Pfsense: Inbound Load Balancing https with sticky connection

httpsload balancingpfsensesticky-sessions

first of all I'm very sorry for my English…

This is my scenario:

Internet

Firewall+LB: pfsense_1(Active) + pfsense_2(Passive) in CARP

Pool servers: 3 x nginx(PHP5+HTTP+HTTPS)

Pfsense 1 and 2 CARP configured with Virtual IP (pubblic). Nginx servers's ips are all private.

I want to load balance inbound HTTP and HTTPS connections between the 3 nginx web servers. An importat thing is that the HTTPS connections must be "sticky connections": in HTTPS connections, after login by username and password, I setup a php session and therefore when a client starts a HTTPS connection it will be always redirected to the same nginx server, until it disconnects itself, it closes the page/browser or after a timeout (30minutes?) without activity.
Is this possible whit the last release(2.0.1) of pfsense?

thank you very much…

Best Answer

What you want to do is install a more traditional load-balancing software such as HAProxy(it is a package in pfSense or can be a separate server). There you should be able to configure sticky sessions.

Related Solutions

nginx HTTPS – How to Serve HTTPS with Same Config as HTTP

You can combine this into one server block like so:

server {
    listen 80;
    listen 443 default_server ssl;

    # other directives
}

Official How-To

Sticky Sessions with Load Balancers – Downsides and Considerations

There are two main downsides:

Your load isn't evenly distributed. Sticky sessions will stick, hence the name. While initial requests will be distributed evenly, you might end up with a significant number of users spending more time than others. If all of these are initially set to a single server, that server will have much more load. Typically, this isn't really going to have a huge impact, and can be mitigated by having more servers in your cluster.
Proxies conglomerate users into single IP's, all of which would get sent to a single server. While that typically does no harm, again other than increasing individual server loads, proxies can also operate in a cluster. A request into your F5 from such a system would not necessarily be sent back to the same server if the request comes out of a different proxy server in their proxy cluster.

AOL was at one point using proxy clusters, and really screwed with load balancers and sticky sessions. Most load balancers will now offer sticky sessions based off of C-Class net ranges, or with the case of F5, cookie based sticky sessions which store the end node in a web request cookie.

While cookie based sessions should works, I've had some problems with them, and typically choose IP based sessions. BIG HOWEVER: I'm mostly working on internal apps - DMZ milage might vary.

All that being stated, we've had some great success with sites running behing F5 with sticky sessions and In-Proc sessions.

You also might want to take a look at one of the in memory distributed caching systems like Memcached or Velocity for an alternative to session being stored in SQL or the out of proc memory service. You get close to the speed of in-proc memory with the ability to run it across several servers.

Best Answer

Related Solutions

nginx HTTPS – How to Serve HTTPS with Same Config as HTTP

Sticky Sessions with Load Balancers – Downsides and Considerations

Related Topic