Re: Distributing crypto work away from apache-ssl?
Hi Marcin,
On Mon, Feb 21, 2005 at 10:19:35PM +0100, Marcin Owsiany wrote:
> As more and more users access our mail services through TLS/SSL, the CPU
> load constantly grows. We already have multiple boxes for incoming
> SMTP/submission, and moving stunnels serving POP3S to other boxes is
> easy.
>
> However I don't know what to do with the webmail, served by apache-ssl.
> Is it possible to somehow move the crypto work to another host? Does
Yes. This is how I've done this:
* main box(es) with Apache, and your webmail application, no ssl
* proxy ssl-box: set up apache as a reverse proxy, and terminate the SSL
connections on that box.
Upsides of this approach:
a) separation of ssl and apache backend (which is what you want)
b) great increase in flexibility; you can map URLs on the ssl proxy to
other URLs on the backend servers; do load balancing, etc.
It's real easy to set up as well. Have a look at the ProxyPass and
ProxyPassReverse directives.
Bye for now,
Ward.
--
Pong.be -( "The Linux philosophy is 'Laugh in the face of )-
Virtual hosting -( danger'. Oops. Wrong One. 'Do it yourself'. Yes, )-
http://pong.be -( that's it." -- Linus )-
GnuPG public key: http://gpg.dtype.org
Reply to: