On Wednesday, 1 February 2017 17:05:58 UTC+2, Nelson, Erik - 2 wrote:
> What’s the difference between ideas 1 and 2? It seems (on the OpenResty side) you’re using the OpenResty network libraries either way. Am I missing something?
The main difference that I was thinking about is that you can have:
1) a front-end web server where you don't do blocking calls
2) offload blocking calls to another server (possibly also OpenResty) where you do the blocking NIO.
This way you can ensure that the front-end server(s) is/are never actually using blocking I/O. Here you of course need to build your own endpoints / API to communicate with these servers (or just proxy to it). And if something starts to act as a bottleneck, you can move it to a different machine or add more machines.
The difference is that on this other server you are using that 3rd party library as is, aka doing blocking calls, and that server may not handle as much concurrent traffic easily. But at least it doesn't halt the front-end server. Of course this is not as good as solution 1), because it doesn't really solve the issue of blocking calls. It is a compromise, and I agree, not a particularly good one. If the HSM module is only used for something like logging in, it is still possible to (D)DOS login, but all the rest still works quite well (as the front-end is serving them and nothing blocks the front-end). If you put this HSM access that blocks in the front end, you can (D)DOS the whole front-end (but as said, you can possibly also traffic-limit the HSM-accessing endpoints).
It is hard to know how much work it is to code that blocking client with OpenResty's non-blocking NIO. If it is not straightforward and easy, then it is about weighing whether it is worth doing, how much time it takes to build, how much it costs, and other possible business or other reasons.
This may or may not be related to this:
https://github.com/openresty/lua-nginx-module/pull/450
I wish that many C libraries would take this into account, and decouple I/O access as much as possible from the other stuff the library may be doing (encodings, serialization, cryptography, etc.).
Regards
Aapo
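
One way to lay out the split described in this message, added here as an example and not part of the original post: a front-end nginx/OpenResty configuration that proxies only the HSM-backed endpoint to a separate server and rate-limits it. The `/login` path, the `hsm_backend` and `hsm_login` names, the address `10.0.0.21:8081` and all limits and timeouts are assumptions chosen for illustration.

```nginx
# Front-end instance: it never calls the blocking HSM library itself.
# Assumed for illustration: /login path, hsm_backend upstream, 10.0.0.21:8081.
worker_processes auto;
events { worker_connections 1024; }

http {
    # Per-client budget for HSM-backed requests, keyed by client address.
    limit_req_zone $binary_remote_addr zone=hsm_login:10m rate=5r/s;

    upstream hsm_backend {
        # Shared zone so max_conns is counted across all worker processes.
        zone hsm_backend 64k;
        # Separate server that links the blocking third-party library.
        # max_conns bounds how many requests wait on blocking calls at once.
        server 10.0.0.21:8081 max_conns=16;
        keepalive 8;
    }

    server {
        listen 8080;

        # Only this location depends on the HSM. It is proxied, so the
        # front-end workers stay non-blocking while the backend waits.
        location = /login {
            limit_req zone=hsm_login burst=10 nodelay;
            limit_req_status 429;

            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_connect_timeout 1s;
            proxy_read_timeout 5s;   # fail fast when the backend is saturated
            proxy_pass http://hsm_backend;
        }

        # Everything else is served locally and keeps working
        # even when the HSM-backed endpoint is overloaded.
        location / {
            root html;
        }
    }
}
```

With this layout a flood against `/login` is capped by `limit_req` and `max_conns` and surfaces as 429 or 502 responses on that one endpoint, while the other locations are unaffected.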