Hi to everybody,

first of all I'm very sorry for my English...

This is my scenario:

Internet;

Firewall+nginx as load balancer: pfsense_1(active) + pfsense_2(passive) in CARP;

Poos servers: 3 x nginx(PHP5-FPM HTTP+HTTPS);


Pfsense 1 and 2 CARP configured with virtual IP (pubblic). Nginx pool servers's ips are all private.

I want to load balance inbound HTTP and HTTPS connections between the 3 nginx web servers. An importat thing is that the HTTPS connections must be "sticky connections": in HTTPS connections, after login by username and password, I setup a php session and therefore when a client starts a HTTPS connection it will be always redirected to the same nginx server, until it disconnects itself, it closes the page/browser or after a timeout (30minutes?) without activity.
I would like to do that without decript ssl traffic in the load balancer. Is it possible using the directive ip_hash?
The configuration will be something like this:

upstream poolservers_http { # HTTP (NO sticky connections...
server server1.example.com max_fails=1 fail_timeout=10s;
server server2.example.com max_fails=1 fail_timeout=10s;
server server3.example.com max_fails=1 fail_timeout=10s;
}

upstream poolservers_https { # HTTPS
ip_hash; # sticky connections
server server1.example.com max_fails=1 fail_timeout=10s;
server server2.example.com max_fails=1 fail_timeout=10s;
server server3.example.com max_fails=1 fail_timeout=10s;
}

server { # HTTP
listen public_ip:80;
server_name expample.com;
location / {
proxy_pass http://poolservers_http;
}
}

server { # HTTPS
listen public_ip:443;
server_name expample.com;
location / {
proxy_pass https://poolservers_https;
}
}

thank you very much....