Lack of SSL in EC2

We have deployed our Rails application in EC2. In our setup, we have two proxies on small instances behind a round-robin DNS. They run nginx as load balancers for a dynamically growing and shrinking web server farm. Each web server also runs nginx with a mongrel cluster; nginx there takes care of static content and load balancing across the mongrels.

In any case, our traffic is basically all HTTPS. We have 2 proxies that take care of SSL. I noticed that the network bandwidth in these cases is only 60 Mbps or so. For comparison, during testing I can consistently get 700 Mbit/s on a small instance over regular HTTP. In fact, this is the same thing I can get on a large instance. Similar to what the RightScale guys got in their testing. (Amazon says the small one gets "moderate" network I/O, while the large one gets "high." If I had to guess, I think this is just their way of saying that there are more small instances on the physical box sharing the same network card. I'm not sure if this means that the large one gets a dedicated network interface, but I would doubt it.)

During testing, I was able to get a large instance to serve SSL at 250 Mbps. This tells me that the processor or some other resource is a bottleneck. However, our monitoring charts do not show that the CPUs on our proxies are especially busy.

My questions:

  • Is my instinct that SSL is slower due to CPU correct, and our monitoring charts erroneous? Or could some other resource be the limiting factor?
  • Should we just take the extra charge and put the proxies on high-CPU instances? Or would it be better to just add more small instances?
  • Should we do SSL termination on the web servers instead? However, this raises another problem: how do we get the client IP address in our application? Right now our proxy sets it in the X-FORWARDED-FOR header, but obviously this will not be possible if it does not decrypt SSL.

I would love to hear about any such setups. We played a little with their Elastic Load Balancer, but I think that basically puts us in the same situation as No. 3 above. Has anyone else switched to ELB and found it worth it?

+6
ruby-on-rails ssl amazon-web-services amazon-ec2 nginx
3 answers

Do you use the SSL session cache that nginx provides? This can help nginx save on cycles by not constantly redoing the handshake. See http://wiki.nginx.org/NginxHttpSslModule#ssl_session_cache

What monitoring do you use to determine your processor usage? Usually SSL is very CPU intensive.

I would keep the SSL proxy as a dedicated layer, so you can scale the cost of SSL negotiation separately from other problems.

+4
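An added example of the setup the question and this answer describe (SSL terminated on the nginx proxy, session cache enabled, client address passed to the web farm in X-Forwarded-For); this is not configuration from the thread, and the hostnames, certificate paths and upstream addresses are placeholders:

```nginx
# Added example, not from the thread. Placeholders: example.com, the
# certificate paths and the 10.0.0.x upstream addresses.
http {
    upstream web_farm {
        server 10.0.0.11:80;   # placeholder: web server (nginx + mongrels)
        server 10.0.0.12:80;   # placeholder
    }

    # Session cache shared by all worker processes (about 4000 sessions
    # per MB). A resumed session skips the full RSA handshake, which is
    # where most of the SSL CPU cost sits, so keep it enabled on the proxy.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    server {
        listen 443 ssl;
        server_name example.com;                              # placeholder
        ssl_certificate     /etc/nginx/ssl/example.com.crt;   # placeholder
        ssl_certificate_key /etc/nginx/ssl/example.com.key;   # placeholder

        location / {
            proxy_pass http://web_farm;
            proxy_set_header Host              $host;
            # The client address is only known here, where SSL is decrypted,
            # so the proxy is the place that must add it for the app.
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Two checks worth doing: `openssl s_client -connect example.com:443 -reconnect` reports `Reused` on the follow-up connections when the session cache is actually working, and the web servers behind the proxy should only trust X-Forwarded-For values that arrive from the proxies' own addresses, since any client can put that header on its own request.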

I use SSL on Apache, which handles access to our Subversion repository on a Small Windows EC2 instance. In testing, I found that HTTPS access was slower than HTTP, but for the obvious reason that encryption/decryption is not an instant process, as you would expect.

If your processor figures are correct and you do not see excessive load, then it follows that bandwidth is the limiting factor; however, I really don't understand why you can get 700 Mbit/s on an HTTP instance compared to only 60 Mbit on an HTTPS instance. Unless the test conditions were not virtually identical, of course, and there is something else happening inside the HTTPS instance that you did not take into account - in ...

Larger instances, of course, get a better share of the host bandwidth than Smalls - there are fewer competitors for resources. Since the internal EC2 network is Gigabit Ethernet, seeing 700 Mbps on a large instance is possible if no other large instances on the same node are demanding bandwidth. To get this from a small instance, you would need to be very lucky to be running inside a very lightly loaded host. And in that case there will be no guarantee that you will maintain this level of performance - as soon as other Smalls come online, your share of the available bandwidth will begin to decline.

I think that this is, in fact, a problem with the bandwidth of a small instance - adding more Smalls will not necessarily help a lot, because you cannot control which host they are spun up on; larger instances, however, receive a larger share of the bandwidth and, therefore, may have more stable availability.

0

SSL is slower: true, so any HTTPS request will be slower than a regular HTTP request.

Try creating a similar setup on your local network, where you have 3 mongrel clusters and 2 web servers, and test with curl-loader by sending about 5k requests.

If everything is all right, that's great. Otherwise maybe you will have to push harder with the guys from EC2.

-2