Cookbook: SSL Offloading with Cherokee

It is no secret that HTTPS traffic has an important performance impact when compared to HTTP. This penalty has several causes: handshake overhead, latency due to the increased number of round trips, and increased CPU usage on the server.

This performance loss can be mitigated to a certain extent through several methods. You can use a dedicated hardware SSL layer. You can also ensure that the web server is using HTTP Keep-Alive, which allows the client to reuse SSL sessions and avoids the need for another handshake. Cherokee allows this, but you can also set it up to act as an HTTPS accelerator, which is pretty interesting by itself.

If you are using several servers this can be easily done. The theory is very simple:

  1. Set up a main HTTP Reverse proxy. This one should allow the clients to maintain HTTP Keep-Alive sessions, and will return data through a secured HTTPS channel. It can also use dedicated SSL hardware to speed up the encryption. This proxy will balance the load among a number of back-ends.

  2. Set up your HTTP back-ends, which will be in your local network and thus can transfer data through the regular HTTP protocol.

It seems easy enough. The performance gain is very significant, since the back-ends no longer have to suffer the constant hammering involved with HTTPS overhead, and their contents can be efficiently cached.

The process in detail

Let's assume your back-end servers are running on your local network on,, and so on.

The front-end server would have to balance the load among them. For that, you will first have to add as many Information Sources as back-ends.

Multiple backends

Then you will have to configure the HTTP Reverse proxy. Visit your front-end’s virtual server through the vServers section, select the Behavior tab, and click on Rule Management. You will be able to choose the HTTP Reverse Proxy handler, and set it to balance the load among all your back-ends. In the example, we will allow Keepalive connections, and assign all the information sources for the defined backends.

HTTP Reverse Proxy balancing
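
The setup above leaves the hop from the front-end to each back-end in plain HTTP, so it relies on every Information Source really being on the local network. As an added example (not part of the original cookbook or of Cherokee's own tooling), this Python check reads a `cherokee.conf`-style fragment and reports any source balanced by a proxy rule that lies outside the RFC 1918 or loopback ranges. The sample configuration is constructed, its key names are assumed from Cherokee's `key!path = value` layout, and its addresses are placeholders.

```python
import ipaddress
import re

# Constructed sample, not from the page. Key names are assumed from Cherokee's
# configuration layout; the addresses are placeholders.
SAMPLE_CONF = """
source!1!nick = backend-a
source!1!host = 10.0.0.11:80
source!2!nick = backend-b
source!2!host = 192.168.1.12:80
source!3!nick = backend-c
source!3!host = 203.0.113.7:80
vserver!10!rule!100!handler = proxy
vserver!10!rule!100!handler!balancer = round_robin
vserver!10!rule!100!handler!balancer!source!1 = 1
vserver!10!rule!100!handler!balancer!source!2 = 2
vserver!10!rule!100!handler!balancer!source!3 = 3
"""

LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SOURCE_REF = re.compile(r"^(vserver!\d+!rule!\d+)!handler!balancer!source!\d+$")

def parse_conf(text):
    # 'key = value' lines to a dict; blank and '#' lines are skipped
    pairs = (l.partition("=") for l in text.splitlines() if not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def audit_plaintext_hops(text):
    """Return (rule, nick, host, verdict) for each source a proxy rule balances over."""
    conf = parse_conf(text)
    findings = []
    for key, src_id in sorted(conf.items()):
        m = SOURCE_REF.match(key)
        if not m or conf.get(m.group(1) + "!handler") != "proxy":
            continue  # not a balancer source of a reverse-proxy rule
        host = conf.get(f"source!{src_id}!host", "")
        nick = conf.get(f"source!{src_id}!nick", src_id)
        try:
            ip = ipaddress.ip_address(host.rsplit(":", 1)[0])
            verdict = "local" if any(ip in n for n in LOCAL_NETS) else "NOT-LOCAL"
        except ValueError:
            verdict = "UNRESOLVED-NAME"  # hostname: resolve and check it by hand
        findings.append((m.group(1), nick, host, verdict))
    return findings

if __name__ == "__main__":
    print(*audit_plaintext_hops(SAMPLE_CONF), sep="\n")
```

A `NOT-LOCAL` row means requests that arrived over HTTPS would be forwarded unencrypted beyond the local network, so that source should be moved or reached over an encrypted link.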