Hi there -

Have you considered HAProxy in multiprocess mode? You could have a frontend
spread across multiple threads that terminates SSL. We're experimenting
with such a design here.

On Fri, Apr 1, 2016 at 5:31 AM, Gerd Mueller <gerd.muel...@mikatiming.de>
wrote:

> Ok sounds good. Thanks for the input.
>
> Gerd
>
> -------- Forwarded Message --------
> From: Vincent Bernat <ber...@luffy.cx>
> To: Conrad Hoffmann <con...@soundcloud.com>
> Cc: Gerd Mueller <gerd.muel...@mikatiming.de>, haproxy@formilux.org
> <haproxy@formilux.org>
> Subject: Re: ssl offloading
> Date: Fri, 1 Apr 2016 11:29:16 +0200
>
>  ❦  1 April 2016 11:11 +0200, Conrad Hoffmann <con...@soundcloud.com>:
>
> > I can't really back this up with reliable numbers, but a company I once
> > worked for experimented with such hardware. The outcome was, and I would
> > still always recommend this today, to rather throw more regular hardware at
> > the problem. Modern processors have a lot of special instructions specifically
> > for cryptographic operations (maybe make sure you are making full use of
> > that) and are way cheaper than specialized SSL hardware. Stuff like SSL
> > changes a lot and often needs immediate security fixes, so going with
> > general purpose hardware where you are not dependent on some vendor support
> > will likely make your life easier at some point.
> >
> > That's just an opinion after all, of course.
>
> I agree with you. x86 hardware is far less expensive and performant than
> dedicated hardware. Dedicated hardware is only useful if your team don't
> want to handle software (but in this case, you can also look at the
> Aloha appliance). Go for the maximum number of GHz and as many cores as
> you want since the performance scales almost linearly.
>



-- 
- Andrew Hayworth
