
Load balance to both HTTP and SSL services

Ross Bender


We have some current backend servers that we are load balancing to through HTTP (in a service group) on our LBVS. We now have some new backend servers for the same application that are over HTTPS and need to be configured with an SSL service or service group.


The one complication is that we want to weight the new servers less compared to the existing ones. When trying to add both HTTP and SSL services to the same LBVS, we get the error "Operation not permitted". This happens both for LBVS of type HTTP or SSL.


Can this be done? Any advice?


My apologies, I should have given more detail in the original post.


The LBVS is an internal (non-addressable) server that receives traffic behind a CSVS. Client traffic comes in via HTTPS to the CSVS, the CSVS then passes it to the LBVS, and we now want the LBVS to talk to both HTTP and HTTPS backends.


The other thing to note is that if we have multiple service groups, we can't add weight between them, can we? We want 20% of traffic to go to the HTTPS backends (new servers) and the rest to go to HTTP (current/existing).


Um...yeah; I don't think that's going to work exactly the way you want.

Let's forget the service group for a second. Let's just pretend it's two services:

lb_vsrv_ssl (VIP1:SSL:443), svc1_80 (srv1:HTTP:80) and svc2_443 (srv2:SSL:443)

With or without weights, it sounded like you want traffic going to old server svc1:HTTP:80 and new traffic going to new server svc2:HTTPS:443.

You can't have SSL offload and End To End SSL in this case.


If you want to have lb vserver one handle HTTP traffic across old and new servers with the 20% weight on the new stuff, and then a separate SSL vserver for the SSL traffic to the new servers only (assuming the old servers can't do SSL), then maybe you have a fix. But I don't think you can have both HTTP and SSL services as destinations on the same SSL vserver as one load balancing pool. Won't work even with individual services (so not just a servicegroup thing).


But maybe share your CS/LB/Service config to see if I just completely misunderstood your example.


It seems like having mixed services on a vserver would be possible...but I guess not? It's weird that I could put an HTTP or an SSL service on an SSL vserver, but not both at the same time.


So, assuming different vservers are needed (one HTTP LBVS for HTTP services for old servers and one SSL LBVS for SSL services for new servers), is there a way to weight 20% of traffic to the SSL LBVS (new backend servers) and the rest to the HTTP LBVS?


If that's not possible, is there another way to accomplish it?


If you separate your HTTP and HTTPS backend requests through some criteria such as path or cookie or other indicator, then maybe.


If the NEW servers are using SSL for only certain services, use content switching to sort this traffic to lb_vs_1 which only directs traffic to the NEW servicegroup pool.

Have all other traffic go to lb_vs_2, which sends traffic to svcg_newstuff with increased weights and svcg_oldstuff with the lower weights (or vice versa), but this would all be HTTP.

You basically would have some content HTTP only and only the new SSL-backend would hit the new servers.

You can bind http services and SSL services to the same vServer. I did it (on firmware 10.5). It's obvious that they can't be in the same service group.


SSL would just not make sense. We're using it to avoid non-encrypted traffic on the LAN. But load balanced, half encrypted, half not? Seems like a waste of CPU to me.


My test on 12.1 wouldn't allow both to be bound at the same time (either as services or servicegroups). If there was some other reason beyond the mixed protocol types, I just missed it...so feel free to correct me.


Ross, for your original issue, though, I think you'd be best figuring out which of your content is HTTP only and letting CS direct it to an HTTP lb vserver with the correct mix of old/new servers, and then ensuring the SSL traffic is directed to the NEW servers only. Either that or add a cert to the old servers too, so both old and new servers can do SSL without the headaches (this would be the most straightforward idea unless there is a reason you don't want to add a cert to the old servers at all). This way you still have your SSL frontend but can separate the HTTP vs SSL backend traffic, while load balancing still does the work. The trick is whether you have some sort of header/path/cookie or other indicator that you can use to sort the traffic appropriately.
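The split described in the replies above, written out as NetScaler CLI. This is an added example, not configuration from anyone in the thread; it assumes placeholder server and certkey names, RFC 5737 addresses, that the new servers also listen on HTTP port 80, and that the content which must stay encrypted to the backend lives under /secure/.

```nscli
# Added example with constructed names/addresses, not from the thread.
# Backend servers (documentation addresses).
add server srv_old1 192.0.2.11
add server srv_old2 192.0.2.12
add server srv_new1 192.0.2.21

# HTTP pool mixing old and new servers. Weights 2:2:1 give the new
# server 1/5 = 20% of this pool's requests under weighted round robin.
add serviceGroup svcg_old HTTP
bind serviceGroup svcg_old srv_old1 80 -weight 2
bind serviceGroup svcg_old srv_old2 80 -weight 2
add serviceGroup svcg_new_http HTTP
bind serviceGroup svcg_new_http srv_new1 80 -weight 1

# Non-addressable HTTP LB vserver (0.0.0.0 port 0) sitting behind the CS vserver.
add lb vserver lb_vs_http HTTP 0.0.0.0 0 -lbMethod ROUNDROBIN
bind lb vserver lb_vs_http svcg_old
bind lb vserver lb_vs_http svcg_new_http

# SSL pool: end-to-end TLS to the new servers only. serverAuth makes the
# appliance verify the backend certificate against ca_backend (placeholder
# certkey) instead of accepting any certificate the backend presents.
add serviceGroup svcg_new_ssl SSL
bind serviceGroup svcg_new_ssl srv_new1 443
set ssl serviceGroup svcg_new_ssl -serverAuth ENABLED
bind ssl serviceGroup svcg_new_ssl -certkeyName ca_backend -CA
add lb vserver lb_vs_ssl SSL 0.0.0.0 0
bind lb vserver lb_vs_ssl svcg_new_ssl

# Client-facing SSL CS vserver; cert_front is a placeholder certkey name.
add cs vserver cs_vs_front SSL 192.0.2.10 443
bind ssl vserver cs_vs_front -certkeyName cert_front

# Requests under /secure/ go to the SSL-backend LB vserver; everything
# else falls through to the HTTP LB vserver with the 80/20 mix.
add cs action act_to_lb_ssl -targetLBVserver lb_vs_ssl
add cs policy pol_secure_path -rule "HTTP.REQ.URL.PATH.STARTSWITH(\"/secure/\")" -action act_to_lb_ssl
bind cs vserver cs_vs_front -policyName pol_secure_path -priority 100
bind cs vserver cs_vs_front -lbvserver lb_vs_http

# Check the routing and the effective weights.
show cs vserver cs_vs_front
show serviceGroup svcg_old
show serviceGroup svcg_new_http
```

The 20% figure holds per request only while every member is UP and the pool uses weighted round robin; under least connection the weights shape the ratio but do not pin it.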

