On Tue, Apr 30, 2013 at 11:14:48AM -0700, Daniel Friesen wrote:
> On Tue, 30 Apr 2013 10:27:21 -0700, Petr Bena benapetr@gmail.com wrote:
>> SSL is requiring more CPU, both on server and client, and disables all kinds of cache (such as squid or varnish), and some browsers may have problems with it OR in some countries encryption may be even illegal.
> SSL does not disable caches. SSL is terminated at the cluster, Squid/Varnish are in on the raw HTTP and serve out HTTP EXACTLY the same way they serve out normal HTTP requests (they even use the exact same cache thanks to our protocol relative URLs).
I can verify that the above is correct and Petr is wrong.
However, we terminate SSL before proxying to the normal caching layers, and the infrastructure for this is too small to handle significant portions of the traffic (if it were bigger, it'd be a waste of resources and hence money, considering its current usage). If we were to push normal traffic to them, we'd quickly reach all kinds of limits, incl. CPU and network.
That isn't to say that it's impossible to scale up this infrastructure if needed (or, more likely, adapt the design of the infrastructure to incorporate such an expansion by putting it closer to the caching layers), but it should be considered that it's not just about enabling a MediaWiki config setting to do this but also involves other operations-related engineering work.
That being said, my gut tells me that making all the logins SSL-enabled is not going to make a significant difference compared to current usage, but I don't have any numbers to back this up right now. Maybe Ryan has them.
Cheers,
Faidon