Re: Mod_ssl and how to reduce overhead (Thanks!)
Thanks for all the great info! It definitely gives me a nice footing from which I can start.

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
Mod_ssl and how to reduce overhead
Hello,

I am trying to plan a system that can handle 10k-100k users. I am only using apache w/mod-ssl.

What should I look at to reduce overhead of bandwidth/cpu/mem? At what point should I look at ssl accelerators? Should I definitely look at clustering?

Also.. I have heard about ssl session key caching, anyone know how much this will improve things? Any good resources I can read?

thanks!
Lee
Re: Mod_ssl and how to reduce overhead
Hi,

A few words about intended usage would be of great help.

- How many concurrent users
- Type of transactions
- You really think the http front is going to be your bottleneck? Or are there back end systems that will pose a greater problem (I would think so)

Why not just use a normal server as ssl accelerator? I know several SSL accelerator appliances that are just that anyway. Unless you have specific key handling requirements (FIPS140-3 or something), using normal server hardware is much cheaper.

regards
martin

On 26/09/2005, at 14.35, Pigeon wrote:
> Hello, I am trying to plan a system that can handle 10k-100k users. I am only using apache w/mod-ssl
> What should I look at to reduce overhead of bandwidth/cpu/mem? At what point should I look at ssl accelerators? Should I definitely look at clustering?
> Also.. I have heard about ssl session key caching, anyone know how much this will improve things? Any good resources I can read?
> thanks! Lee
Re: Mod_ssl and how to reduce overhead
I use Pound (http://www.apsis.ch/pound/) as an SSL-terminating reverse proxy .. on commodity hardware, it can handle - at least according to quotes from the field - up to around 400 conns/sec. It also affords you some additional firewalling in that you can put the SSL terminating accelerator in the DMZ and pass straight HTTP traffic to the backend without the client ever directly connecting to the web server/cluster.

I also use keepalived to keep a pair of Pound proxies in a high-availability scenario. If you really need it, you could probably put up a HA/LVS cluster of Pound proxies that terminate and proxy traffic for an entire web farm - if your traffic demands it.

The other bonus is that by terminating SSL at the DMZ, your IDS/IPS system gets a chance to peek at the traffic. Pound does numerous other things as well (URL normalization, etc) .. head to the URL and have a good read.

Best~
-d

Pigeon wrote:
> Hello, I am trying to plan a system that can handle 10k-100k users. I am only using apache w/mod-ssl
> What should I look at to reduce overhead of bandwidth/cpu/mem? At what point should I look at ssl accelerators? Should I definitely look at clustering?
> Also.. I have heard about ssl session key caching, anyone know how much this will improve things? Any good resources I can read?
> thanks! Lee
Re: Mod_ssl and how to reduce overhead
> Also.. I have heard about ssl session key caching, anyone know how much this will improve things?

Session caching is more or less essential for any kind of reasonable SSL performance. Disabling the session cache will hurt your SSL perf by perhaps as much as an order of magnitude (roughly speaking -- it's been a long time since I benchmarked it).

--Cliff
Re: Mod_ssl and how to reduce overhead
We are going to have 10k-100k concurrent users (yeah... )

We are transferring EXE files (no not warez)

I am just trying to get some ideas.. I am concerned about all because I do not know what to be concerned about :/

thanks
Lee

----- Original Message -----
From: Martin Strandbygaard [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Monday, September 26, 2005 8:42 AM
Subject: Re: Mod_ssl and how to reduce overhead

> Hi, A few words about intended usage would be of great help.
> - How many concurrent users
> - Type of transactions
> - You really think the http front is going to be your bottleneck? Or are there back end systems that will pose a greater problem (I would think so)
> Why not just use a normal server as ssl accelerator? I know several SSL accelerator appliances that are just that anyway. Unless you have specific key handling requirements (FIPS140-3 or something), using normal server hardware is much cheaper.
> regards martin
Re: Mod_ssl and how to reduce overhead
On Mon, Sep 26, 2005 at 08:54:30AM -0400, Cliff Woolley wrote:
> Session caching is more or less essential for any kind of reasonable SSL performance. Disabling the session cache will hurt your SSL perf by perhaps as much as an order of magnitude (roughly speaking -- it's been a long time since I benchmarked it).

The actual performance benefit is dependent on the usage pattern (mostly the length of sessions) but fetching a session from the cache is easily 100x faster than negotiating a new session key (again ymmv dependent on how much spare processing power you have).

Openssl is useful in at least getting an idea of the order of magnitude - run openssl speed rsa on the box to figure out how many rsa operations it can handle concurrently for your chosen keysize. openssl s_client with the -reconnect option will help determine whether session caching is working on the server.

vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
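
Added example (not part of the original thread): a small Python check for the session-cache test described in the message above, which reads the output of openssl s_client -reconnect and counts how many reconnects resumed the session. The transcripts are constructed and abbreviated, and the function names and verdict strings are this example's own.

```python
import re
import subprocess
import sys

# s_client prints one status line per handshake, for example:
#   New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
#   Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
HANDSHAKE_RE = re.compile(r"^(New|Reused), (\S+), Cipher is (\S+)", re.MULTILINE)


def _transcript(kinds):
    """Build a constructed, abbreviated s_client transcript (not real output)."""
    block = "CONNECTED(00000003)\n---\n{}, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA\n---\n"
    return "drop connection and then reconnect\n".join(block.format(k) for k in kinds)


# Constructed samples: first handshake plus five reconnects, as -reconnect performs.
SAMPLE_CACHE_ON = _transcript(["New"] + ["Reused"] * 5)
SAMPLE_CACHE_OFF = _transcript(["New"] * 6)
# Mixed result, e.g. several backends behind a balancer that do not share a cache.
SAMPLE_MIXED = _transcript(["New", "Reused", "New", "Reused", "Reused", "New"])


def parse_handshakes(transcript):
    """Return one (kind, protocol, cipher) tuple per handshake seen."""
    return HANDSHAKE_RE.findall(transcript)


def session_reuse_report(transcript):
    """Summarise how many reconnects resumed the first session."""
    handshakes = parse_handshakes(transcript)
    reconnects = handshakes[1:]  # the first handshake is always a full one
    reused = sum(1 for kind, _, _ in reconnects if kind == "Reused")
    if not handshakes:
        verdict = "no handshake seen"
    elif not reconnects:
        verdict = "no reconnect seen"
    elif reused == len(reconnects):
        verdict = "session cache working"
    elif reused == 0:
        verdict = "session cache not working"
    else:
        verdict = "partial reuse"
    return {
        "handshakes": len(handshakes),
        "reconnects": len(reconnects),
        "reused": reused,
        "verdict": verdict,
    }


def run_s_client(host, port=443):
    """Capture a live transcript; requires the openssl binary and network access."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-reconnect"],
        stdin=subprocess.DEVNULL, capture_output=True, text=True, timeout=60,
    )
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # With a host argument, test that server; otherwise show the constructed samples.
    if len(sys.argv) > 1:
        print(session_reuse_report(run_s_client(sys.argv[1])))
    else:
        for name, sample in (("cache on", SAMPLE_CACHE_ON),
                             ("cache off", SAMPLE_CACHE_OFF),
                             ("mixed", SAMPLE_MIXED)):
            print(name, session_reuse_report(sample))
```

A "partial reuse" verdict against a load-balanced address usually means the backends keep separate session caches, which matters for the clustering options discussed in this thread.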
Re: Mod_ssl and how to reduce overhead
Hmm.. 10k -100k are pretty much guaranteed numbers..

So my main computer crunching will be done at the beginning? (and to relieve this I can do session key caching.. how long can I cache a key? is this 'secure'?)

(also.. all transfers will be ~15megs in size)

And using a single server is out of the question? If we just go with one server.. shouldn't it be something super fast.. amd64 1gig ram?

thanks!
Lee

On Mon, 26 Sep 2005, Pigeon wrote:
> Hello, I am trying to plan a system that can handle 10k-100k users. I am only using apache w/mod-ssl
> What should I look at to reduce overhead of bandwidth/cpu/mem? At what point should I look at ssl accelerators? Should I definitely look at clustering?
> Also.. I have heard about ssl session key caching, anyone know how much this will improve things? Any good resources I can read?
> thanks! Lee
Re: Mod_ssl and how to reduce overhead
Not to mention 15MB download * 100K concurrent users is some *serious* traffic. If you're going to be paying that kind of $$$ for bandwidth, I hope you've got some cash left over for a load balancer and additional web servers.

Some quick (and hopefully accurate) math:

For a T3:
15MB * 1024^2 bytes/MB * 8 bits/byte * 100,000 sessions / (45Mbit/s * 1024^2 bits/Mbit) / 60 sec/min / 60 min/hour = 74 hours

For a 100Mbps ethernet uplink:
15MB * 1024^2 bytes/MB * 8 bits/byte * 100,000 sessions / (100Mbit/s * 1024^2 bits/Mbit) / 60 sec/min / 60 min/hour = 33 hours

And those assume zero overhead for framing and TCP/IP. Not to mention, 100K Apache children/threads running to support all those connections (not going to happen).

So yeah, uh, them some serious numbers. You're going to need some serious uplink and hardware (load balancer, multiple boxes) to pull this off.

I gotta ask though, just what are you doing where you expect 100K people trying to download a 15MB file all at the same time? You working for Microsoft and planning the next security tuesday patch update or something? :)

--
Aaron Turner, Sr. Security Engineer
[EMAIL PROTECTED]
Ph: 408.329.6320 Fax: 408.329.6317

On Sep 26, 2005, at 8:52 AM, Dave paris wrote:
> In an earlier note, you said that it was 10K-100K *concurrent* users.
> a) that's a magnitude of difference, see if you can get better numbers from whomever is doing the marketing/project planning.
> b) ain't no way you're going to do that many *CONCURRENT* transactions on a single box.
> -d
Re: Mod_ssl and how to reduce overhead
Aaron Turner wrote:
> I gotta ask though, just what are you doing where you expect 100K people trying to download a 15MB file all at the same time? You working for Microsoft and planning the next security tuesday patch update or something? :)

That or he has the video of Gates getting raped by the penguin. Oops, I hope this isn't a family list.
Re: Mod_ssl and how to reduce overhead
Just wondering, is this for the charter.net music download? I cannot believe you would have 100,000 concurrent connections for a service such as that. I also see the download file is listed at 1.5MB, not 15.

As for bandwidth, that better be upgraded. It took over a minute just to download the home page off of charter.net.

Jeffrey Burgoyne
Chief Technology Architect
KCSI Keenuh Consulting Services Inc
[EMAIL PROTECTED]

On Mon, 26 Sep 2005, Pigeon wrote:
> Hmm.. 10k -100k are pretty much guaranteed numbers..
> So my main computer crunching will be done at the beginning? (and to relieve this I can do session key caching.. how long can I cache a key? is this 'secure'?)
> (also.. all transfers will be ~15megs in size)
> And using a single server is out of the question? If we just go with one server.. shouldn't it be something super fast.. amd64 1gig ram?
> thanks! Lee
Re: Mod_ssl and how to reduce overhead
On Mon, Sep 26, 2005 at 11:28:11AM -0400, Pigeon wrote:
> Hmm.. 10k -100k are pretty much guaranteed numbers..

That's quite a wide margin. Are we talking concurrent users or just number of people who could be using it over a period of xx?

> So my main computer crunching will be done at the beginning? (and to relieve this I can do session key caching.. how long can I cache a key? is this 'secure'?)
> (also.. all transfers will be ~15megs in size)

well, with 15meg files you've got more work to do encrypting the content as the session goes along. You can cache the key as long as you want, but depending on the type of encryption used, most browsers will not allow the key to live for all that long. I usually run for about 1 hour, but ymmv depending on the chosen parameters.

> And using a single server is out of the question?

the number of concurrent users has very much to say in that regard. Maybe an ibm power 5 64 proc or a fully loaded sun e25k - and add an ssl accelerator to the mix.

> If we just go with one server.. shouldn't it be something super fast.. amd64 1gig ram?

Super fast / amd 64 with only 1 gig mem? you've got to be kidding - I'm pretty sure you couldn't keep even without SSL. Doesn't your pr0n streaming business generate enough income to pay for a real server? ;)

vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Mod_ssl and how to reduce overhead
Ok, let's assume I can get a network connection with:

A) 10mbit
B) 100mbit
C) 1000mbit

And I will have 10k concurrent downloads (let us throw out 100k for now.. because I can always scale up figures if we get a base).

(The reason I say 10k concurrent is because we have an update system (sorta like windows update).. and as soon as we tell their computer to update, we have 10k boxes saying give me the file!)

So my question is.. What would be the best (given we cannot do blades or the like since we have to use 'standard' 1u/2u/4u boxes from the dedi center). Should we definitely beat the problem with iron and get 5 servers doing load balancing? 2 servers? If 2 servers go with the 1000mbit connection?

thank you for all of your time and input!

thanks
Lee

----- Original Message -----
From: Mads Toftum [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Monday, September 26, 2005 1:27 PM
Subject: Re: Mod_ssl and how to reduce overhead

> On Mon, Sep 26, 2005 at 11:28:11AM -0400, Pigeon wrote:
> > Hmm.. 10k -100k are pretty much guaranteed numbers..
> That's quite a wide margin. Are we talking concurrent users or just number of people who could be using it over a period of xx?
> > So my main computer crunching will be done at the beginning? (and to relieve this I can do session key caching.. how long can I cache a key? is this 'secure'?)
> > (also.. all transfers will be ~15megs in size)
> well, with 15meg files you've got more work to do encrypting the content as the session goes along. You can cache the key as long as you want, but depending on the type of encryption used, most browsers will not allow the key to live for all that long. I usually run for about 1 hour, but ymmv depending on the chosen parameters.
> > And using a single server is out of the question?
> the number of concurrent users has very much to say in that regard. Maybe an ibm power 5 64 proc or a fully loaded sun e25k - and add an ssl accelerator to the mix.
> > If we just go with one server.. shouldn't it be something super fast.. amd64 1gig ram?
> Super fast / amd 64 with only 1 gig mem? you've got to be kidding - I'm pretty sure you couldn't keep even without SSL. Doesn't your pr0n streaming business generate enough income to pay for a real server? ;)
> vh Mads Toftum
Re: Mod_ssl and how to reduce overhead
You're not looking at your problem from the right angle. 10K users... asking for the SAME file. Set up a smallish farm of four or five machines and use a HTTP Accelerator. (basically a Squid proxy turned on its head - the examples exist in the config file for squid .. look at the http accelerator mode). Then use an SSL terminating proxy cluster on the frontend .. now you have 0 disk contention since the file will be sent straight from RAM.

What you now need to know is the distribution of connection speeds for your users. If they're on T3's, you have no choice but to go with GigE. .. Frankly, you're probably looking at some sort of GigE burstable product offering anyway.

Ok .. enough's enough .. Your original question has been answered long ago and you've heard from everyone with additional information and ideas. We're getting very close to the point of engineering this solution for you. Either you can take it from here or hire some of us as consultants to work out the rest of the engineering for you. Free software is one thing .. free engineering is quite another.

Best~
-d

> Ok, let's assume I can get a network connection with: A) 10mbit B) 100mbit C) 1000mbit
> And I will have 10k concurrent downloads (let us throw out 100k for now.. because I can always scale up figures if we get a base).
> (The reason I say 10k concurrent is because we have an update system (sorta like windows update).. and as soon as we tell their computer to update, we have 10k boxes saying give me the file!)
> So my question is.. What would be the best (given we cannot do blades or the like since we have to use 'standard' 1u/2u/4u boxes from the dedi center). Should we definitely beat the problem with iron and get 5 servers doing load balancing? 2 servers? If 2 servers go with the 1000mbit connection?
> thank you for all of your time and input!
> thanks Lee
Re: Mod_ssl and how to reduce overhead
Well, the math is simple 1000mbit/1 users = 100 kilobit/sec, or 12K per second, or 1200 seconds, 20 minutes per download. Marginally acceptable by today's standards.

To concurrently process that much data, that many connections, you will want a load balancer out front. With the system I'm currently administering, with a dual 3Gig Xeon we can safely handle about 2000 concurrent connections non SSL, although we have a rather overweight config. I would expect you need at least two boxes, and 5 would probably not be overkill.

BTW, do you really need SSL? From a project design perspective, would it be possible to encrypt the file to be downloaded (encryption cost only once)? Then using sendfile you could really have it hum.

Jeffrey Burgoyne
Chief Technology Architect
KCSI Keenuh Consulting Services Inc
[EMAIL PROTECTED]

On Mon, 26 Sep 2005, Pigeon wrote:
> Ok, let's assume I can get a network connection with: A) 10mbit B) 100mbit C) 1000mbit
> And I will have 10k concurrent downloads (let us throw out 100k for now.. because I can always scale up figures if we get a base).
> (The reason I say 10k concurrent is because we have an update system (sorta like windows update).. and as soon as we tell their computer to update, we have 10k boxes saying give me the file!)
> So my question is.. What would be the best (given we cannot do blades or the like since we have to use 'standard' 1u/2u/4u boxes from the dedi center). Should we definitely beat the problem with iron and get 5 servers doing load balancing? 2 servers? If 2 servers go with the 1000mbit connection?
> thank you for all of your time and input!
> thanks Lee
Re: Mod_ssl and how to reduce overhead
Pigeon wrote:
> Ok, let's assume I can get a network connection with: A) 10mbit B) 100mbit C) 1000mbit
> And I will have 10k concurrent downloads (let us throw out 100k for now.. because I can always scale up figures if we get a base).
> (The reason I say 10k concurrent is because we have an update system (sorta like windows update).. and as soon as we tell their computer to update, we have 10k boxes saying give me the file!)
> So my question is.. What would be the best (given we cannot do blades or the like since we have to use 'standard' 1u/2u/4u boxes from the dedi center). Should we definitely beat the problem with iron and get 5 servers doing load balancing? 2 servers? If 2 servers go with the 1000mbit connection?

The short answer is that you need to benchmark using various configurations. You have a particularly bad problem, what with the per-request encryption beating on the CPU's, and the large file size beating on the network (and putting your servers at the mercy of the clients). Pushing all of the solutions downstream like this instead of coming up with a better front-end is going to cost you.

This all just screams for a more elegant solution than just asking apache to stick its finger in the dike.

Good luck.
Re: Mod_ssl and how to reduce overhead
On 9/26/05, Phil Ehrens [EMAIL PROTECTED] wrote:
> Pigeon wrote:
> > (The reason I say 10k concurrent is because we have an update system (sorta like windows update).. and as soon as we tell their computer to update, we have 10k boxes saying give me the file!)

I think I agree with the guy who said this thread has pretty much been asked and answered at this point, but I figured I'd just throw in one more little nugget for you to think about.

It sounds to me from the limited information above that you're causing your own problem here by instructing 10k-100k clients to update themselves with some multi-megabyte patch file simultaneously. This is obviously a huge amount of bandwidth, but it doesn't seem obvious to me that it would be a huge amount of bandwidth on a 24/7 basis... rather it would come in bursts _at times specified by you_.

This to me begs for a software engineering effort rather than a sysadmin/netadmin effort; if you can get the clients to wait some random length of time after receiving the update available notification prior to requesting the update, your number of concurrent accesses will drop dramatically. Alternatively, if you have more control over the server-side code than the client-side code, you could publish the update available notification TO the clients a handful at a time rather than all at the same time.

Hope this helps, and best of luck...

--Cliff
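
Added example (not part of the original thread): a simplified Python model of the staggered-update idea in the message above, using the thread's figures (10k clients, a ~15 MB file, a 1000 Mbit uplink). It assumes a hash-derived per-client delay in place of a random one so the result is reproducible, and a single link that sends one file at a time at full rate; the client names and function names are hypothetical.

```python
import hashlib
from collections import deque

# Figures taken from the thread; decimal units are an assumption of this example.
FILE_BITS = 15 * 8 * 10**6    # ~15 MB update file
LINK_BPS = 1000 * 10**6       # option C: 1000 Mbit uplink
CLIENTS = 10_000              # clients told to update at the same moment


def start_offset(client_id, window_s):
    """Per-client delay in seconds, spread over the window.

    A real client could simply draw a random delay; hashing the client id
    gives the same spread and keeps this example reproducible.
    """
    if window_s <= 0:
        return 0.0
    digest = hashlib.sha256(client_id.encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2**64 * window_s


def simulate(window_s, clients=CLIENTS):
    """Return (peak requests open at once, seconds until the last file is sent).

    Simplification: the link serves requests first come, first served at full
    rate. A real server shares bandwidth between connections, so treat the
    peak as an indication of backlog, not an exact connection count.
    """
    service_s = FILE_BITS / LINK_BPS   # 0.12 s per file at line rate
    arrivals = sorted(start_offset(f"client-{i}", window_s) for i in range(clients))
    open_until = deque()               # completion times of requests still open
    link_free_at = 0.0
    peak = 0
    for t in arrivals:
        # Drop requests that finished before this one arrived.
        while open_until and open_until[0] <= t:
            open_until.popleft()
        # This request is sent as soon as the link is free.
        link_free_at = max(link_free_at, t) + service_s
        open_until.append(link_free_at)
        peak = max(peak, len(open_until))
    return peak, link_free_at


if __name__ == "__main__":
    for window in (0, 600, 3600):
        peak, done = simulate(window)
        print(f"window {window:>4} s: peak open requests {peak:>5}, "
              f"last file sent after {done:7.0f} s")
```

With no delay every request is open at once; the backlog only stays small once the window is longer than the time the link needs to send all the files, which is the 20 minutes worked out earlier in the thread.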