Hi Matthew,

> > And a hardware crypto device will level HTTPS to the HTTP volume
> > without it?
>
> Probably. The usual approach with HTTPS once traffic levels get big
> enough is crypto-offload. You use a separate device as the crypto
> endpoint: typically built into a load balancer. You can do this using a
> PF based firewall using relayd(8) for a lot less money, and in this case
> one crypto accelerator card in your firewall could support several
> webservers behind it.

That's pretty close to what I had in mind, though I considered a separate
device in a DMZ for load balancing and mod_proxy/mod_security, as a
minimum. However, HTTP(S) is only one of so many protocols.

> Heh. When I said 'pretty fancy kit' I meant something considerably more
> *shiny* than a Cisco ASA5510. In fact, running OpenBSD on a commodity

Ok, you win that one :) We typically use one up from that as a minimum.
Dunno if that regains me my face though...

> server is roughly performance compatible with a 5510 but considerably
> cheaper if you want all the trimmings like high-availability, unlimited
> numbers of servers, GB on all interfaces etc.

That is all true, but these arguments only work if you talk to
security-literate people, not managers who prefer "something with a real
seal on" and regular updates etc. Since the latter are the ones who
authorise the cash, here we go. There are some who I can convince, but
frequently it's just not worth the discussion. Imho, unfortunately, but I
don't want to start an advocacy thread here.

> Note that ASA5510 level kit tends to do things like deep packet
> inspection, content based filtering etc. [Not to mention fubar'ing EDNS0
> and screwing with SMTP so hard it breaks.] PF itself is purely based on
> dealing with packet headers: however you can easily add things like
> squid caching and filtering, snort etc. but these will ramp up the CPU
> requirements beyond what a small appliance could support.

As indicated initially, I intend to shift the load off the firewall to a
separate device, which then may do a lot more to the traffic than the
firewall. But I don't see why I shouldn't try to use the same kind of
hardware platform for both. However it may be, I will first set this up
with the hardware I already have and then see what I find and where to
optimise best before going to series. I also must improve significantly
on my config management before I actually can do that, just as others do
when I look at other threads.

> > My reason for the post was considering more another 'quiet' and
> > 'lowpower' project I have, so that's probably a completely different
> > pair of shoes. I'll try without first and then see what comes out of
> > it.
>
> Commodity servers certainly don't fulfil the "quiet" requirement. Most
> of them have enough fannage to build a fairly respectable hovercraft.

Nope, they don't. I used to dry my hair behind the cabinets. And I used
to have a lot of that :)

Thanks again for your responses, and

All the best regards,
Peter.

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
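Matthew's suggestion above, terminating HTTPS with relayd(8) on the PF firewall so that one box does the TLS work for several plain-HTTP web servers behind it, as an added example of what such a configuration looks like. This is not configuration from either poster. It assumes OpenBSD's relayd with the keyword spelling of the current relayd.conf(5) manual (`tls`; older releases spelled the same option `ssl`), an assumed public address 203.0.113.10 on the firewall and two assumed backends 10.0.0.11 and 10.0.0.12 (RFC 5737 / RFC 1918 documentation and private ranges, not real hosts):

```conf
# relayd.conf: TLS termination on the firewall in front of two HTTP-only web servers.
# Added example, not from the thread. All addresses below are assumptions.

ext_addr = "203.0.113.10"   # assumed public address the firewall listens on
web1     = "10.0.0.11"      # assumed backend web servers, reached over cleartext HTTP
web2     = "10.0.0.12"

table <webhosts> { $web1 $web2 }

# What relayd does to each request once it has been decrypted.
http protocol "https_offload" {
    # Backends only ever see the relay's address; pass the real client on.
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

    # Tell browsers to stay on HTTPS for a year (HSTS).
    match response header set "Strict-Transport-Security" value "max-age=31536000"

    # Refuse legacy protocol versions and anonymous/export cipher suites.
    tls { no tlsv1.0, no tlsv1.1, ciphers "HIGH:!aNULL:!EXPORT" }

    tcp { nodelay, sack, socket buffer 65536, backlog 128 }
}

# The relay itself: listen with TLS on the outside, forward HTTP to the pool.
relay "https" {
    listen on $ext_addr port 443 tls
    protocol "https_offload"
    # Health check: a backend stays in the pool only while GET / returns 200.
    forward to <webhosts> port 80 check http "/" code 200
}
```

relayd expects the private key and certificate for the listen address under /etc/ssl/private/ and /etc/ssl/ respectively (the exact file naming is in relayd.conf(5) for the release in use), and `relayd -n` checks the file before it is loaded. Because the relay is a userland socket on the firewall, pf.conf only needs a rule passing TCP port 443 to $ext_addr; no rdr or relayd anchor is involved. The two `X-Forwarded-*` headers are what lets mod_security or the web servers' own logs see the real client address once TLS is stripped here, which is otherwise lost behind the relay.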