Currently we have a configuration that at the highest level looks like this:
[Traffic] -> Varnish (caching) -> HaProxy (load balancing) -> Apache (content and services)
There are (obviously?) multiple Apache servers and in general they provide two types of services ... one set of servers provides the more traditional types of web content (navigable pages for the most part) and the other set are service end points (and they in turn connect to a database and other backend functionality).
Service requests are filtered out early on in Varnish (specific domains, etc are identified in VCL and are passed directly to HAProxy -- there is no need to cache any of these calls).
"Content" requests do get cached by Varnish.
Need to add SSL support. Initially as a result of the need to add secure service requests (and responses) although I would expect eventually I will need to also have HTTPS calls into the content server(s) as well.
At present I have been playing around with stunnel and while it works, the model I'm using effectively just uses stunnel to decrypt incoming requests and then passes them through HAProxy as normal *:80 traffic (so not using mod_ssl, etc., in Apache). So effectively things now look like:
[Traffic] -> Varnish (caching) -> HaProxy (load balancing) -> Apache (content and services)
    \-----------> STunnel -----------------------------^
So it works, but my gut's telling me this isn't really a long term solution. One possibility is just separating the traffic entirely:
[Traffic] -> Varnish (caching) -> HaProxy (load balancing) -> Apache (content and services)
[Traffic] -> Pound (or something else?) ------------------------> Apache (SSL content & services)
The Apache servers would likely be shared (SSL traffic would just be handled differently) but the systems which route traffic to the content/service servers would be different ...
Rummaging around turns up a number of opinions / options (including nginx, etc.) but the first order question is whether the architecture as a whole makes sense (diverting incoming traffic to separate subsystems) or whether there is a more unified model that I should be looking at (and likely simpler). If the architecture makes sense then the follow-up is what to use for the SSL support aspect of this beastie ...
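An added example, not from the original post, of how the stunnel-in-front-of-HAProxy variant described above can keep the two facts that are lost once everything arrives as plain *:80 traffic: the real client IP and the fact that the request was HTTPS. It assumes HAProxy 1.5 or later and a stunnel build that supports `protocol = proxy`; the certificate path, service domain and backend addresses are placeholders.

```conf
; --- /etc/stunnel/stunnel.conf (assumed path) ---
; Terminate TLS for the service domains and hand the decrypted stream to a
; dedicated HAProxy listener rather than the ordinary *:80 one, so HAProxy
; can tell HTTPS-origin traffic from plain HTTP. "protocol = proxy" makes
; stunnel prepend a PROXY protocol header with the original client address;
; without it every HTTPS request reaches HAProxy and Apache as 127.0.0.1.
cert = /etc/stunnel/services.pem
options = NO_SSLv2
options = NO_SSLv3

[https-services]
accept  = 443
connect = 127.0.0.1:8443
protocol = proxy

# --- /etc/haproxy/haproxy.cfg (relevant pieces only) ---
frontend http_in
    bind *:80
    mode http
    acl is_service hdr(host) -i svc.example.com   # placeholder service domain
    use_backend services if is_service
    default_backend content

frontend https_in
    # Only the local stunnel connects here; accept-proxy consumes the PROXY
    # header so the client IP appears in logs and in X-Forwarded-For.
    bind 127.0.0.1:8443 accept-proxy
    mode http
    # Lets Apache (and the services behind it) distinguish secure requests,
    # e.g. to set Secure cookies or refuse sensitive calls over plain HTTP.
    http-request set-header X-Forwarded-Proto https
    acl is_service hdr(host) -i svc.example.com
    use_backend services if is_service
    default_backend content

backend services
    mode http
    option forwardfor
    server svc1 10.0.0.11:80 check   # placeholder addresses
    server svc2 10.0.0.12:80 check

backend content
    mode http
    option forwardfor
    server web1 10.0.0.21:80 check
```

Because the 8443 listener is bound to loopback, nothing but stunnel can inject a PROXY header or a trusted X-Forwarded-Proto value; the *:80 frontend should likewise strip any client-supplied X-Forwarded-Proto if the backends act on it.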