Hey thanks David,
Quick follow up:
(I've attached my build instructions with the modifications for
SSL_EXPERIMENTAL below, can you check?)
Should I assume that the "shmcb" cache would look something like this?
SSLSessionCache shmcb:/u1/httpd/logs/ssl_scache(1024000)
SSLSessionCacheTimeout 600
How do I check how full the cache is? Do I just ls -la ssl_cache, and check
for the size of the file?
Thanks for your help,
Max
# configure and build the OpenSSL library
cd openssl-0.9.x
sh config
make
make test
cd ..
# configure and build the Memory Manager
cd mm-1.1.x
./configure --disable-shared
make
cd ..
# apply mod_ssl to Apache source tree
cd mod_ssl-2.8.x-1.3.x
./configure \
--with-apache=../apache_1.3.x
--enable-rule=SSL_EXPERIMENTAL
cd ..
# apply mod_perl to Apache source tree
# and build/install the Perl-side of mod_perl
cd mod_perl-1.xx
perl Makefile.PL \
USE_APACI=1 \
EVERYTHING=1 \
SSL_BASE=../openssl-0.9.6 \
EAPI_MM=../mm-1.1.3 \
APACHE_PREFIX=/u1/httpd \
APACI_ARGS='--enable-module=ssl,--enable-module=rewrite,--enable-module=so,-
-disable-module=userdir'
-----Original Message-----
From: David Rees [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 22, 2001 1:12 PM
To: [EMAIL PROTECTED]
Subject: RE: Which SSLSessionCache to use for best performance?
Hi Max,
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Max Clark
>
> Hi all.
>
> I have been tuning my web farm (for the past 6 months now), and
> have had the
> typical MSIE SSL issues along the way. I stumbled across a post today
> regarding the SSLSessionCache (my config is below), and my
> question is which
> session cache will give the best performance for my system?
>
> I need to support every browser possible, and my servers each
> recieve about
> 300K page views a day. I'm running Apache 1.3.17, mod_ssl 2.8.0, openssl
> 0.9.6 on Linux.
>
> I saw a reference for SSL_EXPERIMENTAL as a compile option, can anyone
> explain that to me?
>
> Also, could anyone give me tuning advice for the size of the ssl_cache?
In a basic mod_ssl installation, there is only one session cache available,
the "dbm" session cache. This is also the slowest session cache (aside from
not having one, of course). It is also known to be unreliable on some
platforms.
If you compile the mm library into mod_ssl, this allows you to use a shared
memory session cache ("shm" or "shmht"). In my benchmarks (not real world
situations) this improved performance by about 30% on the SGI IRIX server I
was using.
If you compile the mm library into mod_ssl, and turn on the SSL_EXPERIMENTAL
flag during the configuration stage of apache, you get another shared memory
cache ("shmcb") which is supposed to be faster and more robust than the
standard shared memory cache. This code was donated by the folks at
Stronghold (who use mod_ssl in their server) and should be better under load
than the standard shared memory cache. I didn't see any performance
difference with this cache over the standard "shmht" cache.
FWIW, I've been using the "shmcb" cache in all my servers (various IRIX and
Linux machines) with no problems under various light to moderate (1 million
hits/day) load.
As for tuning advice for the size of the shared memory cache, it seems that
every ssl_session uses right around 140-150 bytes per session. This means
that with the default session cache size of 512000 bytes, you can support
about 3500 concurrent users before the cache fills up and the server starts
expiring sessions early.
There is no limit on the number of sessions cached when using the dbm cache.
I usually double the size of the session cache (1024000) and also double the
length that a session can be cached for. You'll want to avoid letting the
cache get too full (over 75-80%) since the performance of the cache will
likely start to drop at that point.
-Dave
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
