the LB to the actual load balanced web server could be
sniffed. Is this a real concern? I really like the idea of central SSL
termination, but this seems like a security risk.

The same holds true for the presentation servers to the business logic
servers. If a presentation server uses a non-encrypted web service from the
business tier, then this traffic could be sniffed as well. In anybody's
experience, do you use SSL between tiers?

Linux Virtual Servers (IPVS) seems cool, but if I use it at any tier, then I
have to do SSL after the load balancer on the servers themselves as it is
Layer 4. This means no central management of SSL certs.

I'm sure I could talk about more configurations on my mind, but I wanted to
start a conversation just to get initial thoughts from those who do this
sort of thing. I realize there are always trade-offs with complexity,
security, performance, etc. but I just can't seem to decide on what 'real'
people are doing (and not just what google searches tell me people are
doing).
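
The option raised in the thread, Nginx as a layer 7 load balancer with central SSL termination, can be combined with re-encryption to the back ends so that the hop from the load balancer to the presentation servers is not cleartext. The configuration below is an added example and not part of either message; the host names, addresses and file paths are placeholders, and it assumes the back ends present certificates issued by an internal CA.

```nginx
# Added example. Goes inside the http { } context of nginx.conf.
# All names, addresses and paths below are placeholders.

upstream presentation {
    # Presentation-tier servers listening with TLS on 8443 (assumed port).
    server 10.0.1.11:8443;
    server 10.0.1.12:8443;
}

server {
    listen 443 ssl;
    server_name app.example.test;

    # Client-facing certificate and key, managed in one place on the LB.
    # The private key lives on this host's disk unless an HSM is used.
    ssl_certificate     /etc/nginx/tls/app.example.test.crt;
    ssl_certificate_key /etc/nginx/tls/app.example.test.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Weak variant: "proxy_pass http://presentation;" terminates TLS here
        # and forwards cleartext, readable by anything on the internal segment.
        # Corrected variant: re-encrypt to the back ends.
        proxy_pass https://presentation;

        # proxy_ssl_verify is off by default; without it the LB encrypts
        # but accepts any certificate the back end presents.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_verify_depth        2;

        # Name the back-end certificates are issued for (checked and sent as SNI).
        proxy_ssl_name                presentation.internal.example.test;
        proxy_ssl_server_name         on;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Preserve the original request details for the application.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Client-facing certificates stay centrally managed on the load balancer; the back ends need only internal-CA certificates, which can be issued and rotated separately.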