varnish with ssl

Michael Fischer michael at dynamine.net
Thu Apr 8 02:20:20 CEST 2010


On Wed, Apr 7, 2010 at 5:05 PM, Ken Brownfield <kb+varnish at slide.com> wrote:
>> On Wed, Apr 7, 2010 at 2:30 PM, Poul-Henning Kamp <phk at phk.freebsd.dk> wrote:
>>>> (1) stunnel doesn't scale particularly well, and can't scale across
>>>> multiple CPUs in any event;
>>>
>>> There are other SSL proxies than stunnel.
>>
>> I'm not aware of any that both do what stunnel does and are more
>> scalable.  Any examples?
>
> Pound.  Maybe eventually in haproxy.  Plus a half dozen or so smaller projects that aren't likely production-ready.  Plus various commercial solutions.
>
> You could drop Apache+mod_ssl+mod_proxy in front of Varnish.  You can even choose between prefork or worker.  Of course, it would be painful to set up and diagnose, and it scales poorly compared to the single-process model.  But your ps output will be longer.

None of those do what stunnel does.  As a listener, stunnel merely
decrypts the data on the SSL socket (which may not necessarily be
HTTP) and forwards the decrypted data to the real server.  The other
solutions parse HTTP and thus incur more expense.

> The single-process model as regards scalability is a red herring.

It matters a lot with SSL.  The handshaking process is very
CPU-intensive.  You really want something that's SMP-scalable.

--Michael
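The listener arrangement Michael describes, written out as an stunnel configuration. This is an added illustration, not something posted in the thread: the certificate and key paths, the use of port 443 on the outside, and a Varnish instance assumed to be listening on 127.0.0.1:8080 are all assumptions for the example.

```ini
; stunnel.conf (added example, not from the mailing-list thread)
; stunnel accepts TLS on port 443, decrypts, and relays the raw byte
; stream to Varnish. It never parses HTTP, which is the point being made:
; the forwarded bytes may be HTTP or anything else.

cert = /etc/stunnel/example.com.pem   ; certificate chain (assumed path)
key  = /etc/stunnel/example.com.key   ; private key (assumed path)
pid  = /var/run/stunnel.pid

[https]
accept  = 443              ; TLS side, facing clients
connect = 127.0.0.1:8080   ; plaintext side: Varnish (assumed address)
```

Because stunnel only relays bytes, Varnish sees every connection as coming from 127.0.0.1 and receives no header saying the request arrived over TLS. If the VCL needs to tell TLS-terminated traffic from plain HTTP, give the stunnel forwarder its own Varnish listening address (a second `-a` address) and branch on the port Varnish accepted on, rather than relying on a header that stunnel never adds.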
