nanog mailing list archives

Re: HTTPS-everywhere vs. proxy caching


From: Leslie <geekgirl () gmail com>
Date: Sun, 5 May 2013 07:26:14 -0700

On Fri, May 3, 2013 at 12:06 PM, Jay Ashworth <jra () baylink com> wrote:
> It occurs to me that I don't believe I've seen any discussion of the
> Unexpected Consequence of pervasive HTTPS replacing HTTP for unauthenticated
> sessions, like non-logged-in users browsing sites like Wikipedia.
>
> That traffic's not cacheable, is it?  Proxy caches on services like
> mobile 3/4G, or smaller ISPs, or larger corporations can't cache it, I
> wouldn't think, which means both that they will see traffic increases,
> and that the end sites will as well.
>
> Has this been discussed and I missed it?  Do I improperly understand
> transparent caching?  Or is this just a bomb waiting to go off?
>
> I assume that Wikipedia themselves are on top of the idea that their
> in-house reverse-proxies won't be carrying that traffic (though I don't
> actually know what their architecture looks like anymore), but..


If anyone's curious about Wikipedia (we're open with our architecture)
- we aren't really affected by using https instead of http for non
logged in sessions.  I'm assuming all of the other major sites use
similar methods.

The path goes user <--> LVS load balancer <--> nginx ssl termination
<--> varnish (caching layer) <--> (if cache miss) application layer

The only extra "hop" for https is the ssl termination, and while if
all of a sudden 100% of our traffic switched from http to https, we'd
be underprovisioned and have to scramble, the incremental effect of a
single user (or all the https everywhere users!) using https is
incredibly tiny.  It's not as cpu-intensive as many people think.

Unless a corporation is breaking ssl (like in this case -
http://superuser.com/questions/115349/firefox-this-connection-is-untrusted-behind-corporate-firewall
) their proxies would be unable to cache SSL content.

If you're curious about wikimedia's architecture, you can check it out
on our wiki -- https://wikitech.wikimedia.org/wiki/Main_Page

Leslie

> Cheers,
> -- jra
> --
> Jay R. Ashworth                  Baylink                       jra () baylink com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
> St Petersburg FL USA               #natog                      +1 727 647 1274
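
The TLS-termination hop described in the message above, sketched as an added example that is not part of the original post and not Wikimedia's actual configuration: nginx decrypts HTTPS and hands plain HTTP to a Varnish cache, so a cache hit is served the same way whether the client used http or https. The hostname, certificate paths, and the Varnish address 127.0.0.1:6081 are assumptions.

```nginx
# Assumed local Varnish listener; adjust to where the cache actually runs.
upstream varnish_cache {
    server 127.0.0.1:6081;
    keepalive 64;                      # reuse backend connections to the cache
}

server {
    listen 443 ssl;
    server_name www.example.org;       # placeholder hostname

    # Placeholder certificate and key paths.
    ssl_certificate     /etc/nginx/tls/example.org.crt;
    ssl_certificate_key /etc/nginx/tls/example.org.key;

    # Session resumption lets returning clients skip the full handshake,
    # which is where most of the per-connection CPU cost sits.
    ssl_session_cache   shared:SSL:50m;
    ssl_session_timeout 1h;

    location / {
        # From here on the request is ordinary HTTP, so Varnish can
        # look it up and answer from cache like any http:// request.
        proxy_pass         http://varnish_cache;
        proxy_http_version 1.1;
        proxy_set_header   Connection "";

        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tells the cache and application the client side was HTTPS,
        # so redirects and generated links keep the right scheme.
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Only the site operator can do this, because it holds the private key; a third-party proxy in the path sees an opaque TLS stream unless it substitutes its own certificate, as in the corporate case linked above.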


