I'm looking for some suggestions on using multiple SSL-Offload modules (CSS5-SSL-C-K9) for ssl-termination and compression.
We ran into some isolated application problems with compression when it was globally enabled on a single ssl-termination service. As a work-around, we're selectively enabling compression on the cleartext content rules for those sites that support compression, however that seems like it maybe inefficient because the data back to the client will hit the ssl-module twice, once for compression (on the cleartext rules) and then again for encryption (on the ssl rule.)
I'm thinking that using two SSL-offload modules is a better solution. Both modules will use the same ssl-proxy-list, but one module's service will have compression enabled and the other will not. The decision then to enable compression, will be based upon which ssl service is added to the ssl content rule. In that design, compression will happen along with encryption for the compression-enabled service, and seems to be more efficient.
Has anyone done a design like that?
If not, has anyone run into any scalability or performance issues with selectively enabling compression on the cleartext rules?