0

I am a building a site right now that has a lot of chat messages and social communication moving between users in both real-time and accessed through archives (text material, not images). I want to give the users the most secure experience possible and want to run everything through https. I'd say around 30% of the site really doesn't need https, but due to all the cross-frame javascript communication used in the site, it would be a development hassle to code things to work around cross-site scripting security measures. I am also using xhr long polling (ape ajax-push engine) for streaming data so I would also have many concurrent open connections running through stunnel.

My question is this: I have seen physical firewalls with hosts that can handle several hundred thousand regular concurrent connections but only several hundred concurrent ssl connections. In general, does scalability of physical firewalls deteriorate heavily with https vs http? Especially given that around 90% of all logged in users to the site will have a open connection to the server using the ape-engine for real-time data. If so, what options are there for firewalls to handle this situation properly for ssl while still allowing for scalability?

I understand the open ended nature of this question. What I am really just looking for what experiences other developers have had with such situations, how they have handled it, and what kind of hardware they have found useful in such cases. I can recode the site for https and http usage, but that's a last ditch option.

btw: The site is running on a LAMP stack. It will have to scale to around 1 million concurrent users so scalability really is important. (Let's not turn this into a debate about "your site will never get that large")

user57187
  • 177
  • 2
  • 7

2 Answers2

0

We're using F5 hardware loadbalancers here at work, and they can do SSL termination as part of what they do. They have taken a lot of load off of our servers by doing so, and we can scale horizontally much farther than we otherwise would have. The F5 model charges by concurrent SSL transactions per second, as defined by actively transmitting data in a given second, so that's hard to translate into from "1 million concurrent users" which is probably a session-count metric.

The key thing to note there is that these devices aren't a firewall in and of themselves. They're behind our firewall, we're just passing the tcp/443 traffic to them as we otherwise would tcp/80, and letting the devices shovel packets as needed. For SSL offloading, they're very efficient and come SSL certificate change-out time you only have to do it on a few devices instead of a bunch of servers.

sysadmin1138
  • 133,124
  • 18
  • 176
  • 300
  • Given that the ssl traffic is being routed directly to the load balancers past the firewall, do these load balancers provide protection against attacks such as ddos? I'm looking for a way to have all traffic pass through the firewall. – user57187 Oct 15 '10 at 02:07
  • All traffic IS being passed through a firewall, at the TCP level. The firewalls are not handling traffic at the HTTP level, though. – sysadmin1138 Oct 15 '10 at 02:36
0

Have a look at xmpp, and some of the cluster-able free servers, can scale is more suited to web app's that need conncurrent persistent connections.

The Unix Janitor
  • 2,458
  • 15
  • 13