Re: Distributing crypto work away from apache-ssl?
On Mon, Feb 21, 2005 at 06:03:09PM -0500, Ward Vandewege wrote:
> Hi Marcin,
> On Mon, Feb 21, 2005 at 10:19:35PM +0100, Marcin Owsiany wrote:
> > As more and more users access our mail services through TLS/SSL, the CPU
> > load constantly grows. We already have multiple boxes for incoming
> > SMTP/submission, and moving stunnels serving POP3S to other boxes is
> > easy.
> > However I don't know what to do with the webmail, served by apache-ssl.
> > Is it possible to somehow move the crypto work to another host? Does
> Yes. This is how I've done this:
> * main box(es) with Apache, and your webmail application, no ssl
> * proxy ssl-box: set up apache as a reverse proxy, and terminate the SSL
> connections on that box.
> Upsides of this approach:
> a) separation of ssl and apache backend (which is what you want)
> b) great increase in flexibility; you can map URLs on the ssl proxy to
> other URLs on the backend servers; do load balancing, etc.

Hm, this sounds nice, especially the load-balancing bit, since I need to
have a look at this shortly. BTW: do you happen to know whether that
setup forwards all those apache ssl-related environment variables to the
non-ssl apache, so that its CGIs "think" they are running on an

FYI: I have already done some very preliminary tests with stunnel, and
it seems to work...
Marcin Owsiany <firstname.lastname@example.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
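
The setup discussed in this thread, sketched as an added configuration example that is not part of the original messages or anyone's actual config. A plain HTTP proxy hop carries only the request, not the proxy's mod_ssl environment, so TLS details have to be passed as headers and rebuilt on the backend. Assumptions: Apache 2.4 with mod_ssl, mod_proxy_http, mod_headers and mod_setenvif; the hostname, addresses (10.0.0.5 proxy, 10.0.0.10 backend), certificate paths and the `X-SSL-*` header names are placeholders chosen for illustration.

```apache
# --- SSL proxy box: terminates TLS, forwards plain HTTP to the backend ---
<VirtualHost *:443>
    ServerName webmail.example.org            # placeholder hostname

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/webmail.example.org.pem    # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/webmail.example.org.key  # placeholder path

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.10:80/
    ProxyPassReverse / http://10.0.0.10:80/

    # "set" (not "add"/"append") overwrites any value the client sent, so a
    # browser cannot smuggle its own copy of these headers to the backend.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-SSL-Protocol "%{SSL_PROTOCOL}s"
    RequestHeader set X-SSL-Cipher   "%{SSL_CIPHER}s"
</VirtualHost>

# --- Backend webmail box: Apache without SSL ---
<VirtualHost 10.0.0.10:80>
    ServerName webmail.example.org

    # Only the SSL proxy may connect. Without this, anyone who can reach
    # port 80 can forge the headers that the SetEnvIf lines below trust.
    <Location "/">
        Require ip 10.0.0.5
    </Location>

    # Rebuild the variables that CGIs inspect from the proxy-set headers.
    SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on
    SetEnvIf X-SSL-Protocol "^(.+)$" SSL_PROTOCOL=$1
    SetEnvIf X-SSL-Cipher   "^(.+)$" SSL_CIPHER=$1
</VirtualHost>
```

The hop between the two boxes is cleartext, so it belongs on a network segment that only the proxy and backend share.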