ssl_modperl

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



Subject: Proxy setup w/ SSL
From: Drew Taylor <dtaylor@vialogix.com>
Date: Tue, 08 Aug 2000 11:49:16 -0400

Everyone,

I have successfully setup the proxy system outlined in the guide, and it
seems to be working well. In my instance, the front-end httpd has
mod_proxy & mod_rewrite, while the backend is only mod_perl. I also have
a separate instance of stronghold/mod_perl for SSL connections.

What I would like is to add SSL to the frontend servers and ditch
stronghold all together. I'm interested in suggestions for how to do
this. Should I try mod_ssl, raven, etc? I am trying to have only 2
servers running instead of three. Does anyone have experience in this
area? 

===
Subject: Re: Proxy setup w/ SSL
From: Stas Bekman <stas@stason.org>
Date: Tue, 8 Aug 2000 18:02:17 +0200 (CEST)

On Tue, 8 Aug 2000, Drew Taylor wrote:

> Everyone,
> 
> I have successfully setup the proxy system outlined in the guide, and it
> seems to be working well. In my instance, the front-end httpd has
> mod_proxy & mod_rewrite, while the backend is only mod_perl. I also have
> a separate instance of stronghold/mod_perl for SSL connections.
> 
> What I would like is to add SSL to the frontend servers and ditch
> stronghold all together. I'm interested in suggestions for how to do
> this. Should I try mod_ssl, raven, etc? I am trying to have only 2
> servers running instead of three. Does anyone have experience in this
> area? 

Hmm, how about:
http://perl.apache.org/guide/install.html#Installation_Scenarios_for_mod_p
See also
http://perl.apache.org/guide/scenario.html#HTTP_Authentication_With_Two_Ser
===

Subject: Re: Proxy setup w/ SSL
From: Matt Sergeant <matt@sergeant.org>
Date: Tue, 8 Aug 2000 17:08:36 +0100 (BST)

On Tue, 8 Aug 2000, Nigel Hamilton wrote:

> Hi,
>      Also, does anyone know a way to speed up SSL somehow?

Keep-alives. To be able to do that you need to store your output and make
sure that your solution sends the appropriate headers that don't kill
keep-alive. These include Content-Length (which is why you need to store
your output before sending it) and some others which I forget, anyone?

===
Subject: Re: Proxy setup w/ SSL
From: siberian <siberian@siberian.org>
Date: Tue, 8 Aug 2000 09:15:27 -0700 (PDT)

I use SSL hardware acceleration cards and they work like a champ. I think
Rainbow builds these for a reasonable price ( ours came with the F5
hardware ).

Before that we just ran a 'Lite' Stronghold on the front end and proxy'd
back all connections to our dynamic content servers. It held up really
well and was a really easy config to manage and setup.

However, now the F5 handles all SSL traffic and balances back to a server
farm. Each box has two instances of apache running, one mod perl and one
light ( on  diff ports ). The  load balancer checks the URI content and
switches between the ports as needed. 

Careful with Keepalives, they'll kill you if you're using some load
balancing solutions. In the F5 world KeepAlives destroy rules based load
balancing, it gets ugly. Your Mileage May Vary.

===

Subject: Re: Proxy setup w/ SSL
From: Adi <adi@certsite.com>
Date: Tue, 08 Aug 2000 12:34:55 -0400

Nigel Hamilton wrote:
> 
> Hi,
>      Also, does anyone know a way to speed up SSL somehow?

There are hardware SSL accelerators that you can buy (quite expensive) which
offload the CPU-intensive encryption algorithms, freeing up your CPU to do
other things.

Personally, I think a better approach is to use a load-balanced set of
proxy/SSL servers, as Stas describes in the guide.  Commodity PC hardware
running Linux has a much better performance/price ratio than expensive,
single-purpose SSL accelerators.

===

Subject: Re: Proxy setup w/ SSL
From: Stas Bekman <stas@stason.org>
Date: Tue, 8 Aug 2000 18:37:35 +0200 (CEST)

On Tue, 8 Aug 2000, Matt Sergeant wrote:

> On Tue, 8 Aug 2000, Nigel Hamilton wrote:
> 
> > Hi,
> >      Also, does anyone know a way to speed up SSL somehow?
> 
> Keep-alives. To be able to do that you need to store your output and make
> sure that your solution sends the appropriate headers that don't kill
> keep-alive. These include Content-Length (which is why you need to store
> your output before sending it) and some others which I forget, anyone?

According to http://perl.apache.org/guide/correct_headers.html
originally written by Andreas, Content-Length is all you need. Of course
you have to enable KeepAlive in the server and the client should support
it as well.

===

Subject: Re: Proxy setup w/ SSL
From: Stas Bekman <stas@stason.org>
Date: Tue, 8 Aug 2000 19:00:27 +0200 (CEST)

On Tue, 8 Aug 2000, Nigel Hamilton wrote:

Nigel, I hope you don't mind that I bounce it back to the list, since
that's how it should be.

> 	What is the rationale behind the content length speed improvement?
> 	Can SSL more efficiently/quickly send the page if it knows the
> content length in advance?

The improvement is in taking advantage of the KeepAlive feature, which
enables sending more than one object over the same connection. So you
save the handshake to initiate a connection for each requested object,
which is especially expensive with SSL if you don't use caching of SSL
keys.

KeepAlive works only if the server sends a Content-Length header, since it
has to know when the object has been sent, and when it should time out in
order to close the connection if there are no more incoming requests from
the same page.

Notice that it makes the user experience somewhat slower, since instead of
initiating many connections and downloading all the objects (e.g. images)
in parallel, the objects are downloaded sequentially.

Make sure you set the KeepAliveTimeout to the value as small as possible,
since the server is in idle state while waiting for the time out.

For the reasons explained above you don't want to use KeepAlive under
mod_perl in most cases.
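To make the Content-Length point above concrete, here is a small added example (not code from the thread or from mod_perl) that frames HTTP/1.0 keep-alive responses the way a client would have to: it buffers the body before emitting headers so a Content-Length can be sent, and it splits a byte stream holding several responses on the declared lengths. The sample responses are constructed inline. Without a Content-Length the only framing left is "read until the server closes", so the second response is swallowed into the first body and the connection cannot be reused.

```python
"""Keep-alive response framing: why Content-Length must be known up front."""


def build_response(body: bytes, keep_alive: bool = True) -> bytes:
    """Serialise one HTTP/1.0 response. The body is buffered in full first,
    which is the only way to know its length before the headers go out."""
    headers = [
        b"HTTP/1.0 200 OK",
        b"Content-Type: text/html",
        b"Content-Length: %d" % len(body),
    ]
    if keep_alive:
        headers.append(b"Connection: Keep-Alive")
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def split_responses(stream: bytes):
    """Split a stream of responses received on one connection.

    Returns (responses, reusable): a list of (status_line, headers, body)
    and whether the connection could carry another request afterwards.
    """
    responses = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("incomplete response headers")
        status_line, *header_lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4

        length = headers.get("content-length")
        if length is None or not length.isdigit():
            # No usable framing: the body runs until the server closes the
            # socket, so everything that follows belongs to this response and
            # the connection can never be reused, whatever Connection: says.
            responses.append((status_line, headers, stream[body_start:]))
            return responses, False

        body = stream[body_start:body_start + int(length)]
        if len(body) < int(length):
            raise ValueError("truncated body")
        responses.append((status_line, headers, body))
        pos = body_start + int(length)

        if headers.get("connection", "").lower() != "keep-alive":
            return responses, False
    return responses, True


# Constructed sample: two well-framed keep-alive responses on one connection.
SAMPLE_STREAM = build_response(b"<html>hello</html>") + build_response(b"GIF89a-bytes")

# Constructed sample: first response omits Content-Length, second follows it.
SAMPLE_NO_LENGTH = (
    b"HTTP/1.0 200 OK\r\nConnection: Keep-Alive\r\n\r\n<html>hello</html>"
    + build_response(b"second")
)

if __name__ == "__main__":
    print(split_responses(SAMPLE_STREAM))
    print(split_responses(SAMPLE_NO_LENGTH))
```

Run it and the second case shows the client cannot tell where the first body ends: the bytes of the second response appear inside it, and `reusable` comes back False.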

===

Subject: Re: Proxy setup w/ SSL
From: Mads Toftum <mads@toftum.dk>
Date: Tue, 8 Aug 2000 20:33:14 +0200

On Tue, Aug 08, 2000 at 05:08:36PM +0100, Matt Sergeant wrote:
> 
> Keep-alives. To be able to do that you need to store your output and make
> sure that your solution sends the appropriate headers that don't kill
> keep-alive. These include Content-Length (which is why you need to store
> your output before sending it) and some others which I forget, anyone?
> 
Unfortunately keep-alive doesn't work too well with SSL and MSIE :(
SSL Session caching is the way to go instead - an SSL cache hit (ie. no
RSA operations) is probably about a hundred times faster than having to set
up the session from scratch. 

===

Subject: Re: Proxy setup w/ SSL
From: Mads Toftum <mads@toftum.dk>
Date: Tue, 8 Aug 2000 21:05:31 +0200

On Tue, Aug 08, 2000 at 04:07:58PM +0000, Nigel Hamilton wrote:
>      Also, does anyone know a way to speed up SSL somehow?

Well worth a read is http://www.awe.com/mark/apcon2000/ which
covers most of the performance related issues.
Also note that the openssl project is currently adding hardware
accelerator support which might end up giving us some cheaper
hw options in the future.

===
Subject: Re: Proxy setup w/ SSL (fwd)
From: Tom Brown <tbrown@baremetal.com>
Date: Tue, 8 Aug 2000 12:28:48 -0700 (PDT)

Stas wanted me to send this to the list, so I'll do that...

   Date: Tue, 8 Aug 2000 11:43:49 -0700 (PDT)
   From: Tom Brown <tbrown@baremetal.com>
   To: Stas Bekman <stas@stason.org>
   Subject: Re: Proxy setup w/ SSL

   > > > initiating many connections and downloading all the objects (e.g. images)
   > > > in parallel, the objects are downloaded sequentially.
   > > 
   > > No. AFAIK It still opens up multiple/parallel connections... it just
   > > doesn't go through the handshake stuff repeatedly...
   > 
   > Really? That's what I was always told. Any pointers to read about
   > this. Thanks!

   Sorry, no... although it should be easy enough to test, even mod_status
   should provide enough information...

   Part of my logic is that the browser doesn't even know if the connection
   is going to be keep alive until it gets the first response... so if you
   load a page from domain.com, and it contains 20 images from
   images.domain.com there would have to be a "test load" of the first image
   before deciding whether to open up multiple connections ... strikes me as
   simpler to just proceed as normal and use the pipelining on all
   connections if it is available...  

   (maybe things are different for SSL than normal connections, but again, I
   can't see why they would be...)

I've also done a little testing, and it looks like mod_status is
showing 4 keepalive connections on my old (1.2.6 redhat secure) SSL
server to my netscape 4.72 browser ... 

Srv PID   Acc      M CPU  SS Conn Child Slot Host           VHost                Request
0   13413 4/4/4    K 0.08 4  0.9  0.00  0.00 216.86.106.124 secure.baremetal.com GET /icons/burst.gif HTTP/1.0
2   8451  11/14/14 K 0.23 4  3.0  0.01  0.01 216.86.106.124 secure.baremetal.com GET /icons/forward.gif HTTP/1.0
3   8450  7/11/11  K 0.35 4  1.6  0.01  0.01 216.86.106.124 secure.baremetal.com GET /icons/sound.gif HTTP/1.0
4   8449  6/10/10  W 0.31 0  5.0  0.01  0.01 216.86.106.124 secure.baremetal.com GET /server-status HTTP/1.0

I'm not sure why only 28 files are shown in the "this connection"
column, there were 29 icons, an html file, and the status page...

  ------------------------------------------------------------------------
  Srv   Server number
  PID   OS process ID
  Acc   Number of accesses this connection / this child / this slot
  M     Mode of operation
  CPU   CPU usage, number of seconds
  SS    Seconds since beginning of most recent request
  Conn  Kilobytes transferred this connection
  Child Megabytes transferred this child
  Slot  Total megabytes transferred this slot
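An added example (not from the thread) that reads the mod_status scoreboard rows above programmatically, so the same check can be run over a live /server-status page: it counts worker modes per client host, flags clients holding more than one keep-alive (mode K) worker at the same time, and sums the "this connection" access counts. The rows are the ones posted above with the fused columns re-separated; the parser assumes the twelve-column layout shown there, with the request as the last field.

```python
"""Parse mod_status scoreboard rows and count keep-alive workers per client."""
from collections import Counter, defaultdict

# Scoreboard rows from the thread above, columns re-separated; the parser
# skips the header line itself.
MOD_STATUS_SAMPLE = """\
Srv PID   Acc      M CPU  SS Conn Child Slot Host           VHost                Request
0   13413 4/4/4    K 0.08 4  0.9  0.00  0.00 216.86.106.124 secure.baremetal.com GET /icons/burst.gif HTTP/1.0
2   8451  11/14/14 K 0.23 4  3.0  0.01  0.01 216.86.106.124 secure.baremetal.com GET /icons/forward.gif HTTP/1.0
3   8450  7/11/11  K 0.35 4  1.6  0.01  0.01 216.86.106.124 secure.baremetal.com GET /icons/sound.gif HTTP/1.0
4   8449  6/10/10  W 0.31 0  5.0  0.01  0.01 216.86.106.124 secure.baremetal.com GET /server-status HTTP/1.0
"""

# Column order assumed from the legend in the thread (Srv ... Slot Host VHost Request).
FIELDS = ("srv", "pid", "acc", "mode", "cpu", "ss", "conn", "child", "slot",
          "host", "vhost", "request")


def parse_scoreboard(text: str):
    """Return one dict per worker row; header, blank and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, len(FIELDS) - 1)   # request keeps its spaces
        if len(parts) != len(FIELDS) or not parts[0].isdigit():
            continue
        row = dict(zip(FIELDS, parts))
        # Acc is "this connection / this child / this slot"
        row["acc"] = tuple(int(x) for x in row["acc"].split("/"))
        rows.append(row)
    return rows


def modes_per_client(rows):
    """Map client host -> Counter of worker modes (K = keep-alive, W = writing reply)."""
    out = defaultdict(Counter)
    for r in rows:
        out[r["host"]][r["mode"]] += 1
    return {host: dict(c) for host, c in out.items()}


def parallel_keepalives(rows):
    """Clients that hold more than one keep-alive worker at once, with the count."""
    return {host: c.get("K", 0) for host, c in modes_per_client(rows).items()
            if c.get("K", 0) > 1}


def accesses_this_connection(rows):
    """Sum of the first Acc field over all workers."""
    return sum(r["acc"][0] for r in rows)


if __name__ == "__main__":
    rows = parse_scoreboard(MOD_STATUS_SAMPLE)
    print(parallel_keepalives(rows))
    print(accesses_this_connection(rows))
```

On the rows above this reports three keep-alive workers serving the one client in parallel, which is the observation the message makes, and the "this connection" accesses sum to 28 (4 + 11 + 7 + 6), the figure the message was puzzling over.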

===

Subject: Re: Proxy setup w/ SSL
From: Vivek Khera <khera@kciLink.com>
Date: Tue, 8 Aug 2000 17:10:38 -0400 (EDT)

>>>>> "DT" == Drew Taylor <dtaylor@vialogix.com> writes:

DT> What I would like is to add SSL to the frontend servers and ditch
DT> stronghold all together. I'm interested in suggestions for how to do

Why not just add mod_proxy and mod_rewrite to stronghold, and remove
mod_perl from it.  Then it is your front end.  Since you've already
paid for it, it seems the way to go.  Using mod_ssl may pose legal
issues until the RSA patents expire next month.

===

Subject: Re: Proxy setup w/ SSL
From: Ask Bjoern Hansen <ask@valueclick.com>
Date: Tue, 8 Aug 2000 20:44:18 -0700 (PDT)

On Tue, 8 Aug 2000, siberian wrote:

[...] 
> Careful with Keepalives, they'll kill you if you're using some load
> balancing solutions. In the F5 world KeepAlives destroy rules based load
> balancing, it gets ugly. Your Mileage May Vary.

uh, say what. Another performance killer of SSL would be to not make
sure the client gets to the same server on every request (as the
server is caching some ssl information (which gets done in the F5
box in your setup)).


 - ask
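The point about sending a client back to the same server, together with the earlier remark that an SSL session-cache hit skips the RSA work, is easy to see in a small model. The following is an added example, not code from the thread or from any balancer product: each back end keeps its own session cache, a client reconnects a number of times, and the two balancer policies are compared by counting full handshakes. The balancers, session-id format and cache contents are all constructed for the illustration. It applies to the case where several front-end servers each terminate SSL (the load-balanced proxy/SSL set suggested earlier in the thread); in the F5 setup described above the device terminates SSL itself, so there is only one cache.

```python
"""Session-cache hit rate under round-robin versus session-id persistence."""
import itertools


class Backend:
    """A front-end SSL server with its own, unshared session cache."""

    def __init__(self, name):
        self.name = name
        self.session_cache = {}     # session id -> (placeholder for) master secret
        self.full_handshakes = 0    # the expensive RSA path
        self.resumptions = 0        # cache hit, no RSA
        self._issued = 0

    def handshake(self, session_id):
        """Resume if the offered id is in this server's cache, else do a full handshake."""
        if session_id in self.session_cache:
            self.resumptions += 1
            return session_id
        self.full_handshakes += 1
        self._issued += 1
        new_id = f"{self.name}-{self._issued}"        # constructed id format
        self.session_cache[new_id] = "master-secret"  # placeholder value
        return new_id


class RoundRobinBalancer:
    """Ignores the session id entirely."""

    def __init__(self, backends):
        self._cycle = itertools.cycle(backends)

    def choose(self, session_id):
        return next(self._cycle)

    def observe(self, session_id, backend):
        pass


class SessionIdBalancer:
    """Remembers which back end issued each session id and routes on it;
    unknown or absent ids fall back to round-robin."""

    def __init__(self, backends):
        self._cycle = itertools.cycle(backends)
        self._owner = {}

    def choose(self, session_id):
        return self._owner.get(session_id) or next(self._cycle)

    def observe(self, session_id, backend):
        self._owner[session_id] = backend


def make_farm(n):
    return [Backend(f"srv{i}") for i in range(n)]


def simulate(balancer, backends, connections):
    """One client reconnecting `connections` times; returns total full handshakes."""
    session_id = None
    for _ in range(connections):
        backend = balancer.choose(session_id)
        session_id = backend.handshake(session_id)
        balancer.observe(session_id, backend)
    return sum(b.full_handshakes for b in backends)


if __name__ == "__main__":
    farm = make_farm(3)
    print("round-robin:", simulate(RoundRobinBalancer(farm), farm, 9))
    farm = make_farm(3)
    print("session-id:", simulate(SessionIdBalancer(farm), farm, 9))
```

With three back ends and nine reconnects, round-robin produces nine full handshakes, because each miss issues a fresh id that the next server has never seen; session-id persistence produces one full handshake and eight resumptions.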

===

Subject: Re: Proxy setup w/ SSL
From: Drew Taylor <dtaylor@vialogix.com>
Date: Wed, 09 Aug 2000 10:25:47 -0400

Vivek Khera wrote:
> 
> >>>>> "DT" == Drew Taylor <dtaylor@vialogix.com> writes:
> 
> DT> What I would like is to add SSL to the frontend servers and ditch
> DT> stronghold all together. I'm interested in suggestions for how to do
> 
> Why not just add mod_proxy and mod_rewrite to stronghold, and remove
> mod_perl from it.  Then it is your front end.  Since you've already
> paid for it, it seems the way to go.  Using mod_ssl may pose legal
> issues until the RSA patents expire next month.

That is an excellent point. My initial thought was based on the fact
that I was given the server with Stronghold already compiled w/ mod_perl
and I was trying to get around having to recompile Stronghold again.
Would it be worthwhile to have a non mod_perl stronghold as the front
end for ALL incoming connections (of course having only the necessary
domains running SSL) instead of the plain apache I'm running now? 

In the long run, your solution is the way to go and once I get back from
vacation (thank goodness!) I will look into it.

===

Subject: Re: Proxy setup w/ SSL
From: ___cliff rayman___ <cliff@genwax.com>
Date: Wed, 09 Aug 2000 10:17:55 -0700

siberian wrote:

> . In the F5 world KeepAlives destroy rules based load

sorry - but what's an F5 box?

===
Subject: RE: Proxy setup w/ SSL
From: Jerrad Pierce <Jerrad.Pierce@networkengines.com>
Date: Wed, 9 Aug 2000 13:25:31 -0400 

F5 makes load balancers

===

Subject: Re: how to check for ssl.
From: Jean-Denis Girard <jd-girard@esoft.pf>
Date: Sun, 06 Aug 2000 14:03:24 -1000

> > cliff rayman wrote:
> >
> > > $port=$r->get_server_port();
> > >
> > > scotta@musiciansfriend.com wrote:
> > >
> > > > Ok, so what is the PORT variable and how do i access it?
> > > >

> > > > On 3 Aug 2000, at 22:08, Stas Bekman wrote:

> > > > > Not really, you can spoof both:
> > > > > http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html

cliff@genwax.com wrote: 

> Jean-Denis Girard wrote:

> > For some reason (probably my error),
> >
> >   $r->get_server_port() 
> >
> > always returns 80 although my mod_perl backend only
> > listen to 8080 and 8443 (I use Listen directives).  I'm
> > using (sockaddr_in($r->connection->local_addr))[0] to get
> > the port instead.  Though it works, I must load one more
> > module (Socket), which I would like to avoid if
> > possible...
> >
> > Any idea about my mistake ?
> >
> > My conf: 
> > apache-1.3.12 + mod_ssl-2.3.4  <=> apache-1.3.12 + mod_perl-1.24 
> >
> > on linux-2.2.14
> >
cliff rayman wrote:

> try these and see what they return:
>
> $r->server->port();
> $r->parsed_uri->port();
>

$r->server->port() returns 0
$r->parsed_uri->port() and $r->parsed_uri->fragment() return nothing !!!
===

