One thing that you might want to look into assuming you haven't already
bought new hardware is that I think that you can get SSL hardware
accelerator cards rather than a separate box to do it? I don't know much
about it. I just know that I heard something about this where I work. They
were planning on doing this on a Sun box for our LDAP servers. I think that
OpenSSL was supposed to support the cards or something. So, basically,
everything would work the same way as if you weren't using hardware
acceleration, except that some of OpenSSL's processing would be offloaded to
hardware instead. I'm not an expert on this, so, I could be wrong, but, I
figured that I would mention it.

Jon

----- Original Message -----
From: "Mike Roberts" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 06, 2001 7:32 AM
Subject: Apache / mod_jk / Tomcat with Hardware SSL box?


> Hi,
>
> My company currently use Apache / mod_ssl / mod_jk / Tomcat to support SSL
> in our application.
>
> My SysAdmin department would like to switch our SSL handling to a dedicated
> hardware solution (eg
> http://www.intel.com/network/idc/products/accel_7115.htm) to take the SSL
> load off of our Webservers. My concern with this though is that our
> application will no longer be able to discern whether a request was secure
> or not. Has anyone tried this kind of thing?
>
> I guess one option would be for the Hardware SSL box to point to port 443 of
> Apache, but for Apache not to actually pass these requests to mod_ssl
> (Apache's 443 could then be firewalled off from the outside world and
> assumed only used as a target from the hardware SSL box for originally
> secure requests.) As the port is 443 though, would mod_jk still treat it as
> though SSL was enabled? I doubt it, but thought I would ask.
>
> Another alternative would be for our app to look for the port requested,
> rather than whether the request was secure or not. We could get the Hardware
> SSL box to pass originally secure requests to port 443 (or anything other
> than 80 for that matter) as above. In that case though, our App would need
> to know the port number that was attached to on Apache - is this passed
> through by mod_jk?
>
> Details: Apache 1.3.20 / mod_ssl 2.8.4-1.3.20 / Tomcat 3.2 (with mod_jk
> setup to use AJP13) / Solaris 8
>
> Thanks for any help,
>
> Mike
>
> ---
> Mike Roberts
> Developer
> DigitalRum
> mailto:mike.roberts@**spamdeflector**.digitalrum.com
>
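
The port-based check discussed in the quoted question, as an added example that is not code from either poster or from Apache, mod_jk or Tomcat. It assumes the port Apache accepted the connection on reaches the application (the open question in the thread, not confirmed here) and that the SSL box connects to Apache from its own address; the class name, address and port values are hypothetical.

```java
import java.util.Set;

/** Decides whether a request was originally SSL when a hardware box decrypts it before Apache. */
public class OffloadedSslCheck {
    // Hypothetical values: address of the SSL box and the Apache port reserved for its traffic.
    static final Set<String> TRUSTED_OFFLOADERS = Set.of("10.0.0.5");
    static final int OFFLOAD_PORT = 443;

    /**
     * @param containerSecure what HttpServletRequest.isSecure() returned
     * @param serverPort      what HttpServletRequest.getServerPort() returned (assumed to be
     *                        the port Apache accepted the connection on)
     * @param peerAddr        address of the host that connected to Apache (assumed to be
     *                        what HttpServletRequest.getRemoteAddr() returns)
     */
    static boolean wasOriginallySecure(boolean containerSecure, int serverPort, String peerAddr) {
        if (containerSecure) {
            return true; // SSL was terminated by Apache/mod_ssl itself
        }
        // The port number is only a convention. It means "arrived over SSL" only if
        // nothing except the SSL box can reach that port, so check the peer as well
        // as relying on the firewall rule.
        return serverPort == OFFLOAD_PORT && TRUSTED_OFFLOADERS.contains(peerAddr);
    }

    public static void main(String[] args) {
        // Constructed sample requests: {isSecure, serverPort, peerAddr}
        Object[][] samples = {
            {false, 443, "10.0.0.5"},     // decrypted by the SSL box, sent to the reserved port
            {false, 80,  "10.0.0.5"},     // SSL box forwarding a plain HTTP request
            {false, 443, "203.0.113.9"},  // someone else reached the reserved port in clear text
            {true,  443, "203.0.113.9"},  // mod_ssl still handling SSL directly
        };
        for (Object[] s : samples) {
            boolean secure = wasOriginallySecure((Boolean) s[0], (Integer) s[1], (String) s[2]);
            System.out.println(s[1] + " from " + s[2] + " isSecure=" + s[0]
                    + " -> treat as secure: " + secure);
        }
    }
}
```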
