httpd-users mailing list archives

From MARTYR Jean-Bernard <jean-bernard.mar...@renault.com>
Subject Re: [users@httpd] Reverse proxy and HTTP/1.1
Date Fri, 06 Aug 2004 06:29:32 GMT
I had a look at this excellent article and tried to change my rewrite config
to a proxypass/proxypassreverse config with no success.
I must admit I didn't use the mod_proxy_html but I don't think it would
solve my problem (remember Internet Explorer is working fine).
BTW thanks for the clue. Any other comment or clue is appreciated.

JB.
----- Original Message ----- 
From: "suomi" <apache@ayni.com>
To: <users@httpd.apache.org>
Sent: Friday, August 06, 2004 8:24 AM
Subject: Re: [users@httpd] Reverse proxy and HTTP/1.1


> could that probably help?
>
> http://www.apacheweek.com/features/reverseproxies
>
> suomi
>
> MARTYR Jean-Bernard wrote:
> > Hello,
> >
> > I posted the following message last week with no reaction. Is there
> > anybody who could provide help or advice?
> >
> > Thanks.
> > JB.
> > _______________
> > Hello,
> >
> > I'm currently experiencing a problem for which I'm really hoping apache2 is
> > the solution.
> >
> > Context :
> > ---------
> > End users access a web site hosted on IIS 5.0 on a win2K platform using a
> > Netscape 4.06 or 4.78 browser.
> > The web site is accessed in SSL v3 (client & server certificate)
> > The normal way of accessing the site is through a transparent proxy
> > (Netscape Proxy 3.6)
> > End users are on a private Extranet. Proxy on the nearest DMZ and web
> > server on another DMZ behind the proxy
> > IIS 5.1 is configured to use keep-alive
> > Too many users to migrate to IE (almost 70000).
> >
> > Issue :
> > ------
> > It appears that Netscape browser 4.x does not correctly implement the Proxy
> > Keepalive standard, so if a user wants to access (as he should) the site via
> > the proxy (through a connect method) he gets as many TCP sessions as the
> > number of objects on the html page to download it. You can imagine the poor
> > performance of the result since it's not only the "normal" TCP handshake,
> > but also each time the SSL handshake.
> >
> > Various performance results :
> > -----------------------------
> > I've tried a couple of things to measure and isolate the problem : my
> > application home page consists of 44 objects
> >
> > * IE 6 vs NS through proxy : I'm counting the number of network packets
> > exchanged and the number of TCP sessions.
> > IE = 360 to 380 packets and 5 TCP sessions to retrieve the page
> > NS = 930 to 1000 packets and 45 TCP sessions
> >
> > => So my understanding is clearly the lack of support for proxy keep-alive
> > in Netscape
> >
> > * IE 6 vs NS direct access to the web server :
> > both NS and IE 6 = 260 to 290 packets and 5 TCP sessions to retrieve the
> > page
> >
> > => keep alive is ok in both cases.
> >
> > I was also suspecting a possible Nagling problem with the win 2K platform
> > so I've set up a win 2K3 server in the same conditions, because Nagling is
> > basically disabled there, but the results were the same.
> >
> > Expected solution :
> > -------------------
> > Since the Netscape browser seems to implement correctly the simple HTTP 1.1
> > keep alive protocol my idea is to use apache as a reverse proxy facing the
> > browser and acting as an http client to the IIS webserver. So no proxy would
> > be needed to connect the NS browser to the apache web server (keepalive
> > should then work) and basically apache is a correct http/1.1 client.
> > Since the client certificate is also used to identify the UID of the users
> > in the application I'm also implementing the requestheader function of the
> > apache2 mod_header to pass it to the server.
> >
> > Why I need help :
> > ------------------
> > Apache2 is compiled on solaris 2.6 with these options :
> > --enable-cache --enable-mime-magic --enable-expires --enable-headers
> > --enable-proxy --enable-proxy-connect --enable-proxy-http --enable-ssl
> > --enable-static-rotatelogs --enable-http --enable-rewrite --enable-so
> > --enable-cgi
> >
> > My concern is that when using this configuration of apache and accessing it
> > directly (no proxy) from NS I'm still having exactly the same performance as
> > with a forwarding proxy. I've also snooped on the reverse-proxy server the
> > network dialog between apache and IIS and it's the exact reflection of the NS
> > to apache dialog. My understanding is really that a reverse proxy should
> > dissociate the browser to reverse from the reverse to web server dialog and
> > it really does not seem to be the case.
> > Am I making wrong assumptions there ?
> > Is there a misconfiguration here ?
> >
> > I've already spent a lot of time on this issue and would be very happy if
> > anybody could bring some help.
> >
> > Thanks to all in advance.
> >
> > Regards.
> >
> > JB.
> >
> >
> > _______________________________________________________
> > _______________________________________________________
> > My apache reverse conf :
> >
> > [...]
> >
> > AddType application/x-x509-ca-cert .crt
> > AddType application/x-pkcs7-crl    .crl
> >
> > SSLPassPhraseDialog  builtin
> >
> > SSLSessionCache        shmht:/usr/local/apache2/logs/ssl_scache(512000)
> > SSLSessionCacheTimeout  300
> >
> > CacheIgnoreCacheControl On
> > CacheIgnoreNoLastMod Off
> > CacheMaxExpire 15
> >
> > SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
> >
> > SSLRandomSeed startup builtin
> > SSLRandomSeed connect builtin
> >
> > <VirtualHost _Locpro_>
> >
> > SSLEngine on
> > SSLProxyEngine on
> >
> > SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >
> > [...]
> >
> > SSLVerifyClient require
> > SSLVerifyDepth 2
> >
> > SSLOptions +ExportCertData +CompatEnvVars +StdEnvVars
> >
> > #SetEnvIf User-Agent ".*MSIE.*" \
> > #         nokeepalive ssl-unclean-shutdown \
> > #         downgrade-1.0 force-response-1.0
> > SetEnv proxy-keepalive On
> > SetEnv keepalive On
> >
> >
> > CustomLog /usr/local/apache2/logs/ssl_request_log \
> >           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_S_DN}x \"%r\" %b"
> > CustomLog /usr/local/apache2/logs/ssl_log common
> >
> >   # Enable the URL rewriting engine
> >   RewriteEngine        on
> >   RewriteLogLevel      1
> >   LogLevel             warn
> >   RewriteLog           logs/rewrite_log.stats.renault.fr
> >   ErrorLog             logs/error_log.stats.renault.fr
> >
> >   # make sure the status page is handled locally
> >   # and make sure no one uses our proxy except ourself
> >   RewriteRule    ^/apache-rproxy-status.*  -  [F]
> >   RewriteRule    ^(http|ftp)://.*          -  [F]
> >   RewriteRule    \.htr($|.*) / [F]
> >   RewriteRule    \.idc($|.*) / [F]
> >   RewriteRule    etc/passwd / [F]
> >   RewriteRule    etc/shadow / [F]
> >   RewriteRule    /\./ / [F]
> >   RewriteRule    /\.\./ / [F]
> >   RewriteRule    (administrators.pwd)|(authors.pwd)|(users.pwd)|(service.pwd) / [F]
> >   RewriteRule    (root.exe?)|(cmd.exe?)|(default.ida?) / [F]
> >   RewriteRule    msadcs.dll / [F]
> >
> >
> >   RequestHeader set CERT-SUBJECT %{SSL_CLIENT_S_DN}e
> >
> >   RewriteRule    ^/Locpro(.*)$                  to://my.iis.server/Locpro$1
> >   RewriteRule    ^to://([^/]+)/Locpro(.*)       http://$1/Locpro$2  [P]
> >
> >   RewriteRule    .*                    -              [F]
> >   ProxyRequests        Off
> >
> > </VirtualHost>
> >
> > </IfDefine>
> > _______________________________________________________
> > _______________________________________________________
> >
> >
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
>
>
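
An added example, not part of the original thread and not Apache httpd code: a small Python check run over the TLS, header and proxy directives of the quoted virtual host, which carries the client-certificate subject to the backend in a `CERT-SUBJECT` header. The function names and the weak-keyword list are assumptions made for illustration, and the cipher-string handling is a simplified model of the OpenSSL operators.

```python
import re

# Constructed input: directives from the quoted vhost, wrapped lines rejoined.
SAMPLE_CONF = """\
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
RequestHeader set CERT-SUBJECT %{SSL_CLIENT_S_DN}e
RewriteRule ^to://([^/]+)/Locpro(.*) http://$1/Locpro$2 [P]
"""

# Simplified keyword model (assumption, not exhaustive): weak classes that ALL
# pulls in, plus eNULL, which ALL does not include.
ALL_WEAK = {"LOW", "EXP", "ADH", "SSLV2", "RC4"}
WEAK = ALL_WEAK | {"ENULL"}

def enabled_weak_classes(cipher_string):
    """Weak classes left enabled: '+' only reorders, '!' and '-' remove."""
    enabled, killed = set(), set()
    for token in filter(None, re.split(r"[:, ]+", cipher_string)):
        op, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        parts = {p.upper() for p in name.split("+")}
        if op == "!":
            killed |= parts
        if op in ("!", "-"):
            enabled -= parts
        elif op == "":
            enabled |= (ALL_WEAK if "ALL" in parts else parts & WEAK) - killed
    return sorted(enabled)

def audit(conf, identity_header):
    """Hypothetical helper: report weak ciphers, header handling, backend scheme."""
    findings = []
    for words in filter(None, (line.split() for line in conf.splitlines())):
        directive = words[0].lower()
        if directive == "sslciphersuite":
            weak = enabled_weak_classes(" ".join(words[1:]))
            if weak:
                findings.append("weak cipher classes enabled: " + ",".join(weak))
        elif directive == "requestheader" and len(words) >= 3:
            if words[2].lower() == identity_header.lower() and words[1].lower() not in ("set", "unset"):
                findings.append("client-supplied %s is not overwritten" % words[2])
        elif directive in ("rewriterule", "proxypass"):
            proxied = directive == "proxypass" or re.search(r"\[[^\]]*\bP\b", words[-1])
            if proxied and any(w.startswith("http://") for w in words[1:]):
                findings.append("proxied backend hop uses cleartext http://")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, "CERT-SUBJECT"):
        print(finding)
```

In this model `+eNULL` is not reported because the `+` operator only moves ciphers that are already in the list, while `ALL` is what leaves the LOW, EXP and SSLv2 classes enabled. `RequestHeader set` replaces any `CERT-SUBJECT` value sent by the browser, so the header is only as trustworthy as the backend's restriction to requests coming from the proxy.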

