On Wed, Apr 7, 2010 at 5:05 PM, Ken Brownfield <[email protected]> wrote:
>> On Wed, Apr 7, 2010 at 2:30 PM, Poul-Henning Kamp <[email protected]>
>> wrote:
>>>> (1) stunnel doesn't scale particularly well, and can't scale across
>>>> multiple CPUs in any event;
>>>
>>> There are other SSL proxies than stunnel.
>>
>> I'm not aware of any that both do what stunnel does and is more
>> scalable. Any examples?
>
> Pound. Maybe eventually in haproxy. Plus a half dozen or so smaller
> projects that aren't likely production-ready. Plus various commercial
> solutions.
>
> You could drop Apache+mod_ssl+mod_proxy in front of Varnish. You can even
> choose between prefork or worker. Of course, it would be painful to set up
> and diagnose, and it scales poorly compared to the single-process model. But
> your ps output will be longer.

None of those do what stunnel does. As a listener, stunnel merely decrypts the data on the SSL socket (which may not necessarily be HTTP) and forwards the decrypted data to the real server. The other solutions parse HTTP and thus incur more expense.

> The single-process model as regards scalability is a red herring.

It matters a lot with SSL. The handshaking process is very CPU-intensive. You really want something that's SMP-scalable.

--Michael

_______________________________________________
varnish-misc mailing list
[email protected]
http://lists.varnish-cache.org/mailman/listinfo/varnish-misc
