
>"There are some really cool "tricks" for avoiding the round trip — round trips are why everyone should be using a global load balancer for SSL. Clients have to send 2 packets across the world and wait for a reply, which can add >100ms before any actual work happens."

What is a "global load balancer"? A load balancer doesn't avoid any round trips. The "work" of TLS begins as soon as the client sends a ClientHello, which is during the second round trip. On a new connection the total number of round trips is 4 if you include the GET request. It's 3 round trips if you only consider the TCP handshake and the TLS handshake. This is true whether there is a load balancer or not.




I assume a load balancing / caching solution that is available on an anycast IP address. The TLS termination happens at the (ideally) closest point of presence (PoP). The idea is to reduce the RTT from client to its termination point.

Think CloudFlare CDN or the Google Cloud Load Balancer.

Edit: Mistyped RTT as TTL.


Sure, you can reduce the RTT by moving the edge closer to the eyeballs, but that's not the same as avoiding an RTT as the OP stated. That's all I was commenting on. There are mechanisms to do that, however, such as session tickets/resumption, but that's not something specific to load balancers.
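An added worked model of the round-trip accounting discussed in the comments above (example code, not written by any poster): per-handshake round-trip counts follow the thread (TCP 1, full TLS 1.2 handshake 2, GET 1, resumed TLS 1), and all millisecond RTT figures are constructed sample values, not measurements.

```python
"""Time-to-first-byte (TTFB) model for a fresh HTTPS request.

Shows the two separate effects debated above: terminating TLS at a nearby
PoP shrinks each round trip but does not remove any, while session
resumption removes one round trip regardless of where TLS terminates.
"""

TCP_HANDSHAKE_RTTS = 1
TLS_FULL_RTTS = 2        # TLS 1.2 full handshake
TLS_RESUMED_RTTS = 1     # TLS 1.2 abbreviated handshake (session ticket / ID)
REQUEST_RTTS = 1         # GET request and the first byte of the response


def handshake_rtts(resumed: bool = False) -> int:
    """Round trips the client spends before the first response byte arrives."""
    tls = TLS_RESUMED_RTTS if resumed else TLS_FULL_RTTS
    return TCP_HANDSHAKE_RTTS + tls + REQUEST_RTTS


def ttfb_direct(rtt_client_origin_ms: float, resumed: bool = False) -> float:
    """Client connects straight to the origin; every round trip spans the full distance."""
    return handshake_rtts(resumed) * rtt_client_origin_ms


def ttfb_edge_terminated(rtt_client_edge_ms: float, rtt_edge_origin_ms: float,
                         resumed: bool = False, origin_keepalive: bool = True) -> float:
    """TLS terminates at a nearby PoP, which forwards the request to the origin.

    The client performs the same number of round trips as in the direct case,
    but each one only covers the short client-to-edge distance. The edge-to-
    origin leg costs one RTT when the PoP holds a warm keep-alive connection;
    otherwise the PoP pays its own TCP + full TLS handshake first.
    """
    client_leg = handshake_rtts(resumed) * rtt_client_edge_ms
    origin_rtts = REQUEST_RTTS if origin_keepalive else handshake_rtts(False)
    return client_leg + origin_rtts * rtt_edge_origin_ms


if __name__ == "__main__":
    # Constructed scenario: client 100 ms from origin, 10 ms from the nearest
    # PoP, and that PoP 90 ms from the origin.
    print("direct, full handshake:   %.0f ms" % ttfb_direct(100))
    print("direct, resumed session:  %.0f ms" % ttfb_direct(100, resumed=True))
    print("edge, full handshake:     %.0f ms" % ttfb_edge_terminated(10, 90))
    print("edge, resumed session:    %.0f ms" % ttfb_edge_terminated(10, 90, resumed=True))
    print("edge, cold origin conn:   %.0f ms" % ttfb_edge_terminated(10, 90, origin_keepalive=False))
```

With a cold edge-to-origin connection the edge case costs the same 400 ms as connecting directly, so the gain from edge termination depends on the PoP keeping warm connections back to the origin.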


The OP didn't claim using a "global" LB would eliminate round-trips, just that you should use one because of the round trips.


The OP stated:

>"There are some really cool "tricks" for avoiding the round trip — round trips are why everyone should be using a global load balancer for SSL."

"Avoiding" means not incurring them, so yes they did claim a "global" LB would eliminate round trips.


That actually wasn't what I meant to claim, but it's too late to edit! It was an awkward sentence for sure.

The simpler sentence is: minimize round trip cost by getting close to users. Also avoid round trips if you can. :)


If you are terminating TLS on an edge network then you are likely caching the content there as well so as not to incur the latency in fetching it from origin. This is called a CDN not a load balancer.


There are a bunch of relatively pure global load balancer services available out there. Google Cloud's load balancer, for example. It works pretty well to terminate SSL close to visitors then maintain connections from load balancers back to app instances.


You avoid an RTT to the web server by having TLS terminate in the load balancer.


Why a load balancer and not a CDN? A CDN can definitely help.

Here's a good guide to an SSL handshake: https://www.incapsula.com/cdn-guide/cdn-and-ssl-tls.html#ssl...

The handshake adds 2+ additional round trips, so a CDN can definitely help this.


Agreed, I said the exact same thing in another comment on this thread.



