There surely are reasons not to integrate at the load balancer, but they're not because the load balancer will melt down.
IMO (and I believe Google agrees - http://www.imperialviolet.org/2010/06/25/overclocking-ssl.ht...) the advantages of terminating SSL at the load balancer outweigh the horizontal scalability of this approach, at least in most cases.
The latter point isn't that big a deal if the only reason for affinity is SSL session caching, because you could yank the server even if it has active sessions, and the clients would simply re-establish with the next backend.
I often load-balance ssl using session affinity, and would also like to know if this author has encountered other issues, or just hasn't looked at the capabilities of haproxy in a while.
The idea would be to make sure that a given client is always sent to the same SSL handler.
We could imagine having two layers of load balancers:
- first layer would use source IP address and/or session data to determine to which server of the second layer the connection should be forwarded;
- second layer would receive the connection and do the proper SSL handling.
I believe that this would work, but it seems that it would require a custom "half-implementation" of SSL on the first layer of load balancers. I don't know if there is any provision for that in OpenSSL or GNUTLS. Also, since there are already hooks to do session caching in most SSL-enabled servers, using those hooks to plug in a memcached backend seems to be less "disruptive" (read "easier to understand, implement and debug").
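As an added illustration, not from this thread, here is the first-layer routing sketched above in Python: it parses only the session ID from the ClientHello/ServerHello and keeps a stick table learned from the backend's ServerHello, which is roughly the "half-implementation" mentioned. Backend names and the sample hello records are constructed; this covers TLS 1.2-style session-ID resumption only (TLS 1.3 resumes via PSKs and leaves this field as a compatibility value).

```python
import hashlib

# Constructed helper: build a minimal TLS 1.2 ClientHello (type 1) or ServerHello (type 2)
# record carrying the given session ID, so the example runs offline.
def build_hello(hs_type: int, session_id: bytes) -> bytes:
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    body += b"\x00\x02\x00\x2f\x01\x00" if hs_type == 1 else b"\x00\x2f\x00"
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake

def hello_session_id(data: bytes, hs_type: int) -> bytes:
    """Extract the session ID from a ClientHello (1) or ServerHello (2) record.
    Layout: 5-byte record header, 4-byte handshake header, 2-byte version,
    32-byte random, 1-byte session ID length, session ID. Returns b"" if absent."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != hs_type:
        return b""
    sid_len = data[43]
    if sid_len > 32 or len(data) < 44 + sid_len:
        return b""
    return data[44:44 + sid_len]

class SessionAffinityRouter:
    """First-layer balancer: sticks resumed sessions to the backend that issued them
    (learned from the ServerHello); new sessions are spread by hashing the source IP."""
    def __init__(self, backends):
        self.backends = list(backends)
        self.table = {}  # session ID -> backend name (the "stick table")

    def route(self, client_hello: bytes, client_ip: str) -> str:
        sid = hello_session_id(client_hello, 1)
        if sid and sid in self.table:
            return self.table[sid]
        # Unknown or empty session ID: fall back to source-IP hashing.
        h = hashlib.sha256(client_ip.encode()).digest()
        return self.backends[int.from_bytes(h[:4], "big") % len(self.backends)]

    def learn(self, server_hello: bytes, backend: str) -> None:
        sid = hello_session_id(server_hello, 2)
        if sid:
            self.table[sid] = backend
```

Without the `learn` step the scheme breaks: hashing a freshly issued session ID would not land on the backend that holds it, which is why a plain hash is not enough.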
Sometimes though, you don't want affinity at all. If you don't care what backend server takes the request, you can balance the load more efficiently, and more easily rotate servers in and out of service.
Sounds useful, but how many visitors do you need to have for this to be worth doing?
If you have any visitors you are doing them a huge disservice if you do not have SSL session caching.
You would use external SSL caching like this if you have more than one SSL termination point (typically a webserver like nginx/Apache) behind a load-balancer.