SSL – Why a layer 7 load balancer cannot pass through SSL termination

load balancing, ssl

I need to share the SSL termination task among a server farm or multiple processes. In this architecture, there should be a load balancer in front of this SSL termination task. After looking for an appropriate software load balancer for a while, it turned out that only layer 4 (TCP) load balancers (haproxy) are suitable for this job rather than layer 7 (HTTP/HTTPS) ones.

My question is, why can layer 7 load balancers like nginx or perlbal not just pass through SSL termination? Client IP addresses should be available in a layer 7 load balancer. They can just forward requests, right?

The architecture is like:

HTTPS balancer (L4/TCP balancer)
  / | \        <--- HTTPS traffic
SSL server farm/processes
  \ | /        <--- HTTP traffic
HTTP balancer (L7/HTTP balancer)
  / | \
HTTP server farm/processes

Reference: http://1wt.eu/articles/2006_lb/index_09.html

Best Answer

The TCP layer just routes traffic, with added headers/control over network packets from the underlying layer. It has no knowledge of what it transports, thus it does not need to deal with its content, or with whether it is HTTP(S). HTTP/HTTPS does not matter.

When dealing with the application layer, you are deep down within the content, since you deal with an application. In the case of HTTPS, you will need SSL termination. HTTP/HTTPS does matter.

Thus, if you want to load-balance at the application level, you will then need to do SSL termination on the same load balancers. nginx allows you to do that.

If you wish to separate those tasks, you will need a network/routing-level load-balancer.
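The two-tier layout from the question written out as an HAProxy configuration; this is an added example, not from the original post or the HAProxy project, and the backend names, host addresses and ports are assumed. Tier 1 runs in TCP mode and never decrypts, tier 2 runs in HTTP mode on already-decrypted traffic, and the PROXY protocol option covers the client-IP concern raised in the question.

```haproxy
# Tier 1: HTTPS balancer in TCP mode (layer 4). HAProxy forwards the raw TLS
# byte stream without decrypting it, so no certificate or private key lives here.
frontend https_in
    bind *:443
    mode tcp
    option tcplog
    default_backend ssl_terminators

backend ssl_terminators
    mode tcp
    balance roundrobin
    # Assumed SSL-terminating hosts; they hold the certificate and decrypt.
    # "send-proxy" prepends a PROXY protocol header so each terminator still
    # learns the real client IP, which plain TCP forwarding would otherwise hide
    # (the terminator must be configured to accept PROXY protocol on its listener).
    server ssl1 10.0.1.11:443 check send-proxy
    server ssl2 10.0.1.12:443 check send-proxy

# Tier 2: HTTP balancer in HTTP mode (layer 7). It receives plain HTTP from the
# terminators, so it can read headers, route on paths and add its own headers,
# none of which is possible on the encrypted stream seen by tier 1.
frontend http_in
    bind *:80
    mode http
    option httplog
    # Add X-Forwarded-For only if the terminator did not already set it with the
    # real client address; otherwise this balancer would only see the terminator's IP.
    option forwardfor if-none
    # Content-based routing is available now that the request is readable.
    acl is_api path_beg /api
    use_backend api_servers if is_api
    default_backend web_servers

backend web_servers
    mode http
    balance roundrobin
    option httpchk GET /health
    server web1 10.0.2.21:80 check
    server web2 10.0.2.22:80 check

backend api_servers
    mode http
    balance leastconn
    server api1 10.0.2.31:8080 check
```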