I use Pound (http://www.apsis.ch/pound/) as an SSL-terminating reverse proxy. On commodity hardware, it can handle - at least according to quotes from the field - up to around 400 conns/sec. It also affords you some additional firewalling in that you can put the SSL terminating accelerator in the DMZ and pass straight HTTP traffic to the backend without the client ever directly connecting to the web server/cluster.

I also use keepalived to keep a pair of Pound proxies in a high-availability scenario. If you really need it, you could probably put up an HA/LVS cluster of Pound proxies that terminate and proxy traffic for an entire web farm - if your traffic demands it.

The other bonus is that by terminating SSL at the DMZ, your IDS/IPS system gets a chance to peek at the traffic.

Pound does numerous other things as well (URL normalization, etc.). Head to the URL and have a good read.

Best~
-d

Pigeon wrote:
Hello, I am trying to plan a system that can handle 10k-100k users.

I am only using apache w/mod-ssl

What should I look at to reduce overhead of bandwidth/cpu/mem?

At what point should I look at ssl accelerators?

Should I definitely look at clustering?

Also, I have heard about SSL session key caching. Does anyone know how much this will improve things?

Any good resources I can read?


thanks!
Lee
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
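
The layout described in the reply above, sketched as a Pound configuration. This is an added example, not part of the original messages; the addresses, ports and certificate path are placeholders.

```conf
# Constructed example: Pound terminates SSL in the DMZ and forwards
# plain HTTP to web servers on the internal network.
User      "pound"
Group     "pound"
LogLevel  1
# Seconds between re-checks of back-ends that were marked dead
Alive     30

ListenHTTPS
    # Placeholder DMZ address, e.g. the virtual IP held by keepalived
    Address 192.0.2.10
    Port    443
    # Placeholder path: certificate and private key in one PEM file
    Cert    "/etc/pound/site.pem"
    # Accept only GET, POST and HEAD
    xHTTP   0
    # Drop any client-supplied copy, then tell the back-end the request arrived over SSL
    HeadRemove "X-Forwarded-Proto"
    AddHeader  "X-Forwarded-Proto: https"

    Service
        # Placeholder internal web servers, reached over plain HTTP
        BackEnd
            Address 10.0.0.11
            Port    80
        End
        BackEnd
            Address 10.0.0.12
            Port    80
        End
    End
End
```

Because the hop from Pound to the back-ends is unencrypted, the back-ends should accept connections only from the proxy addresses.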
