Hi John,

Without going into too much detail, we have a mutualized reverse proxy cache platform to accelerate HTTP content (you can call it a CDN ;) ) on which we use HTTP reverse proxy caches coded by a third-party company. The reverse proxy software runs on CentOS Linux and has a cost (licence). The hardware is an HP server (2U) with 2 quad cores, 32G of memory and a lot of hard drives.

I can't remember the numbers exactly, but when we tested the SSL capacity inside the HTTP accelerator, the overall performance decreased a lot (maybe because of the code), and to keep the same capacity (HTTP throughput) on our CDN we should have bought more servers and more licences.

Without SSL enabled, we tested the HTTP accelerator with live traffic at more than 700MB/s, more than 20K HTTP Req/s and 80% of CPU... With only a small percentage of this traffic encrypted, the performance decreased a lot, but I can't remember how much :/

Note that on a normal day, our caches run at only 10% of CPU and 100 Mb...

Note that we did not saturate our servers with SSL; I'm just saying that to keep enough free capacity to absorb customers' peak traffic, we should have bought more servers and licences, and the cost would have been too much. It was cheaper to leave our old vpn3050 in the racks doing the job :) Maybe it's related to the code of our supplier ;)

Anyway, they were working on improving their SSL capacity by taking advantage of offloading the SSL computation to a daughter card in the chassis and keeping the CPUs and memory for HTTP acceleration, URL rewrite, ACLs, etc. All the SMART stuff :)

Note: the software is not Varnish ;)

On Wed, Nov 17, 2010 at 3:46 PM, John Marrett <jmarr...@mediagrif.com> wrote:
> Bedis,
>
>> Cause using the cores to decrypt traffic would reduce drastically
>> overall performance.
>> Well, this is what we saw on our HTTP cache server (running CentOS) on
>> 8 cores hardware: when enabling SSL, the performance were so bad that
>
>> So we kept our old Nortel vpn 3050 to handle the SSL traffic.
>
> I'm astonished to hear that you had these kinds of issues on modern
> hardware. We stopped using dedicated SSL hardware quite some time ago.
>
> Of course, everyone's traffic is different. May I ask what volume of
> traffic (Connections / second, Megabits) you are dealing with that
> saturated an 8 core machine?
>
>> we should have ordered more chassis and licences to handle the same
>> traffic... leading to earn less money :)
>
> What web/ssl server were you using and what version of CentOS. The use
> of the word licenses is interesting :)
>
> Were you already high in CPU consumption without the SSL traffic on the
> machine?
>
> -JohnF