[support] Drupal on HTTPS

Gordon Heydon gordon at heydon.com.au
Thu Oct 23 21:49:45 UTC 2008


Hi,

It is not so much the additional load on your server to encrypt all
the pages, but it is the flow-on effect which is where the load gets
bigger.

Mainly the SSL break proxy servers who can only pass thru pages and  
other artifacts without being able to cache anything. This means that  
you will use more bandwidth, and loading of pages for the most part  
will not be as snappy as users will always be getting stuff from your  
server and not something closer.

Gordon.

On 24/10/2008, at 7:10 AM, Daniel Carrera wrote:

> Thanks. I guess I might need to benchmark during a high period and see.
>
> The website generally doesn't get a lot of hits, and we don't serve very
> large files. It's mostly text. But we might see more traffic on the last
> week of school.
>
> Metzler, David wrote:
>> It depends on many factors. The primary performance concern is
>> encrypt/decrypt of the data and its impact on CPU. Image files, large
>> PDF documents, etc. when encrypted can cause CPU performance impact. If
>> your browsers cache much of this content it's not a huge load, but of
>> course you need to think about how many concurrent hits you're likely to
>> get on your site.
>>
>> Also understand that this means that the clients need to decrypt the
>> data. So again if you're sending say a big .wav file to grandma's 6 year
>> old computer that is loaded with AV software and that old clunker has to
>> decrypt the content and then scan it for viruses, well grandma may
>> decide not to watch that movie after all.
>>
>> I guess what I'm saying is that if you're doing regular text, with small
>> numbers of images and you don't expect an insane amount of hits, and
>> you're not shared hosting, and your server is reasonably current as
>> far as CPU is concerned, you probably aren't going to notice too much.
>>
>> But if your target audience has old clunkers, or you are planning on
>> putting up heavy content, or you aren't blessed with an abundance of
>> CPU, then it's probably worth your while to set up securepages, and make
>> sure your site can respond to https and http.  Frankly that last step
>> I'd do anyway so you can advertise example.com without users having to
>> remember to type https.
>>
>> Either way you can pretty much look at CPU load to determine whether
>> this is an issue for you.
>>
>> Good luck,
>>
>> Dave
>>
>>
>>
>> -----Original Message-----
>> From: support-bounces at drupal.org [mailto:support-bounces at drupal.org]
>> On Behalf Of Daniel Carrera
>> Sent: Thursday, October 23, 2008 1:48 AM
>> To: support at drupal.org
>> Subject: Re: [support] Drupal on HTTPS
>>
>> Thanks.
>>
>> You mention performance issues. How bad is it? I spent several hours
>> Googling and I found two papers. One that claims that the delay due to
>> HTTPS is minimal and another that claims that the delay is significant.
>> :-(
>>
>> Metzler, David wrote:
>>> Naw we do this (Aside from the obvious performance issues about
>>> decrypting data for large numbers of hits).  There's a securepages
>>> module out there to force redirects on certain pages if you're
>>> interested in making sure that just the login information or user
>>> information happens over https.
>>>
>>> http://drupal.org/project/securepages
>>>
>>> Dave
>>>
>>> -----Original Message-----
>>> From: support-bounces at drupal.org [mailto:support-bounces at drupal.org]
>>> On Behalf Of Daniel Carrera
>>> Sent: Wednesday, October 22, 2008 1:07 PM
>>> To: support at drupal.org
>>> Subject: [support] Drupal on HTTPS
>>>
>>> Hello,
>>>
>>> Is there any harm in serving Drupal over HTTPS instead of HTTP?
>>>
>>> I want the Drupal login to be on HTTPS because I just don't like
>>> sending passwords in plain text. But with Apache it is no more work to
>>> make the entire site run on HTTPS versus just one page. In fact, it
>>> seems easier.
>>> So, I was wondering, is there any good reason not to serve a Drupal
>>> site over HTTPS? It seems a bit odd, but I figure, if I already have
>>> an SSL certificate, I figure, what's the harm?
>>>
>>> Thanks.
>>> Daniel
>>> --
>>> [ Drupal support list | http://lists.drupal.org/ ]
