
The lack of mention of SNI is odd ... like the author doesn't know what they're talking about.

Most of the latter part is FUD.

One real problem that is encountered when moving to terminating SSL on many machines, instead of a single LB, is the problem of SSL session resumes. When the LB terminates all SSL on a single VIP, it has an SSL session cache and can resume with clients. If you make that LB DSR to servers behind it for SSL, they are going to have local session caches only. Odds are subsequent connections that try to resume the SSL session are going to map to a different machine, and without a distributed SSL session cache, the resume will fail.

We saw the ballpark of ~40-50% of SSL sessions were resumes at $BIG_INTERNET_COMPANY.

Source-IP-based persistence on the layer 3/4 load balancer solves that very easily. The src-ip cache merely needs the same timeout as the webservers' SSL cache.

Source IP persistence causes hot spots. Big web proxies, etc., end up clobbering a single machine.
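The three comments above describe one trade-off: with per-backend session caches, plain L4 balancing breaks resumption; source-IP persistence fixes it but lets a large proxy pile onto one backend; a shared cache fixes both. The simulation below is an added illustration, not code from anyone in the thread, and its pool size, hashing rule and traffic mix (ten clients that each resume once, then one forward proxy at a constructed address opening forty connections) are assumptions chosen to make the effect visible.

```python
import hashlib
from collections import Counter

N_BACKENDS = 8  # assumed size of the pool behind the L4 balancer


def round_robin_pick(n_backends, conn_index, client_ip):
    """Plain L4 balancing: consecutive connections spread over the pool."""
    return conn_index % n_backends


def source_ip_pick(n_backends, conn_index, client_ip):
    """Source-IP persistence: hash the client address to one fixed backend."""
    digest = hashlib.sha256(client_ip.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_backends


def simulate(policy, connections, n_backends=N_BACKENDS, shared_cache=False):
    """Replay connections. Each backend keeps its own session cache unless
    shared_cache=True, which models a distributed cache every backend sees.
    Returns resume hits, resume attempts and the busiest backend's load."""
    local_caches = [set() for _ in range(n_backends)]
    shared = set()
    per_backend = Counter()
    ok = attempts = 0
    for i, (ip, session_id, wants_resume) in enumerate(connections):
        backend = policy(n_backends, i, ip)
        per_backend[backend] += 1
        cache = shared if shared_cache else local_caches[backend]
        if wants_resume:
            attempts += 1
            if session_id in cache:
                ok += 1
                continue
        # Full handshake (first visit, or a resume this backend cannot serve):
        # the resulting session is stored in whichever cache this backend uses.
        cache.add(session_id)
    return {"resume_ok": ok, "resume_attempts": attempts,
            "max_backend_load": max(per_backend.values())}


def build_workload():
    """Constructed traffic: ten clients each do a full handshake followed by a
    resume, then a large forward proxy (constructed address) opens forty
    fresh connections from a single source IP."""
    conns = []
    for k in range(1, 11):
        ip, sid = f"10.0.0.{k}", f"client-session-{k}"
        conns.append((ip, sid, False))   # full handshake
        conns.append((ip, sid, True))    # resume attempt with that session
    for j in range(40):
        conns.append(("203.0.113.5", f"proxy-session-{j}", False))
    return conns


def run_all():
    """Run the same workload under the three policies discussed."""
    w = build_workload()
    return {
        "round_robin_local": simulate(round_robin_pick, w),
        "source_ip_local": simulate(source_ip_pick, w),
        "round_robin_shared": simulate(round_robin_pick, w, shared_cache=True),
    }


if __name__ == "__main__":
    for name, r in run_all().items():
        print(f"{name:20s} resumes {r['resume_ok']}/{r['resume_attempts']}"
              f"  busiest backend {r['max_backend_load']} conns")
```

With round-robin and local caches every resume misses, because the resume lands on the backend after the one that created the session. Source-IP hashing makes every resume hit but routes all forty proxy connections to one backend, while round-robin over a shared cache keeps both the hit rate and the even spread.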
