Hi, I'm trying to hand all SSL requests to a backend mod_perl server with mod_gzip installed for compression.
This means that SSL content is pre-compressed by the backend server before being encrypted by the frontend (Mini How To - below). Apparently mod_gzip and SSL on the same server will not work - this is why I need to pass the request to a proxy to handle the compression.

So ... a request on https://turbo10.com:446/index.html (server A) passes to http://turbo10.com:44300/index.html (server B). The file is compressed by server B and passed back to server A for encryption and transmission to the client.

This works fine for static files. .... BUT .... Mod_perl scripts seem to fail:

    https://turbo10.com:446/cgi-bin/splashpage1.cgi

The log reports:

    [Mon Oct 14 21:33:25 2002] [error] proxy:http://turbo10.com:44300/cgi-bin/splashpage1.cgi not found or unable to stat

However, when I access the proxy directly, the mod_perl script works fine (no access restrictions just yet):

    http://turbo10.com:44300/cgi-bin/splashpage1.cgi

Any ideas? Is there some weird interaction between mod_perl + mod_proxy?

Even better ... is there a way to do SSL compression in mod_perl with only one server?

Any help would be much appreciated.

Nigel


MOD_GZIP WITH SSL MINI HOWTO
Version 0.2
February 23, 2002
Tim Behrendsen

This document is released into the public domain.

INTRODUCTION

This document describes how to run mod_gzip over SSL connections using mod_ssl. The method described has been tested with Apache 1.3.22 under RedHat 7.2 (Kernel 2.4.13), mod_gzip 1.3.19.1a, mod_ssl 2.8.5 and OpenSSL 0.9.6b.

THE PROBLEM

One would expect to be able to just plug in mod_gzip into Apache in the normal way, and have it work with SSL. Unfortunately, due to technical issues with mod_ssl beyond the scope of this document (apparently mod_ssl greedily grabs the result before anyone else has a chance), the easy solution doesn't work. There are workarounds, however, that give the desired result.

THE SOLUTION

A workaround solution is to use mod_proxy.
A front-end SSL-enabled Virtual Host receives the request, and then uses mod_proxy to pass the result to a back-end non-SSL virtual host that processes the request, compresses the content and passes it back. The front-end then happily forwards the data through the SSL connection.

CONFIGURATION

Install and test mod_gzip. Installation information and sample configuration may be found on the home page of mod_gzip at http://www.remotecommunications.com/apache/mod_gzip. It's recommended to get mod_gzip completely working before adding SSL.

After installing mod_gzip, enable mod_proxy in the configuration file by adding or uncommenting the following lines to the appropriate areas (near directives of the same form would be a good place). Note that the mod_gzip module needs to be the last one in the chain, so activate these before the mod_gzip module.

    LoadModule proxy_module modules/libproxy.so
    AddModule mod_proxy.c

Some mod_gzip configurations apparently need the following line. Add it to your "item_include" sections:

    mod_gzip_item_include handler ^proxy-server$

Add the following lines to your SSL VirtualHost:

    ProxyRequests On
    ProxyPass / http://localhost:44300/
    ProxyPassReverse / http://localhost:44300/
    mod_gzip_on No

This directs mod_proxy to send all requests to a back-end virtual host on port 44300. Note that the "http" is required.

Finally add a virtual host section similar to your primary SSL section, but without the SSL set-up. Note the security clause disabling access from anywhere but localhost (127.0.0.1), which prevents a non-SSL "backdoor" into your web server. This is optional, but recommended. It might also be a good idea to make sure your firewall blocks requests to 44300 (or whatever port you choose) just in case.

    Listen 44300
    <VirtualHost _default_:44300>
        <Directory />
            order deny,allow
            deny from all
            allow from 127.0.0.1
        </Directory>
        ...host information...
    </VirtualHost>

Restart Apache, and that should be it!

PROBLEMS

Q: Error log gives:

    mod_gzip: EMPTY FILE [/tmp/_3630_118_19.wrk] in sendfile2
    mod_gzip: Make sure all named directories exist and have the correct permissions.

A: There are a number of causes for this error, but in the context of SSL, this can be caused when mod_gzip is enabled for the SSL section. Make sure it's either disabled using "mod_gzip_on No" or by specifying the mod_gzip parameters only within the virtual host.

Q: I'm getting redirected to the non-SSL page!

A: Are you using mod_rewrite to fix trailing slashes or other mods? Try removing it in the back-end non-SSL virtual host. Keep the rewrites on the front-end.

Q: When I press "refresh" on my browser, the page is getting corrupted!

A: Unfortunately, IE6 (and perhaps earlier versions?) appears to have a bug with gzip over SSL where the first 2048 characters are not included in the HTML rendering of the page when refresh is pressed. It only seems to happen on longish pages, and not when the page is first loaded. In fact, sometimes it doesn't happen at all. The only current solution is to put a 2048 character comment at the start of your longish pages of all spaces (which compresses pretty well, fortunately).

--
Nigel Hamilton
Turbo10 Metasearch Engine
email: [EMAIL PROTECTED]
tel: +44 (0) 207 987 5460
fax: +44 (0) 207 987 5468
________________________________________________________________________________
http://turbo10.com Search Deeper. Browse Faster.
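
An added example, not part of the original message or the HOWTO: a small Python check for the front-end/back-end layout the HOWTO describes. It flags a proxying virtual host that also sets ProxyRequests On (ProxyPass does not need it, and On additionally lets the host act as a forward proxy), a back end without the 127.0.0.1-only clause, and a back-end Listen on every interface. The sample config and the function name audit are constructed for illustration.

```python
import re

# Constructed sample: the HOWTO's layout with the localhost-only clause left out.
SAMPLE = """\
Listen 44300
<VirtualHost _default_:443>
    ProxyRequests On
    ProxyPass / http://localhost:44300/
    ProxyPassReverse / http://localhost:44300/
    mod_gzip_on No
</VirtualHost>
<VirtualHost _default_:44300>
    mod_gzip_on Yes
</VirtualHost>
"""

def audit(conf):
    """Return findings for a mod_proxy front end and its plain-HTTP back end."""
    vhosts, listens, cur = {}, set(), None
    for raw in conf.splitlines():
        low = raw.strip().lower()
        vh = re.match(r"<virtualhost\s+\S*:(\d+)\s*>", low)
        pp = re.match(r"proxypass\s+\S+\s+http://[^/:\s]+:(\d+)", low)  # not ProxyPassReverse
        if vh:
            cur = vhosts.setdefault(vh.group(1), dict(to=set(), fwd=False, deny=False, allow=set()))
        elif low.startswith("</virtualhost"):
            cur = None
        elif low.startswith("listen "):
            listens.add(low.split()[1])
        elif cur is None or low.startswith("#"):
            continue
        elif pp:
            cur["to"].add(pp.group(1))  # port of the back end this vhost proxies to
        elif low.split() == ["proxyrequests", "on"]:
            cur["fwd"] = True
        elif low.split() == ["deny", "from", "all"]:
            cur["deny"] = True  # presence check only; the order directive is not evaluated
        elif low.startswith("allow from "):
            cur["allow"].update(low.split()[2:])
    out = []
    for port, v in vhosts.items():
        if v["to"] and v["fwd"]:
            out.append(f":{port} ProxyRequests On enables forward proxying; ProxyPass works with Off")
        for t in sorted(v["to"]):
            back = vhosts.get(t, dict(deny=False, allow=set()))
            if not (back["deny"] and back["allow"] and back["allow"] <= {"127.0.0.1", "localhost"}):
                out.append(f":{t} back end is not limited to 127.0.0.1; plain HTTP bypasses SSL")
            if t in listens:
                out.append(f"Listen {t} binds every interface; Listen 127.0.0.1:{t} keeps it local")
    return out
```

Calling audit(SAMPLE) returns three findings; a config with ProxyRequests Off, the HOWTO's deny/allow clause on the back end and Listen 127.0.0.1:44300 returns none.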