Re: A SSL scenario (involving multiple SSL-servers)

2006-04-25 Thread dparis
The first hit is going to be pretty expensive on the client, since it has
to negotiate four different sets of keys.  Subsequent requests will be
better, but still take a bit of overhead on the client to decrypt each
connection pseudo-simultaneously.

Perhaps a better plan would have been to create a single (or
high-availability pair using "keepalived") SSL-terminating reverse proxy
that maps requests for certain images to standard (http, not https)
webservers on a privately addressed network.  This would cut down the
client workload by 75% if you've got four SSL servers.  Pound
( http://www.apsis.ch/pound/ ) is a great SSL-terminating reverse proxy
that's very lightweight and fast.  I've deployed it often and found it to
be very stable, flexible, and responsive.  Even on oldish hardware, it can
terminate upwards of 400 SSL sessions per second... newer hardware would
obviously push that number higher.  Additionally, it has a FAR smaller
footprint than, say, using Apache as a proxy.

Kind Regards,
-dsp

> Every item the browser requests, such as images, comes from a
> unique/distinct connection.
>
> So the links to the other web servers will result in independent
> connections
> to the other web servers.  So you should be good to go.
>
>
>
> On 4/24/06, Vishwas <[EMAIL PROTECTED]> wrote:
>>
>> Hello there,
>>
>> I have few doubts, the scenario goes as below.
>>
>> Scenario: There are 4 SSL-enabled Apache servers {A1, A2, A3, A4}, all of
>> them independently controlled, with valid certificates. Now, a "user" on
>> A1 designs an HTML page (index.html) that refers to images from all 4
>> servers. The links to these images are specified in the HTML file using
>> "https://A[1-4]/...".
>>
>> Questions:
>> 1. A request for https://A1/~user/index.html comes in. The requestor is
>> going to get an SSL connection from A1, and the content from A1 to the
>> browser is flowing through the SSL tunnel. I think only the files that
>> reside on A1 are going to flow through this tunnel from A1 to the
>> browser!? And the files from A2, A3, and A4 are flowing through separate
>> SSL tunnels to the browser!? Then the browser shows only one PADLOCK
>> symbol; will it be for A1? YES. Then what about the SSL connections from
>> A2, A3, and A4? How does the browser tell its user about these
>> connections?
>>
>> 2. Or does A1 bring the files from A2, A3, and A4 that are referred to
>> inside the "index.html" file by the "user" and serve them to the browser?
>>
>> I am confused, because my understanding was that SSL is Secure Sockets
>> Layer, and one cannot tamper with this tunnel. And I used to think that
>> when I ask the browser to open some URL, it opens a connection (by
>> obtaining a socket, say 56789, from the underlying OS) to port 80 of the
>> URL's server. Now I feel that if the URL page has objects residing on
>> other servers, my browser opens separate sockets (different from 56789)
>> for these objects!? Please clarify my doubts, or point me to some guides
>> et al.
>>
>> Thank you for your patience.
>>
>> --
>> Best Regards,
>> Vishwas.
>>
>


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]
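The connection behaviour the two replies above describe (one TLS handshake and one certificate validation per distinct HTTPS origin, the padlock reflecting only the top-level document, and the proxy layout collapsing four origins into one) can be checked mechanically. The script below is an added example, not code from the thread or from Pound: it inventories the subresource origins of a page, counts the handshakes a cold client performs, and flags plain-http subresources that an https page would pull in as mixed content. The hostnames A1..A4, the two sample pages and the `/img/A2/...` proxy path layout are constructed placeholders of mine.

```python
"""Added example (not from the thread): inventory the TLS connections a
browser needs for a page whose subresources live on several HTTPS origins.

Assumptions (mine, not the thread's): the page is index.html on https://A1
and references images on A1..A4 as in Vishwas's scenario; hostnames A1..A4
are placeholders. A browser opens at least one TCP+TLS connection per
distinct (scheme, host, port) origin and validates each origin's
certificate independently; the padlock reflects only the document's origin.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page, modelled on the scenario in the thread.
# The http:// script is added to show how mixed content is reported.
SAMPLE_PAGE = """
<html><body>
<img src="https://A1/~user/logo.png">
<img src="https://A2/images/a.png">
<img src="https://A3/images/b.png">
<img src="https://A4/images/c.png">
<img src="/~user/local.png">
<script src="http://A2/js/app.js"></script>
</body></html>
"""

# Same page after putting one SSL-terminating reverse proxy in front of the
# four servers: every image URL now points at the proxy's single origin
# (the /img/A2/... path layout is a hypothetical mapping of mine).
PROXIED_PAGE = """
<html><body>
<img src="https://A1/~user/logo.png">
<img src="https://A1/img/A2/a.png">
<img src="https://A1/img/A3/b.png">
<img src="https://A1/img/A4/c.png">
<img src="/~user/local.png">
</body></html>
"""

SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href",
                     "iframe": "src", "source": "src"}


class _SubresourceCollector(HTMLParser):
    """Collect the URL attribute of every tag that triggers a fetch."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def origin(url):
    """Return the (scheme, host, port) triple a browser keys connections on."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def connection_inventory(html, document_url):
    """Group a page's subresources by origin.

    Returns a dict with:
      tls_origins   - distinct https origins, each needing its own handshake
                      and its own certificate validation
      mixed_content - plain-http subresources pulled into an https page
      handshakes    - TLS handshakes a cold client performs, including the
                      one for the document itself
    """
    doc_origin = origin(document_url)
    collector = _SubresourceCollector()
    collector.feed(html)
    tls_origins = {doc_origin} if doc_origin[0] == "https" else set()
    mixed = []
    for u in collector.urls:
        absolute = urljoin(document_url, u)
        o = origin(absolute)
        if o[0] == "https":
            tls_origins.add(o)
        elif doc_origin[0] == "https":
            mixed.append(absolute)
    return {"tls_origins": sorted(tls_origins),
            "mixed_content": mixed,
            "handshakes": len(tls_origins)}


def handshake_saving(before, after):
    """Fraction of cold-start handshakes the proxy layout removes."""
    return 1 - after["handshakes"] / before["handshakes"]


if __name__ == "__main__":
    doc = "https://A1/~user/index.html"
    direct = connection_inventory(SAMPLE_PAGE, doc)
    proxied = connection_inventory(PROXIED_PAGE, doc)
    for name, inv in (("direct", direct), ("proxied", proxied)):
        print(f"{name}: {inv['handshakes']} TLS handshake(s) to "
              f"{[h for _, h, _ in inv['tls_origins']]}; "
              f"mixed content: {inv['mixed_content']}")
    print(f"proxy saves {handshake_saving(direct, proxied):.0%} of the handshakes")
```

Run it against a saved copy of a real page by swapping in that HTML and its URL; each entry in `tls_origins` is a certificate the client validates on its own, and anything in `mixed_content` is a subresource the padlock says nothing about.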


Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread dparis
You're not looking at your problem from the right angle.

10K users... asking for the SAME file.  Set up a smallish farm of four or
five machines and use an HTTP Accelerator (basically a Squid proxy turned
on its head - the examples exist in the config file for Squid .. look at
the http accelerator mode).

Then use an SSL terminating proxy cluster on the frontend .. now you have
0 disk contention since the file will be sent straight from RAM.

What you now need to know is the distribution of connection speeds for
your users.  If they're on T3s, you have no choice but to go with GigE.
.. Frankly, you're probably looking at some sort of GigE burstable product
offering anyway.

Ok .. enough's enough .. Your original question has been answered long ago
and you've heard from everyone with additional information and ideas.
We're getting very close to the point of engineering this solution for
you.  Either you can take it from here or hire some of us as consultants
to work out the rest of the engineering for you.  Free software is one
thing .. free engineering is quite another.

Best~
-d

> Ok, lets assume I can get a network connection with:
> A)10mbit
> B)100mbit
> C)1000mbit
>
> And I will have 10k concurrent downloads (let us throw out 100k for now..
> because I can always scale up figures if we get a base).
>
> (The reason I say 10k concurrent is because we have an update system
> (sorta like Windows Update).. and as soon as we tell their computer to
> update, we have 10k boxes saying give me the file!)
>
> So my question is..
> What would be the best (given we cannot do blades or the like since we
> have to use 'standard' 1u/2u/4u boxes from the dedi center)?
> Should we definitely beat the problem with iron and get 5 servers doing
> load balancing? 2 servers? If 2 servers, go with the 1000mbit connection?
>
>
>
> thank you for all of your time and input!
>
> thanks
> Lee
>
>
>
>
>
> - Original Message -
> From: "Mads Toftum" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, September 26, 2005 1:27 PM
> Subject: Re: Mod_ssl and how to reduce overhead
>
>
>> On Mon, Sep 26, 2005 at 11:28:11AM -0400, Pigeon wrote:
>>> Hmm.. 10k -100k are pretty much  guaranteed numbers..
>>>
>> That's quite a wide margin. Are we talking concurrent users or just
>> number of people who could be using it over a period of xx?
>>
>>> So my main computer crunching will be done at the beginning? (and to
>>> relieve this I can do session key caching.. how long can I cache a key?
>>> is this 'secure'?)  (also.. all transfers will be ~15megs in size)
>>>
>> well, with 15meg files you've got more work to do encrypting the content
>> as the session goes along. You can cache the key as long as you want,
>> but depending on the type of encryption used, most browsers will not
>> allow the key to live for all that long. I usually run for about 1 hour,
>> but ymmv depending on the chosen parameters.
>>
>>> And using a single server is out of the question?
>>>
>> the number of concurrent users has very much to say in that regard.
>> Maybe an ibm power 5 64 proc or a fully loaded sun e25k - and add an
>> ssl accelerator to the mix.
>>
>>> If we just go with one server.. shouldn't it be something super fast..
>>> amd64 1gig ram?
>>>
>> Super fast / amd64 with only 1 gig mem? you've got to be kidding - I'm
>> pretty sure you couldn't keep up even without SSL.
>> Doesn't your pr0n streaming business generate enough income to pay for a
>> real server? ;)
>>
>> vh
>>
>> Mads Toftum
>> --
>> `Darn it, who spiked my coffee with water?!' - lwall
>>

