SSL session caching in nginx

76 points by brkcmd, almost 14 years ago

7 comments

mentat, almost 14 years ago
Crypto hardware acceleration is commodity. I believe that Broadcom sold the chips for <$5 over 5 years ago. To say they don't scale horizontally doesn't make sense either. If they're integrated with PCIe then you can get a lot of crypto processing in a single chassis. (Disclosure: Used to make crypto accelerators and load balancers)

There surely are reasons not to integrate at the load balancer, but they're not because the load balancer will melt down.
nwmcsween, almost 14 years ago
You'll usually run out of entropy before CPU usage becomes relevant with SSL processing; I've seen old versions of Apache hang with little or no entropy to process SSL connections. I recommend some sort of RNG or a poor man's software version such as http://www.issihosts.com/haveged/
thecoffman, almost 14 years ago
Very cool post - not only is it informative, but you've taken the "oh-so-rare" extra step of actually coding up a solution to what you're talking about - rather than taking the easier approach and just telling others what they're doing wrong but presenting no practical alternatives. Kudos!
sugarcode, almost 14 years ago
One downside of this approach (without some funky iptables/networking-fu) is that you lose the source IP from the original request. Adding headers like X-Forwarded-For only works after the request has been decrypted, so all the traffic will appear to source from the load balancer, which can present its own issues.

IMO (and I believe Google agrees - http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html) the advantages of terminating SSL at the load balancer outweigh the horizontal scalability of this approach, at least in most cases.
thomas-st, almost 14 years ago
Why does session affinity not solve the problem of session caching? The author says it's "a whole other world of pain and suffering" but doesn't explain why.
mmaunder, almost 14 years ago
Matt, this is awesome. Nginx is becoming the standard for front end load balancing for many high traffic sites and this helps. We only have one nginx front end load balancer (even though we do over 4000 http req/s) but we'll be migrating to a cluster soon so I'll give this a whirl.
tobylane, almost 14 years ago
I had to check several times I hadn't accidentally hit zoom a few times.

Sounds useful, but how many visitors do you need to have for this to be worth doing?