Forum Discussion

trx's avatar
trx
Jun 20, 2011

ssl (https) compression

I can't seem to post a forum to the "performance testings" as I've already joined the group, so I thought I post it on here.

 

 

Does anyone know if ssl compression can be done on the f5? I don't seen any options in the services profiles to do this.

 

I only http compression available.

 

 

 

Regards,

 

TRX

 

application delivery
dev
devops
iRules

14 Replies

Sort By
  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    Jun 20, 2011
    When you say "SSL compression" do you mean compressing HTTP contents that are SSL encrypted? If so, then yes you can do that, provided you terminate the SSL on the BIG-IP.

     

     

    Colin
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jun 20, 2011
    I hadn't heard about SSL compression before, but this Chrome dev's blog has some info:

     

     

    http://www.belshe.com/2010/11/18/ssl-compression-and-you/

     

     

    Here's an RFC for it as well:

     

    http://tools.ietf.org/html/rfc3943

     

     

    It looks like Chrome is the only browser that supports compression of SSL. I'm not sure there is much benefit to it though.

     

     

    I don't think LTM supports SSL compression. If you see a good use case for it, you could open a case with F5 Support to request it be considered for addition to the product.

     

     

    Aaron
  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    Jun 20, 2011
    By the sounds of that post, though, HTTP level compression would be preferred. Wouldn't it be better just to enable compression on the LTM rather than attempting to implement SSL compression?

     

     

    I suppose there are always corner cases, but I'm curious what the reasoning for using this particular form of compression is. :)

     

     

    Colin
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jun 20, 2011
    If you're decrypting the SSL you could use HTTP compression for this as Colin suggested.

     

     

    Aaron
  • trx's avatar
    trx
    Jun 20, 2011
    So are you saying if I enable http compression on the f5 using services profile, that would work for http and https? If yes, how would I confirm that is working?

     

     

    Regards,

     

    TRX
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jun 20, 2011
    Yes. You can check the response Content-Encoding header value for gzip or deflate:

     

     

    http://en.wikipedia.org/wiki/HTTP_compression

     

     

    Aaron
  • trx's avatar
    trx
    Jun 20, 2011
    Yes I'm aware of that in the response header already. Do you know of any other way?

     

     

    Regards,

     

    TRX
  • trx's avatar
    trx
    Jun 20, 2011
    I'm NOT sure how the http compression on the f5 would come into play if the traffic is on ssl the entire time. Would I just apply same profile on the SSL Virtual Server?

     

    Sounds too simple. :)

     

     

    Regards,

     

    TRX
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jun 20, 2011
    No, you'd need to decrypt the SSL on LTM if you want LTM to do HTTP compression. If that's not an option, then you could do it on the servers. If that's not feasible, then don't do compression at all.

     

     

    Considering the support for SSL compression is limited to Chrome, I wouldn't bother considering it (even if it did perform well which it doesn't seem to).

     

     

    Aaron
  • trx's avatar
    trx
    Jun 21, 2011
    When you say "decrypt on the LTM", do you mean using IRules or the profile configuration of the HTTPS VS or HTTP VS?

    Just want to clarify.

     

     

     

    Thanks.

     

     

     

    Regards,

     

    TRX