A few months ago there was a discussion of whether to put mod_ssl into a
front-end or a back-end server. I've summarized it for a new Guide item.
Before I put it there, please see whether I didn't miss something. Thanks!

=head1 mod_perl and mod_ssl

If you need SSL functionality, you can get it by adding mod_ssl (or the
equivalent Apache-SSL) to either the light front-end server (httpd_docs) or
the heavy back-end mod_perl server (httpd_perl). (The configuration
and installation instructions are located
L<here|install/mod_perl_and_mod_ssl_openssl_>.)

The question is whether it's a good idea to add mod_ssl to the
back-end mod_perl enabled server.  If your internal network is
secured, or if both the front-end and back-end servers run on the
same machine and you can ensure safe communication between the
processes, there is no need for encrypted traffic between them.

If this is your situation, you don't have to put mod_ssl into the
already heavy mod_perl server. The external traffic is encrypted by the
front-end server, which then proxy-passes the unencrypted request and
response data internally.

Giving the front-end server the SSL functionality also simplifies the
mod_perl configuration by eliminating the VirtualHost duplication that
SSL requires. mod_perl configuration files can be difficult enough
without the mod_ssl overhead.

Also, assuming that your front-end machines are under-worked anyway
(especially if you run a high-volume web service with a cluster of
machines serving requests), you save some CPU, since SSL connections
are known to be about 100 times more CPU intensive than non-SSL
connections.

Of course, caching session keys, so that you don't have to set up a new
symmetric key for every single connection, improves the situation.  If
you use the shared memory session caching mechanism that mod_ssl
supports, then the overhead is actually rather small except for the
initial connection.
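The following configuration sketch is an added example, not part of the Guide draft above: it shows the arrangement the previous paragraphs describe, with mod_ssl and the shared-memory session cache on the front-end (httpd_docs) and the back-end mod_perl server (httpd_perl) listening in plain HTTP on the loopback interface only, so the unencrypted hop never leaves the machine. It uses Apache 2.x directive syntax (C<shmcb>, mod_proxy, mod_headers); the hostname, ports, and file paths are assumptions.

```apache
# ---- Front-end (httpd_docs): terminates SSL, proxies to the back-end ----
# Hostname, ports and paths below are placeholders for this example.
Listen 443

# Shared-memory session cache: repeat connections from the same client
# reuse the negotiated keys instead of paying for a full handshake.
SSLSessionCache        shmcb:/usr/local/apache/logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

    # The proxied hop is plain HTTP, so the back-end cannot see that the
    # client connection was encrypted; pass that fact along explicitly.
    RequestHeader set X-Forwarded-Proto "https"

    # Only the mod_perl URI space goes to the heavy server; static files
    # are served directly by this light front-end.
    ProxyPass        /perl/ http://127.0.0.1:8080/perl/
    ProxyPassReverse /perl/ http://127.0.0.1:8080/perl/
</VirtualHost>

# ---- Back-end (httpd_perl): no mod_ssl at all ----
# Binding to the loopback address keeps the unencrypted traffic on this
# host and guarantees that only the front-end can reach the back-end.
Listen 127.0.0.1:8080
```

Because the back-end accepts connections only from the loopback interface, the C<X-Forwarded-Proto> header can be trusted by the mod_perl application as having been set by the front-end rather than by an outside client. If the two servers live on different machines, the C<Listen> line must bind to the internal interface instead, and the trust in the internal network stated above becomes a real precondition rather than a formality. A tunnel such as Stunnel would take the front-end's place in exactly the same shape: accept on port 443, forward to the plain-HTTP port on the loopback address.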

But then, on the other hand, why even bother to run a full-scale
mod_ssl in front? You might as well just choose a small tunnel/port
forwarding application like Stunnel, or one of the many others mentioned
at http://www.openssl.org/related/apps.html.

Of course, if you do heavy SSL processing you should really be
offloading it to dedicated cryptography hardware.

______________________________________________________________________
Stas Bekman             | JAm_pH    --    Just Another mod_perl Hacker
http://stason.org/      | mod_perl Guide http://perl.apache.org/guide/ 
mailto:[EMAIL PROTECTED]  | http://perl.org    http://stason.org/TULARC/
http://singlesheaven.com| http://perlmonth.com http://sourcegarden.org
----------------------------------------------------------------------