Re: How to handle SSL traffic

To: Peter Mueller <pmueller@xxxxxxxxxxxx>
Subject: Re: How to handle SSL traffic
Cc: "'LinuxVirtualServer.org users mailing list. '" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Horms <horms@xxxxxxxxxxxx>
Date: Tue, 21 Oct 2003 10:16:40 +0900
On Mon, Oct 20, 2003 at 10:46:36AM -0700, Peter Mueller wrote:
> >> Better to let the real servers handle the SSL... you
> >> can always add more real servers if SSL processing
> >> bogs them down by some fraction.   
> 
> > I agree. And arguments that I have heard to the contrary
> > are usually tedious at best. SSL is probably the
> > most expensive thing that your cluster needs to do.
> > Thus distributing amongst the real servers makes the most sense
> > as you can scale that by just adding new machines.
> 
> If I wanted to use a hardware SSL decrypting device such as a card in my
> LVS-director boxes, how could I set this up in LVS?  I see no problem
> getting 443 to decrypt, but how do people then forward this traffic to the
> real server boxes?  I like the idea of saving 20-30+ Thawte bills a month
> AND offloading a whole bunch of CPU for the one time cost of $500/card..

AFAIK at this time the only real way to do this is to use
a user-space proxy of some sort. Once you have it in user space it
is pretty straightforward as long as the card is supported
by openssl / provides the appropriate engine library for openssl.

On the other hand, surely there is someone who isn't 
committing highway robbery to provide certificates.

AFAIK the reason you offer above is the only reason to use
an accelerator card in this situation. It is a technical
solution to Thawte overcharging. A much better solution is to
distribute load on the cluster, that is what it is there for.

-- 
Horms