You might take a look at one of these: http://www.caviumnetworks.com/processor_security_nitroxLite.htm
They ship a modified OpenSSL stack to take advantage of the card. Cavium is what's inside most of the commercial load balancers...including I believe F5.

-J

Sent via iPhone

On Nov 17, 2010, at 8:33, Bedis 9 <bed...@gmail.com> wrote:

> Hi John,
>
> Without entering too much in details, we have a mutualized reverse
> proxy cache platform in order to accelerate HTTP content (you can call
> it CDN ;) ) on which we use an HTTP reverse proxy caches coded by a
> third party company.
> The reverse proxy software runs over a CentOS Linux and has a cost (licence).
> The hardware is HP server (2U) with 2 quad cores, 32G of memory and a
> lot of hard drives.
> I can't remember the numbers exactly, but when we tested the SSL
> capacity inside the HTTP accelerator, we decreased a lot the overall
> performance (maybe because of the code) and to keep the same capacity
> (HTTP throughput) on our CDN we should have bought more servers and
> more licences.
>
> Without SSL enabled, we tested the HTTP accelerator with live traffic
> at more than 700MB/s, more than 20K HTTP Req/s and 80% of CPU...
> With only a small percentage of this traffic encrypted the performance
> decreased a lot, but I can't remember how much :/
> Note that in a normal day, our caches run only at 10% of CPU and 100 Mb...
>
> Note that we did not saturate our servers with SSL, I'm just saying
> that to keep enough free capacity to absorb customer's peak traffic,
> we should have bought more servers and licences and the cost would
> have been too much. It was cheaper to let our old vpn3050 in the racks
> doing the job :)
> Maybe it's related to the code of our supplier ;)
> Anyway, they were working on improving their SSL capacity by taking
> advantage of offloading the SSL computation to a daughter card into
> the chassis and keep on using the CPUs and memory to do HTTP
> acceleration, URL rewrite, ACLs, etc....
> All the SMART stuff :)
>
> Note: the software is not Varnish ;)
>
> On Wed, Nov 17, 2010 at 3:46 PM, John Marrett <jmarr...@mediagrif.com> wrote:
>> Bedis,
>>
>>> Cause using the cores to decrypt traffic would reduce drastically
>>> overall performance.
>>> Well, this is what we saw on our HTTP cache server (running CentOS) on
>>> 8 cores hardware: when enabling SSL, the performance was so bad that
>>
>>> So we kept our old Nortel vpn 3050 to handle the SSL traffic.
>>
>> I'm astonished to hear that you had these kinds of issues on modern
>> hardware. We stopped using dedicated SSL hardware quite some time ago.
>>
>> Of course, everyone's traffic is different. May I ask what volume of
>> traffic (Connections / second, Megabits) you are dealing with that
>> saturated an 8 core machine?
>>
>>> we should have ordered more chassis and licences to handle the same
>>> traffic... leading to earn less money :)
>>
>> What web/ssl server were you using and what version of CentOS. The use
>> of the word licenses is interesting :)
>>
>> Were you already high in CPU consumption without the SSL traffic on the
>> machine?
>>
>> -JohnF