Re: [load balancing] Offloading SSL termination and rewriting HTTP toHTTPS with Apache

From: Tal Klein <Tal.Klein [izzat]>
Date: Wed Jan 23 2008 - 15:08:43 EST

Hi Clarke,

Is the SSL stuff built into your pages or something? I ask because if
you're letting the LB do the SSL termination, apache should expect to
receive everything through HTTP/port 80 but it sounds like the problem
is that the page it's hitting is either looking for a cert or apache is
configured only to listen for that site on port 443. The initial
scenario isn't a function of apache because all it is doing is sending
requests back to a port on an IP, so if there's any SSL or cert-handling
stuff that happens inside of your site beyond the standard SSL handshake
that's probably what's not working. Otherwise, you may want to ensure
that apache is listening on the right port for the right IP/URL.


Tal M. Klein
Technical Marketing & Strategy
Delivery Systems Division
Citrix Systems, Inc.
-----Original Message-----
From: [] On Behalf
Of Clarke Morledge
Sent: Wednesday, January 23, 2008 11:50 AM
Subject: [load balancing] Offloading SSL termination and rewriting HTTP
toHTTPS with Apache
Hi, everyone.
When you offload SSL termination functionality to an external load 
balancer (whether it be a Cisco CSS, Foundry Server Iron, etc.), it
ideally save you in resources on your Apache real servers.
However, if you were normally doing a mix of clear text and SSL on the 
Apache system prior to offloading the SSL, retaining the appropriate 
session context becomes a problem.  You must somehow train Apache to 
distinguish between regular clear text sessions and other clear text 
sessions that have been SSL terminated on the external load balancer (or
SSL accelerator).
Unfortunately, with Apache 2.2.6, I have had no such luck getting this
work correctly.  I have tried sending the formerly SSL terminated
to a different port; i.e. something other than tcp/80, and then somehow 
forcing Apache to rewrite URLs with "http" in them to be "https" for all
sessions coming into that non-standard port.  (When I mean "I", I mean
system admin folks -- I am personally more of a network guy).
This not working consistently, so I am wondering if someone has a recipe
on how to do this with Apache.   I can manage to get some of the URLs 
rewritten from "http" to "https", such as URLs that are in the HTTP 
headers.  But URLs embedded in the web pages mostly get overlooked.
I have tried to get the external load balancer / SSL acceleration to
out, but so far with Cisco and Foundry I have not  managed to  find the 
appropriate solution.  Rewriting URLs in HTTP headers are one thing.
trying to rewrite URLs embedded in the TCP stream isn't really possible 
since it would be such a computationally expensive process.
The workaround I have is to continue with the SSL termination on the
balancer and settle for a lower grade, 40-bit SSL encryption on the 
backend connection to the real servers.  This is slightly better than 
having the real server doing all of the SSL directly with the client,
it sort of defeats the whole purpose of what I was trying to do in the 
first place --- getting rid of SSL computations completely on the real 
Does anyone have any solutions/recipes?
Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
lb-l mailing list
Searchable Archive: Load Balancing Digest
lb-l mailing list
Searchable Archive: Load Balancing Digest
Received on Wed Jan 23 15:13:32 2008

This archive was generated by hypermail 2.1.8 : Wed Jan 23 2008 - 15:13:32 EST