I use Pound (http://www.apsis.ch/pound/) as an SSL-terminating reverse
proxy .. on commodity hardware, it can handle - at least according to
quotes from the field - up to around 400 conns/sec. It also affords you
some additional firewalling in that you can put the SSL terminating
accelerator in the DMZ and pass straight HTTP traffic to the backend
without the client ever directly connecting to the web server/cluster.
I also use keepalived to keep a pair of Pound proxies in a
high-availability scenario. If you really need it, you could probably
put up an HA/LVS cluster of Pound proxies that terminate and proxy
traffic for an entire web farm - if your traffic demands it.
The other bonus is that by terminating SSL at the DMZ, your IDS/IPS
system gets a chance to peek at the traffic.
Pound does numerous other things as well (URL normalization, etc) ..
head to the URL and have a good read.
Best~
-d
Pigeon wrote:
Hello, I am trying to plan a system that can handle 10k-100k users.
I am only using apache w/mod-ssl
What should I look at to reduce overhead of bandwidth/cpu/mem?
At what point should I look at ssl accelerators?
Should I definitely look at clustering?
Also.. I have heard about ssl session key caching, anyone know how much
this will improve things?
Any good resources I can read?
thanks!
Lee
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]