1

Need to setup a scalable backend infrastructure for a mobile app. Connections to the API need to be SSL encrypted. To achieve a simple scalable solution i don't want to terminate SSL at the load balancers. So my options are to terminate it at the app/web servers or in a separate termination layer. No problems so far.

As we know the SSL handshake takes a few roundtrips which unfortunately causes latency. A common solution for this is to cache the SSL sessions. But to keep the stack scalable and load balanced i don't want to use session stickyness and keep my servers stateless. So i need to use a central/distributed SSL session cache, but the options are limited as far as i know.

Some options i know of:
- NGINX as SSL terminator with memcached session cache (http://hezmatt.org/~mpalmer/blog/2011/06/28/ssl-session-caching-in-nginx.html).
- Stunnel as SSL terminator with sessiond as session cache (https://www.stunnel.org/sessiond.html)
- Apache as SSL terminator with distcache as session cache (distcache.sourceforge.net/)

But these options are all outdated and/or under-documented. Are there any solutions i don't know of or recommendations for a scalable and fast SSL termination process?

Wouter
  • 58
  • 5

1 Answers1

1

How big do you need to scale? Something like an F5 BigIP 8900 can handle thousands of simultaneous SSL connections, saving you the need to build something complicated in favor of something that's used by lots of people (which means other people will have found the bugs for you).

Dennis Kaarsemaker
  • 19,277
  • 2
  • 44
  • 70
  • True, but i would like to restrict myself to solutions applicable in cloud environments. Although i agree that a F5 is an easy solution. – Wouter Jun 06 '13 at 13:01