- 浏览: 338703 次
- 性别:
- 来自: 北京
最新评论
-
hoey168:
请问楼主,ICE 客户端连接多个服务端,tcp -h 172. ...
ZeroC ICE之旅------负载均衡及容错 -
iOracleSun:
makeC++SharedLib 增加 -G参数即可链接成功 ...
AIX apache module问题 -
fanyonglu:
不错,讲的很细,学习中
ZeroC ICE之旅------java -
click_guobin:
...
我在深圳,每月收入850元,怎么也花不完,晒一晒我是怎么开销和投资的(zz) -
hanyu332:
引用修改%apache%/conf/httpd.conf修改为 ...
awstats日志分析小结(1)
SSL acceleration is a technique that off-loads the processor intensive public key encryption algorithms used in SSL transactions to a hardware accelerator. These solutions often involve a considerable up front investment as the specialized equipment is rather costly. This article though looks at using off the shelf server hardware and open source software to build a cost effective SSL accelerator.
Types of SSL Acceleration
Ultimately there are two ways to do SSL Acceleration or SSL off-load. It can be done on the server side by installing an SSL Accelerator card, which has special custom processors designed to perform the public key encryption algorithms in hardware rather than software. A quick search on Google will provide a number of guides on how to use those cards with projects such as Apache. This solution has the server performing the SSL transaction but the SSL transaction is processed on the card rather than using server resources. In fact, adding one of the higher end versions of these cards to the solution in this article would further increase its performance. However, it may simply be cheaper to add more horsepower to the server itself than to invest in expensive SSL off-load cards.
The other way to do SSL acceleration is to install a device in front of the web servers, this is typically an appliance or switch with comparable hardware to the SSL accelerator card. These devices often provide other features such as load balancing. They typically have higher transactions per second and thruputcapacity than a single server with an SSL accelerator card. The SSL accelerator in front of the servers takes the incoming SSL transactions, decrypts them, and then forwards them on to the servers as HTTP. This is still secure as the connection between the SSL accelerator and the servers is a private local network, there is no unsecured transaction going over the public Internet. This is the type of solution provided in this article, but instead of using an expensive SSL accelerator, it leverages the power of open source and off the shelf server processors.
Advantages of SSL Acceleration
SSL Acceleration reduces the amount of server processing considerably. The transaction coming into the web servers is simply a HTTP request, so there is no SSL encryption or decryption that needs to be done. The cost of managing SSL certificates and the number of SSL certificates is drastically reduced, now those SSL certificates reside on one or two SSL Accelerators, instead of many web servers. Improved security, as the SSL Accelerator is the only device that needs to be accessible to the Internet, the back-end web servers can reside on private IP subnets. The solution hides the back-end topology and the only IPs that need to access the web server ports are the SSL Accelerators.
Overview of the Solution
The Open Source SSL Accelerator requires a dedicated server running Linux. Which Linux distribution does not matter, Ubuntu Server works just as well as CentOS or Fedora Core. A multi-core or multi-processor system is highly recommended, with an emphasis on processing power and to a lesser degree RAM. This would be a good opportunity to leverage new hardware options such as Solid State Drives for added performance. The only software requirement is Nginx (Engine-X) which is an Open Source web server project. Nginx is designed to handle a large number of transactions per second, and has very well designed I/O subsystem code, which is what gives it a serious advantage over other options such as Lighttpd and Apache. The solution can be extended by combining a balancer such as HAproxy and a cache solution such as Varnish. These could be placed on the Accelerator in the path between the Nginx and the back-end web servers. Adding such options to the mix requires some trickery on the back-end to preserve the original client IP request.
In this solution, Nginx will handle the inbound SSL connections just like a regular HTTPS web server, but it will pass the request off to another web server rather than handling it by itself.
Configuring Nginx
Nginx can be built from source or installed using your favorite package management tool. Building it from source has been discussed in previous articles, and is well documented on the Nginx site itself. So to avoid duplication, this article will dive straight into the configuration. Within the http {} block, enable gzip compression.
- gzip on;
- gzip_min_length 1100;
- gzip_buffers 4 8k;
- gzip_types text/plain text/html text/css text/js;
With gzip compression enabled on the SSL Accelerator, there is no need to enable gzip compression on the web servers behind it. Thus further reducing the load on the servers. The upstream {} command is used to define which back-end set of servers to send requests to. For this example, the configuration is for ssl.b.o3magazine.com with three servers defined by private IPs. The SSL Accelerator in the test example had two NICs, one facing the public side and one facing the back-end server network, with an IP of 192.168.77.1/24.
