Perlbal and Stunnel

Alessandro Ranellucci aar at
Mon Jan 16 18:46:51 UTC 2006

On 16-01-2006 at 18:32, Kevin Minnick wrote:

 >Yes, 100 different IP addresses.  We host SSL sites for many different
 >companies, each with their own SSL cert.

100 stunnel instances will work for sure. I don't know how stunnel
scales, though, so it may also become a bottleneck. Maybe an SSL-enhanced
hardware load balancer would do that more nicely.

 >If mod_proxy supported an easy way (or any way) to:
 >1.  Detect a backend server failure
 >2.  Load Balance backend servers
 >I would use that since it does support SSL nicely.

What about mod_proxy > Perlbal > backends?

 >On a side note, I looked at the code for IO::Socket::SSL but I could
 >not figure out how to get past the blocking issue, but I'm by no
 >means a skilled Perl programmer.

The problem is neither in IO::Socket::SSL nor in Net::SSLeay, but
in the OpenSSL libraries. That tiny SSL_accept() function in ssl_lib.c
is the blocking part, so I'm afraid that it would be quite impossible to
make that non-blocking by providing callbacks and so on.
I think that this task could be accomplished by a module similar to
IO::AIO, that is something with pthreads and a poll-like interface.
I haven't got any time to work on such a module, though :)

  - alessandro.
