
Re: Distributing crypto work away from apache-ssl?



Hi Marcin,

On Mon, Feb 21, 2005 at 10:19:35PM +0100, Marcin Owsiany wrote:
> As more and more users access our mail services through TLS/SSL, the CPU
> load constantly grows. We already have multiple boxes for incoming
> SMTP/submission, and moving stunnels serving POP3S to other boxes is
> easy.
> 
> However I don't know what to do with the webmail, served by apache-ssl.
> Is it possible to somehow move the crypto work to another host? Does

Yes. This is how I've done this:

* main box(es) with Apache, and your webmail application, no ssl
* proxy ssl-box: set up apache as a reverse proxy, and terminate the SSL
  connections on that box. 

Upsides of this approach:
a) separation of ssl and apache backend (which is what you want)
b) great increase in flexibility; you can map URLs on the ssl proxy to
other URLs on the backend servers; do load balancing, etc.

It's real easy to set up as well. Have a look at the ProxyPass and
ProxyPassReverse directives.

Bye for now,
Ward.

-- 
Pong.be         -(     "The Linux philosophy is 'Laugh in the face of      )-
Virtual hosting -(    danger'. Oops. Wrong One. 'Do it yourself'. Yes,     )-
http://pong.be  -(                  that's it." -- Linus                   )-
GnuPG public key: http://gpg.dtype.org
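
The SSL-terminating reverse proxy described in the reply above, as an added configuration example that is not part of the original message. It assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded; the host name, backend address and certificate paths are placeholders.

```apache
# Runs on the proxy ssl-box. All crypto work happens here; the backend
# box serves plain HTTP only.
<VirtualHost *:443>
    ServerName webmail.example.org            # placeholder public name

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/webmail.example.org.pem     # placeholder
    SSLCertificateKeyFile /etc/ssl/private/webmail.example.org.key   # placeholder

    # Reverse proxy only: never relay arbitrary requests as a forward proxy.
    ProxyRequests Off

    # Optional convention (assumes the webmail application honours it):
    # tell the backend the client connection was HTTPS so it can mark
    # session cookies Secure and build https:// links.
    RequestHeader set X-Forwarded-Proto "https"

    # Forward every URL to the backend (placeholder address 10.0.0.10).
    ProxyPass        / http://10.0.0.10:80/
    # Rewrite Location headers in backend redirects so clients are sent
    # back to https://webmail.example.org/ and not to the internal address.
    ProxyPassReverse / http://10.0.0.10:80/
</VirtualHost>

# The proxy-to-backend hop is unencrypted: keep it on a trusted internal
# segment and have the backend accept connections from the proxy only.
```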