- upstream ssl.b.o3magazine.com {
- server 192.168.77.10:80;
- server 192.168.77.20:80;
- server 192.168.77.30:80;
- }
Finally the magic is configured within the server block.
- server {
- listen 10.77.4.43:443;
- server_name ssl.o3magazine.com ssl.b.o3magazine.com;
- access_log logs/sslacc.log main;
- root /sslacc/www/o3magazine/htdocs;
- index index.html index.htm;
- ssl on;
- ssl_certificate /certs/sslo3.crt;
- ssl_certificate_key /keys/sslo3.key;
- location / {
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $http_host;
- proxy_set_header X-FORWARDED_PROTO https;
- proxy_redirect false;
- if (!-f $request_filename) {
- proxy_pass http://ssl.b.o3magazine.com;
- }
- }
- }
So this looks like a regular configuration entry for an SSL virtual server. It will listen on 10.77.4.43 port 443, the site is called ssl.o3magazine.com, has the usual ssl certificate and key configuration. The accelerator part is handled by the configuration within the location block. The X-Real-IP header is set to pass back the remote client IP, add the X-Forwarded-For, and set the HTTP host header. The X-FORWARDED_PROTO is there for web applications such as those running under Ruby on Rails. This command tells the web application to map its URLs to the HTTPS protocol even though the web application is receiving the request via HTTP. This is important because without it, the web application will generate HTTP rather than HTTPS type URLs, which will break links for the user.
The proxy_pass command passes the request via HTTP to the upstream block configured as ssl.b.o3magazine.com. This is what generates the HTTP request rather than a HTTPS request to the back-end servers. That is it, entries can be stacked in the server_name group, so if the same IP is used to bind to multiple sites and they use the same certificate. The block can be duplicated with the appropriate certificate lines changed and server_name lines changed to handle sites bound to the same servers but using different certificates.
Fine Tuning
The worker processes and worker connections determine the number of simultaneous connections Nginx can handle. Typically the number of worker processes should match the number of CPU cores on the system, then tweak the worker connections to meet the project requirements. It may also make sense to run multiple instances on Nginx, with the worker processes defined as 2, and the connections tweaked as needed. Then utilize the CPU affinity capabilities of the Linux distribution in use to assign each Nginx instance (the worker processes) to a particular CPU core. This is particular useful if one particular site is heavily hit, that site could be handled by a dedicated Nginx instance and assigned to a dedicated CPU core.
Storing Files on the SSL Accelerator
One thing that this solution can do that many commercial SSL accelerators cannot, is the ability to store files locally. In the example above, the conditional if statement only passes requests back to the web servers if the file is not found locally first. The ! -f in the if statement means if not found. To have files served by the SSL accelerator instead of back passing the request to the server, simply store the file in the document root within the appropriate path. In the example above, placing images in /sslacc/www/o3magazine/htdocs/images/ would have the SSL accelerator using local storage to serve up https://ssl.o3magazine.com/images/. On the flip side, if nothing is stored locally, simply remove the if statement completely to avoid the extra processing. On a high traffic site, it might make sense to store small heavily used files such as CSS, Javascript and Images on the SSL accelerator instead. This avoids passing traffic back to the web servers.
Offloading to different server farms
The conditional statements within Nginx are very powerful, its possible to perform a wide variety of Layer 7 packet processing on the HTTP or HTTPS request itself. This feature enables the solution to be deployed in non-traditional ways. A customer web site may consist of PHP and Rails components, along with static content. It might make sense to deploy the static content directly on the SSL Accelerator, then define two upstream blocks one for PHP and one for Rails. For example, php.ssl.o3magazine.com and rails.ssl.o3magazine.com. These would point to different IPs in the same format as the upstream block above. The conditional statement would simply redirect requests that matched the PHP application (perhaps by the .php and .inc extensions), using $request_uri and regular regex matching to http://php.ssl.o3magazine.com. Place that conditional above the existing one. Anything not PHP and not stored locally will get passed on to the rails back end. This makes the configuration simple and able to handle the URL based routing used in Rails. Further conditionals could be used to map the URLs used by the Rails App only to further secure the solution but depending on the application that maybe tedious.
Limiting Ciphers
There are many different reasons for limiting the types of ciphers that can be used. Perhaps a commerce solution where only high-end ciphers are desired. In that case, the follow lines added to any server block will restrict the ciphers and SSL version that can be used. The SSL Accelerator makes implementing site-wide policies like this very easy to do.
- ssl_ciphers HIGH:!ADH;
- ssl_perfer_server_ciphers on;
- ssl_protocols SSLv3;
Offloading HTTP Compression
This solution can also be used to off-load gzip compression to the SSL Accelerator. Perhaps a HTTP device does not support gzip compression or the system administrator wants to reduce the processing overhead on the entire web server farm. To achieve gzip compression offloading, simply place the SSL accelerator in front of the web servers, configure the web servers in an upstream block, and add regular HTTP server entries to the nginx configuration. This would be the same process as above, just listening on port 80, without the ssl commands and without the proxy_set_header options. HTTP requests would be passed through the SSL Accelerator to the web servers, the return traffic being compressed on its way back to the client.
Performance
The lab test system was a dual processor AMD Opteron 2380 2.5GHz Quad-Core system, for a total of 8 processor cores, L2 cache was 4 x 512k, and L3 cache was 6MB. Standard Intel Server Gigabit NICs, and 32GB of RAM. On a Tyan Transport platform, the system cost was under $5k. The system had no problems handling over 26,590 TPS, the test lab ran out of capacity to generate additional transactions. Compare that to the F5 Networks Big-IP 6900 which handles a maximum of 25,000 TPS but carries a starting price tag of $55,000. That starting price only includes 500 SSL TPS, so expect to pay a lot more to get up to the 25,000 level. It should be possible using this solution and even better hardware (8xxx series Opterons and more RAM), and perhaps some 10GbE adapters from Intel to come close, if not beat the performance of the BIG-IP 8900. Which has a maximum rate of 58,000 TPS. While obviously not as polished as the F5 solution, this Open Source solution does get the job done for a fraction of the price.
Conclusion
Nginx once again has shown that it is a versatile open source project. For the cost of a server and a few hours work, any system administrator can increase the capacity of their existing server farm by building an Open Source SSL Accelerator. Reducing the complexity of certificate management, reducing the number of certificates needed and reducing the overall load per request on the existing server farm, this solution offers a cost-effective way of breathing new life into an existing server farm.
发表评论
-
Redis 2.2.0 RC1 is out
2010-12-17 10:15 1229Redis 2.2.0 RC1 新特性:很多都是我所期待的; ... -
iBATIS 3 for Java Released (BETA 1)
2009-08-09 13:52 1393A month ago iBATIS turned 7 yea ... -
Memcached 1.4.0 Release
2009-07-10 17:10 1912New Features Binary Protocol ... -
nginx-0.7.60
2009-06-16 09:01 1479Changes with nginx 0.7.60 ... -
nginx-0.7.55
2009-05-06 18:47 1147Changes with nginx 0.7.55 ... -
March 2009 Web Server Survey
2009-04-02 12:49 1032In the March 2009 survey, we re ... -
nginx 缓存功能
2009-03-26 16:02 4422随着 nginx-0.7.44的发布,nginx的c ... -
Memcached Beta 1.3.2 Released
2009-03-12 16:21 1210We've just released memcached ... -
nginx 0.7.40
2009-03-09 17:09 1045Changes with nginx 0.7.40 ... -
February 2009 Web Server Survey
2009-03-02 09:19 1078In the February 2009 survey we ... -
Handle 1 Billion Events Per Day Using a Memory Gri
2009-02-17 10:41 1053Moshe Kaplan of RockeTier shows ... -
Scaling Digg and Other Web Applications
2009-02-16 11:36 1103Joe Stump, Lead Architect at D ... -
MySpace Architecture
2009-02-13 10:39 1255Information Sources Presenta ... -
Cloud Relationship Model
2009-01-20 09:53 1158Hiya All, welcome to my first g ... -
January 2009 Web Server Survey
2009-01-19 15:33 1103In the January 2009 survey we ... -
December 2008 Web Server Survey
2008-12-25 17:47 1009In the December 2008 survey, ... -
Apache 2.2.11
2008-12-15 13:24 1422Changes with Apache 2.2.11 * ... -
nginx 0.7.26
2008-12-09 12:05 1089Changes with nginx 0.7.26 ... -
Python 3.0 final released
2008-12-04 10:47 1376We are pleased to announce the ... -
nginx-0.7.23
2008-11-28 08:38 912Changes with nginx 0.7.23 ...
