I'd like to know how the ACE module handles the traffic that is re-encrypted and sent to the servers in an SSL end-to-end scenario.
What I mean is:
the ACE terminates SSL requests for the clients and then encrypts the traffic to the load-balanced servers. How is this handled?
Does the ACE initiate a one-to-one client-server encrypted connection, or could it establish and maintain a sort of SSL tunnel to the servers (keeping the number of sessions low)?
I did some research but no precise info could be found.
Any information would be appreciated.
The "TCP Server Reuse" feature is what you are describing. It is documented here:
One thing to understand - TCP reuse does not allow more than one client to use a connection at the same moment in time. A single client makes a connection on the front end, and a connection is made on the back end as well. After the client sends a FIN or RST, ACE closes the connection on the front end and leaves the connection open on the back end. It builds a pool of connections that it keeps open with TCP keepalives.
When a new client connection comes in, ACE tries to match the connection to one in the pool. If there is a match, ACE completes the handshake on the front end and maps it to the back-end connection (the GET, or whatever the request is, would be sent over the back-end connection immediately after the 3-way handshake.)
If the connection did not match, ACE would open a new connection on the back end. The match is based on parameters in the SYN packet like TCP options, MSS, etc.
As this pertains to SSL, ACE would keep the back-end SSL connection open (just a bit further than the 3-way handshake referenced above, of course.)
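A small model of the pooling behaviour described in the answer above, added here as an illustration and not ACE's own code: idle back-end connections are matched on the client's SYN parameters, at most one client is mapped to a back-end connection at any moment, and a client FIN/RST returns the connection to the pool. The specific SYN fields (MSS, window scale, SACK) are an assumed example set.

```python
# Constructed model of the TCP server-reuse pool described above; not ACE's code.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SynParams:
    """Client SYN options that must match a pooled back-end connection (assumed set)."""
    mss: int
    window_scale: int
    sack_ok: bool

@dataclass
class BackendConn:
    conn_id: int
    params: SynParams
    client: Optional[str] = None  # at most one client at any moment; None while idle in pool

class ReusePool:
    def __init__(self) -> None:
        self.idle: list = []        # connections kept open to the server (keepalives in ACE)
        self.active: dict = {}      # client -> back-end connection currently mapped to it
        self._next_id = 0

    def client_syn(self, client: str, params: SynParams) -> BackendConn:
        """Front-end SYN arrives: map it to a matching idle back-end connection, else open one."""
        for conn in self.idle:
            if conn.params == params:
                self.idle.remove(conn)
                conn.client = client
                self.active[client] = conn
                return conn
        self._next_id += 1
        conn = BackendConn(self._next_id, params, client)
        self.active[client] = conn
        return conn

    def client_fin(self, client: str) -> None:
        """Client FIN/RST: close the front end, return the back-end connection to the pool."""
        conn = self.active.pop(client)
        conn.client = None
        self.idle.append(conn)

def demo() -> tuple:
    """Returns the back-end conn ids used by three clients and the idle-pool size at the end."""
    pool = ReusePool()
    p = SynParams(mss=1460, window_scale=7, sack_ok=True)
    c1 = pool.client_syn("c1", p)
    pool.client_fin("c1")                                   # back end stays open, goes idle
    c2 = pool.client_syn("c2", p)                           # same SYN params: reuses c1's conn
    c3 = pool.client_syn("c3", SynParams(1380, 7, True))    # different MSS: new back-end conn
    return c1.conn_id, c2.conn_id, c3.conn_id, len(pool.idle)
```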