httpd-users mailing list archives

From suomi <apa...@ayni.com>
Subject Re: [users@httpd] Reverse proxy and HTTP/1.1
Date Fri, 06 Aug 2004 06:24:07 GMT
Could that probably help?

http://www.apacheweek.com/features/reverseproxies

suomi

MARTYR Jean-Bernard wrote:
> Hello,
> 
> I posted the following message last week with no reaction. Is there
> anybody who could provide help or advice?
> 
> Thanks.
> JB.
> _______________
> Hello,
> 
> I'm currently experiencing a problem for which I'm really hoping apache2 is
> the solution.
> 
> Context :
> ---------
> End users access a web site hosted on IIS 5.0 on a win2K platform using a
> Netscape 4.06 or 4.78 browser.
> The web site is accessed in SSL v3 (client & server certificate)
> The normal way of accessing the site is through a transparent proxy
> (Netscape Proxy 3.6)
> End users are on a private Extranet. Proxy on the nearest DMZ and web
> server on another DMZ behind the proxy
> IIS 5.1 is configured to use keep-alive
> Too many users to migrate to IE (almost 70000).
> 
> Issue :
> ------
> It appears that Netscape browser 4.x does not implement correctly the Proxy
> Keepalive standard so if a user wants to access (as he should) the site via
> the proxy (through a connect method) he gets as many TCP sessions as the
> number of objects on the html page to download it. You can imagine the poor
> performance of the result since it's not only the "normal" TCP handshake,
> but also each time the SSL handshake.
> 
> Various performance results :
> -----------------------------
> I've tried a couple of things to measure and isolate the problem : my
> application home page consists of 44 objects
> 
> * IE 6 vs NS through proxy : I'm counting the number of network packets
> exchanged and the number of TCP sessions.
> IE = 360 to 380 packets and 5 TCP sessions to retrieve the page
> NS = 930 to 1000 packets and 45 TCP sessions
> 
> => So my understanding is clearly the lack of support for proxy keep-alive
> in Netscape
> 
> * IE 6 vs NS direct access to the web server :
> both NS and IE 6 = 260 to 290 packets and 5 TCP sessions to retrieve the
> page
> 
> => keep alive is ok in both cases.
> 
> I was suspecting also a possible Nagling problem with the win 2K platform
> so I've set up a win 2K3 server in the same condition because Nagling is
> basically disabled there but the results were the same.
> 
> Expected solution :
> -------------------
> Since the Netscape browser seems to implement correctly the simple HTTP 1.1
> keep alive protocol my idea is to use apache as a reverse proxy facing the
> browser and acting as an http client to the IIS webserver. So no proxy would
> be needed to connect the NS browser to the apache web server (keepalive
> should then work) and basically apache is a correct http/1.1 client.
> Since the client certificate is also used to identify the UID of the users
> in the application I'm also implementing the requestheader function of the
> apache2 mod_headers to pass it to the server.
> 
> Why I need help :
> ------------------
> Apache2 is compiled on solaris 2.6 with these options :
> --enable-cache --enable-mime-magic --enable-expires --enable-headers
> --enable-proxy --enable-proxy-connect --enable-proxy-http --enable-ssl
> --enable-static-rotatelogs --enable-http --enable-rewrite --enable-so
> --enable-cgi
> 
> My concern is that when using this configuration of apache and accessing it
> directly (no proxy) from NS I'm still having exactly the same performance as
> with a forwarding proxy. I've snooped also on the reverse-proxy server the
> network dialog between apache and IIS and it's the exact reflection of the NS
> to apache dialog. My understanding is really that a reverse proxy should
> dissociate the browser-to-reverse from the reverse-to-web-server dialog and
> it really does not seem to be the case.
> Am I making wrong assumptions there?
> Is there a misconfiguration here ?
> 
> I've already spent a lot of time on this issue and would be very happy if
> anybody could bring some help.
> 
> Thanks to all in advance.
> 
> Regards.
> 
> JB.
> 
> 
> _______________________________________________________
> _______________________________________________________
> My apache reverse conf :
> 
> [...]
> 
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl    .crl
> 
> SSLPassPhraseDialog  builtin
> 
> SSLSessionCache        shmht:/usr/local/apache2/logs/ssl_scache(512000)
> SSLSessionCacheTimeout  300
> 
> CacheIgnoreCacheControl On
> CacheIgnoreNoLastMod Off
> CacheMaxExpire 15
> 
> SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
> 
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> 
> <VirtualHost _Locpro_>
> 
> SSLEngine on
> SSLProxyEngine on
> 
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> 
> [...]
> 
> SSLVerifyClient require
> SSLVerifyDepth 2
> 
> SSLOptions +ExportCertData +CompatEnvVars +StdEnvVars
> 
> #SetEnvIf User-Agent ".*MSIE.*" \
> #         nokeepalive ssl-unclean-shutdown \
> #         downgrade-1.0 force-response-1.0
> SetEnv proxy-keepalive On
> SetEnv keepalive On
> 
> 
> CustomLog /usr/local/apache2/logs/ssl_request_log \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_S_DN}x \"%r\" %b"
> CustomLog /usr/local/apache2/logs/ssl_log common
> 
>   # Enable the URL rewriting engine
>   RewriteEngine        on
>   RewriteLogLevel      1
>   LogLevel             warn
>   RewriteLog           logs/rewrite_log.stats.renault.fr
>   ErrorLog             logs/error_log.stats.renault.fr
> 
>   # make sure the status page is handled locally
>   # and make sure no one uses our proxy except ourself
>   RewriteRule    ^/apache-rproxy-status.*  -  [F]
>   RewriteRule    ^(http|ftp)://.*          -  [F]
>   RewriteRule    \.htr($|.*) / [F]
>   RewriteRule    \.idc($|.*) / [F]
>   RewriteRule    etc/passwd / [F]
>   RewriteRule    etc/shadow / [F]
>   RewriteRule    /\./ / [F]
>   RewriteRule    /\.\./ / [F]
>   RewriteRule    (administrators.pwd)|(authors.pwd)|(users.pwd)|(service.pwd) / [F]
>   RewriteRule    (root.exe?)|(cmd.exe?)|(default.ida?) / [F]
>   RewriteRule    msadcs.dll / [F]
> 
> 
>   RequestHeader set CERT-SUBJECT %{SSL_CLIENT_S_DN}e
> 
>   RewriteRule    ^/Locpro(.*)$                  to://my.iis.server/Locpro$1
>   RewriteRule    ^to://([^/]+)/Locpro(.*)       http://$1/Locpro$2      [P]
> 
>   RewriteRule    .*                    -              [F]
>   ProxyRequests        Off
> 
> </VirtualHost>
> 
> </IfDefine>
> _______________________________________________________
> _______________________________________________________
> 
> 
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
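
The measurement described in the quoted message (packets and TCP sessions counted on the browser-to-proxy leg and again on the proxy-to-IIS leg) can be repeated from `tcpdump -nn` text output. The following is an added example, not part of the thread; the addresses, ports, leg labels and capture lines are constructed.

```python
import re

# tcpdump -nn text output: "... IP src.port > dst.port: Flags [S], ..."
PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                 r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

# Constructed endpoints: the reverse proxy's SSL listener and the backend.
SERVERS = {"browser->proxy": ("10.0.1.10", 443),
           "proxy->backend": ("10.0.2.20", 80)}

def leg_stats(lines, servers):
    """Per listening endpoint: packets seen and distinct TCP sessions opened.

    A session is a pure SYN ("S", no ACK) towards the endpoint, deduplicated
    by client address and port so a retransmitted SYN is not counted twice.
    """
    by_endpoint = {ep: name for name, ep in servers.items()}
    packets = {name: 0 for name in servers}
    opened = {name: set() for name in servers}
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue  # non-TCP or unparsed line
        src, dst = (m[1], int(m[2])), (m[3], int(m[4]))
        leg = by_endpoint.get(dst) or by_endpoint.get(src)
        if leg is None:
            continue  # traffic for some other host
        packets[leg] += 1
        if m[5] == "S" and dst in by_endpoint:
            opened[leg].add(src)
    return {n: {"packets": packets[n], "sessions": len(opened[n])}
            for n in servers}

def sample_capture(connections=3):
    """Constructed lines: every browser connection is mirrored to the backend."""
    out = []
    for i in range(connections):
        for c, s in ((f"10.0.0.5.{1025 + i}", "10.0.1.10.443"),
                     (f"10.0.1.10.{40000 + i}", "10.0.2.20.80")):
            out += [f"IP {c} > {s}: Flags [S], seq 1, length 0",
                    f"IP {s} > {c}: Flags [S.], seq 1, ack 2, length 0",
                    f"IP {c} > {s}: Flags [.], ack 2, length 0"]
    return out

if __name__ == "__main__":
    for leg, s in leg_stats(sample_capture(), SERVERS).items():
        print(f"{leg}: {s['sessions']} sessions, {s['packets']} packets")
```

Equal session counts on both legs correspond to the mirrored dialog reported in the quoted message; a backend count well below the browser count would indicate that connections to the web server are being reused.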
