httpd-dev mailing list archives

From James Sutherland <>
Subject Re: [module porting] mod_proxy
Date Wed, 15 Mar 2000 12:55:34 GMT

On Wed, 15 Mar 2000, Graham Leggett wrote:

> James Sutherland wrote:
> > Yes, Apache is good here - compensating for partially braindead backend
> > servers, where you DO need some "intelligence" in the front-end.
> In all the systems I've come across, there has always been some niggling
> back end box that forced us to have intelligence on the front end. Using
> Apache on the frontend means the capability is there if I need it. The
> last thing I want to do in a design is to sacrifice flexibility to save
> a few cpu cycles that don't represent a saving anyway.

The saved cycles may well represent a saving if you have heavy enough
traffic to warrant offloading it onto a separate box. In the example
someone quoted earlier in this thread, you could have a user on a 28.8K
modem downloading a large dynamically generated file. This will force
whatever process is sending the data to linger for (literally) hours,
pumping out another 4K of data every second.

I once had an Apache WWW server I was running flattened by one user. The
user opened a large number of connections, each downloading something very
large very slowly. Each connection tied up another Apache process, and
more kernel resources, and more memory...

> > I don't want a proxy server. If I did, I'd use Squid or Apache. I want
> > load-balancing, possibly with *transparent* encryption support. (i.e. the
> > backend server "thinks" it's handling a normal SSL request - but
> > offloading the encryption number crunching to another box.)
> SSL doesn't work like that - you cannot get a backend box to think it's
> doing encryption, it either does or it doesn't.

I mean, have the frontend perform the encryption/decryption, and pass
information on what it is doing to the backend. The backend box then sees
a normal SSL connection, even though the number crunching is being done on
another machine.

> > Interesting. How do you pass the information on certificates, protocol
> > used, remote IP etc. to the back end?
> We haven't needed to, but this could easily be achieved by adding
> certificate info into headers to be sent to the backend. This is an
> example of "intelligence" on the front end needed for the back end.

This is also the sort of simple bulk preprocessing I want to handle before
Apache "sees" the request. It doesn't take a complete WWW server process
to encrypt and decrypt a stream of data. You already get systems to
implement the SSL work in a dedicated hardware system - I want to do the
same with (a) dedicated machine(s). Yes, I COULD do something similar with
Apache-SSL and mod_proxy - but that's not what I'm after.
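
An added example, not part of the original message and not Apache code: when a front end terminates SSL and forwards certificate, protocol and remote-IP details in headers as discussed in this thread, the back end can only rely on them if the front end removes client-supplied copies and the back end accepts them solely from the front end's address. The header names, the address range and the function names are hypothetical.

```python
import ipaddress

# Hypothetical header prefix and front-end address range (constructed values).
PREFIX = "x-frontend-"
TRUSTED_FRONTENDS = [ipaddress.ip_network("10.0.0.0/28")]


def _canon(name):
    # CGI-style back ends map '-' and '_' to the same variable, so compare
    # names with both spellings folded together.
    return name.strip().lower().replace("_", "-")


def frontend_headers(client_headers, tls, remote_ip):
    """Front end: drop client-supplied copies of the reserved headers, then
    add what the front end itself observed on the SSL connection."""
    out = [(k, v) for k, v in client_headers
           if not _canon(k).startswith(PREFIX)]
    out.append(("X-Frontend-Remote-IP", remote_ip))
    out.append(("X-Frontend-SSL-Protocol", tls["protocol"]))
    if tls.get("client_cert_subject"):
        out.append(("X-Frontend-Client-Cert-Subject",
                    tls["client_cert_subject"]))
    return out


def backend_tls_context(peer_ip, headers):
    """Back end: believe the reserved headers only when the TCP peer is a
    known front end, and refuse a request that carries one of them twice."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_FRONTENDS):
        return {"via_frontend": False}
    ctx = {"via_frontend": True}
    for k, v in headers:
        name = _canon(k)
        if name.startswith(PREFIX):
            key = name[len(PREFIX):]
            if key in ctx:
                raise ValueError("duplicate front-end header: " + name)
            ctx[key] = v
    return ctx
```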

