Perlbal speaks SSL - brad's life
Brad Fitzpatrick

Perlbal speaks SSL [Aug. 16th, 2005|05:02 pm]

Perlbal can now do SSL like pound, speaking SSL to clients, but plain HTTP to the backends.

And it was only like almost no work thanks to IO::Socket::SSL.

I'm sure there's some more work to do here and there, but I didn't expect it to just work after so frickin' little effort.

Comments:
From: midendian
2005-08-17 12:25 am (UTC)
Is there a comparison of open source reverse proxy solutions somewhere? I didn't even know about pound.
From: brad
2005-08-17 12:28 am (UTC)
As far as I know there are:

squid -- does caching
pound -- does SSL
plb -- event based (what else?)
mod_proxy -- de facto standard, but kinda sucks
perlbal -- includes the kitchen sink, but no caching

But an unbiased review? Not that I'm aware of.
From: lithiana
2005-08-17 12:33 am (UTC)
out of interest, what sucks about mod_proxy? people sometimes suggest we use it instead of squid...
From: brad
2005-08-17 12:43 am (UTC)
-- heavy(ier than alternatives)

-- exposes backend connect errors to clients, rather than reconnecting to another node, but see:

-- can't connect to more than one backend node, so it isn't really a load balancer, just a tiny little buffer. you can make it connect to multiple backend nodes with mod_rewrite + external rewrite map program grossness, but then it gets slow, and see second item above.... no way to handle errors if you map to a down node.

-- no visibility into what's going on, so hard to plug into monitoring tools (compare with all perlbal's runtime introspection commands)

-- not enough buffering flexibility
From: midendian
2005-08-17 12:36 am (UTC)
Thanks.

I've only used mod_proxy, and hate it. Thinking of switching to perlbal.
From: bsdguru
2005-08-17 11:11 am (UTC)

perlbal = <3

Perlbal is way better than mod_proxy. I'm even using it for reverse proxying doc.php.net as well as various other sites. You definitely won't regret switching to Perlbal ;)
From: xaosenkosmos
2005-08-17 02:05 am (UTC)
We love us some squid at work; we have this ugly LVS<->Squid<->Apache<->Filer abomination for our www.${work}.org cluster, and it works great. We get appreciable winnage out of using squid for local caching of hot files.

But, sadly, squid for Host:-based vhosting had issues when a coworker looked into it last. My understanding is that it's been progressing, but I'm not sure where it stands.
From: bsdguru
2005-08-17 11:33 am (UTC)

SSL is good :)

Hi Brad,

Do you have an example config where you've set up the certificate and key for doing SSL support? :)
From: brad
2005-08-17 03:40 pm (UTC)

Re: SSL is good :)

Docs and example confs are in the latest 1.35 release.
From: (Anonymous)
2005-08-17 05:36 pm (UTC)

Re: SSL is good :)

Excellent sir!
From: (Anonymous)
2005-08-18 04:13 am (UTC)

Re: SSL is good :)

I have used Pen (http://siag.nu/pen/) in the past and it has worked. What was especially convenient for me was the fact that Pen runs on Windows too, unlike most of these suggestions above. And I am doomed to use Windows servers.

How is monobal coming?
From: brad
2005-08-18 05:53 am (UTC)

Re: SSL is good :)

Monobal turned into Perlbal.

Perlbal should run on Windows, too, especially with PAR.