相关推荐
### Intel Open Source HD Graphics Programmer's Reference Manual:关键知识点解析 #### 一、文档概述 《Intel Open Source HD Graphics Programmer's Reference Manual》(简称PRM)是针对2015-2016年Intel Core...
标题中的“Intel Cache Acceleration Software”(简称ICAS)是一款由英特尔公司开发的软件,旨在提升计算机系统的存储性能。这款软件特别关注的是利用傲腾(Optane)内存技术,为系统提供更快的数据存取速度。...
SSL acceleration reduces the number of servers required for secure applications, improves server efficiency and dramatically improves application performance. Offloading compute-intensive key ...
QDART (Qualcomm Development Acceleration Resource Toolkit ): 1.校准工具QSPR 2.QCRT 射频调试工具 3.QSML 高通QLIB库函数,做校准开发、下载工具等需用到 QXDM
Training Acceleration Research-engTraining Acceleration Research
windows加速工具
在Android Studio中,我们经常需要用到虚拟机ADV,但是运行的时候显示错误:ERROR: x86 emulation currently requires hardware acceleration!。安装此插件即可解决。
DirectX Video Acceleration (DXVA) 是微软为提升视频回放性能而开发的一套技术标准。它利用硬件加速功能来减轻CPU的负担,从而实现更流畅的高清视频播放体验。DXVA不仅支持常见的视频编解码器,如H.264、VP9等,还...
【标题】:“wp-acceleration-for-china”指的是针对WordPress网站在中国进行访问速度优化的解决方案。这通常涉及到一系列策略和工具,旨在改善中国用户访问基于WordPress的网站时的加载速度和用户体验。 【描述】...
QorIQ Data Path Acceleration Architecture (DPAA) 是NXP半导体公司(前身为Freescale Semiconductor)推出的一种硬件加速架构,旨在提高数据包处理的效率和性能。DPAA是一种针对网络通信应用的专用硬件加速解决...
标题“emulator: ERROR: x86 emulation currently requires hardware acceleration!”是Android开发中常见的一个错误信息,当尝试在没有硬件加速支持的环境中运行Android Emulator时会出现。这个错误提示意味着你...
Hardware Acceleration 279 Denial of Service Attacks 280 Key Exchange and Encryption CPU Costs 281 Client-Initiated Renegotiation 282 Optimized TLS Denial of Service Attacks 282 10. HSTS, CSP, and ...
### 加速技术在无线电覆盖预测中的应用 #### 摘要 本文介绍了一种用于优化无线电覆盖区域预测所需计算时间的技术。为了减少计算时间并提高效率,研究者们提出多种方法来简化所使用的传播模型的复杂性。...
作者 : Christian de Schryver, Henning Marxen, StefanWeithoffer, and NorbertWehn Build on these high-quality random number generators, we present an efficient FPGA architecture for option pricing in ...
标题中的"4NewMark linear acceleration.zip"指的是一个包含了四个不同版本或参数设置的Newmark算法实现,专门针对线性系统进行加速度的计算。"Newmark 位移_acceleration_newmark"强调了该程序关注的是利用Newmark...
本项目涉及的主题是“acceleration&economic_动力性仿真_vehicle_acceleration_vehicletovehicle”,这表明研究的核心在于通过仿真技术来分析车辆的加速性能以及在车对车(vehicle-to-vehicle, V2V)交互情况下的...
在车辆动力学领域,横摆角速度(Yaw Rate)和横向加速度(Lateral Acceleration)是两个关键的参数,它们对于车辆稳定性和操控性分析至关重要。本话题将深入探讨如何利用车辆模型来预估这两个参数,并将其与实际...
这个名为“Tesla-Regen-Brakes-and-Sudden-Acceleration.zip”的压缩包文件似乎聚焦于两个关键的特斯拉车辆功能:再生制动(Regenerative Braking)和突然加速(Sudden Acceleration)。 再生制动是特斯拉电动车的...
综上所述,"Acceleration(MMA7455L).zip_acceleration_mma7455l"这个项目主要涉及到使用STM32微控制器模拟MMA7455L重力加速度传感器,涵盖了硬件接口配置、驱动程序开发、数据处理和优化等多个方面的知识。...
Integrated browser based on the open source WebKit engine Optimized graphics powered by a custom 2D graphics library; 3D graphics based on the OpenGL ES 1.0 specification (hardware acceleration ...