Finding if SSL is enabled on back-end proxy-passed server

2000-01-06 Thread Joseph R. Junkin

Hi all,
I have a two machine setup:
(A) A frontend running mod_ssl, mod_rewrite and mod_proxy. 
(B) A backend mod_perl machine server not running SSL that is
proxypassed to from the frontend

Problem: I need to know within my mod_perl backend server whether or not
SSL is active on the frontend, because if not I won't permit login.

So how can I find out from the backend server (B) whether or not the
frontend (A) is running in SSL? 

Thanks!

Joe Junkin
[EMAIL PROTECTED]



Re: Finding if SSL is enabled on backend ..

2000-01-06 Thread Joseph R. Junkin

Actually, I am wrong, the HTTP_REFERER is the previous referring
document, not the current URL so this does not solve my problem. Again,
if anyone knows a way to determine if SSL is activated on the backend,
please let me know.

> > Hi all,
> > I have a two machine setup:
> > (A) A frontend running mod_ssl, mod_rewrite and mod_proxy.
> > (B) A backend mod_perl machine server not running SSL that is
> > proxypassed to from the frontend
> >
> > Problem: I need to know within my mod_perl backend server whether or not
> > SSL is active on the frontend, because if not I won't permit login.
> >
> > So how can I find out from the backend server (B) whether or not the
> > frontend (A) is running in SSL?
> >
> > Thanks!
> >
> > Joe Junkin
> > [EMAIL PROTECTED]



Best setting for KeepAliveTimeout with proxypass to modperl

1999-12-13 Thread Joseph R. Junkin

I was wondering what people have found to be the best setting for the
'KeepAliveTimeout'
for a backend modperl server that is proxypassed from a front end.

My hunch is:
On the front end, keep the normal setting (15 or so)

On the back end, set KeepAliveTimeout to 0 because above all, I do not
want a fat modperl process being tied up. My concern stemmed from the
quote:
"When keep-alives are in use, children will be kept busy doing nothing
waiting for more requests on the already open connection."

This makes sense to me. Does it make sense to others?

[EMAIL PROTECTED]
http://www.datacrawler.com



Re: Best setting for KeepAliveTimeout

1999-12-13 Thread Joseph R. Junkin

Perhaps I should have read the configuration first:
KeepAlive Off
This seems like the best setting?

> This makes sense to me. Does it make sense to others?
>
> [EMAIL PROTECTED]
> http://www.datacrawler.com



Re: mod_perl Programmers demand is going up...

1999-12-04 Thread Joseph R. Junkin

John White wrote:
 
> On Fri, Dec 03, 1999 at 11:15:53PM +0200, Stas Bekman wrote:
> > > Does anybody see a niche for a new web-hosting company specializing in
> > > mod_perl and other goodies, rather than the generic "package" ? Matt ?
> > > That could ease the management problem of "we agree mod_perl is great,
> > > but our hoster won't run it".
> > > I for one ended up having to host my own website because nobody would
> > > host mod_perl  msql for less than an arm and a leg.
> >
> > Sure, Rod, there is a niche
> > Build a rack of machines, give each client a dedicated box and have solved
> > the problem of many people seeking mod_perl support. The question is how
> > much this service is going to cost...

From my experience:
Above.net, tier 1, guaranteed bandwidth
19X12 Rack = $400 monthly allows 128K (in 95%, billed for increase)
19X12 Rack fits 3 3U cases
each case holds 2X500 PIII, Intel GX MB w/onboard video,100baseT and UW
SCSI,256M,18Gig UW IBM, Approx = $2500 per machine

Situation 1: shared three tier platform
First CPU: lightweight front end has Mod_proxy, Mod_rewrite, Mod_ssl
2nd CPU: Mod_perl
3rd CPU runs mysql possibly DNS and Qmail also.
Add in $200 Switch to segment 10 baseT Internet drop from 100baseT
'internal' frontend/modperl/database network.
Also 4 port 100base T hub for $100.

Situation 2: Each client gets a dedicated machine combining each of the
three separate ones from above (expensive, only 3 clients per rack).

Initial hardware outlay approx: 7500+200+100 = $7800 upfront + 400
monthly (min)
Approximate traffic that can be served from this platform??
Additional monthly fees for traffic above 128K?
256K and 19X24 rackspace = $800 I think

 
> Painful question.
>
> I guess the answer lies in how much responsibility the ISP is being
> asked to shoulder.
>
> I've thought about putting together a package of
> 1) Apache
> 2) mod_perl
> 3) mysql
> 4) reverse proxy cache
> 5) a slice of raid
> 6) automated remote backup
> 7) hardware update calendars...
>
> But you can't walk into Exodus without paying $750 for rackspace...
>
> Is this Rod's proverbial arm and a leg?
>
> Quite frankly, providing a service like this is a bit more interesting
> to me at the moment than actual programming.  If anyone is looking to
> partner up to make a service like this a reality, I'd certainly be
> interested in chatting.
>
> John



Modperl/ProxyPass ModSSl

1999-11-23 Thread Joseph R. Junkin

Hello all,
I am using a two server setup with a lightweight modproxy front end
doing a proxypass to a backend modperl app server.
So now I want to utilize modssl and enable an encrypted version, while
still retaining a non-encrypted version.

In this situation, where do I set up modssl?
1) on the modproxy/proxypass frontend?
2) on the secondary modperl server?
3) on both?

I suppose it would be really nice if all I had to do is enable modssl on
the proxypass front end.

Any help would be appreciated. Thanks!

Joe Junkin
[EMAIL PROTECTED]



Re: Session state with/without cookies

1999-10-30 Thread Joseph R. Junkin

This is not a simple answer, but here is my take:
This is only My Opinion.

Rule #1: Design your 'working part' of the app to minimize the
dependence on stored session.

This means to place common actions in the URL.
Some people would say that's messy, but I disagree.
This is because you can 'Walk in' to any part of the app in ANY stage of
the game.
Here is an example, the following views are all based on one record,
Question #14 in a survey.

Here is a complete view of all of the hierarchy:
http://www.datafree.com/demo/dc?s=156-157p=3m=ndb=surveyd=fk=3a=er

Now I want to isolate that question with its answers
http://www.datafree.com/demo/dc?s=156-157-158p=3m=ndb=surveyd=fk=197sn=156-157-158a=er

Now, just view the question itself:
http://www.datafree.com/demo/dc?s=156-157-158p=3m=ddb=surveyd=fk=197sn=156-157-158a=cr

Add a new record?
http://www.datafree.com/demo/dc?s=156-157-158p=3m=ddb=surveyd=fsn=156-157-158a=cr

Split the screen:
http://www.datafree.com/demo/dc?s=156-157-158p=3m=ddb=surveyd=fk=197a=ersw=on

In all of these examples, you are 'Walking In'. The system assigns you
as a guest. As soon as you continue you will notice a UID (u=)
being assigned. What happens if you blow it away? Nothing.
 
Now if you have a 'shopping cart' type of app, you will need to track
session, because you don't want to be passing every product and other
info the User has ordered. I would not store all that crap in cookies
either, but one certainly could.
So you assign each User a session ID.

So now,
You want to track a session,
You need a unique identifier for each session,

Solution:
You must somehow pass a session identifier UID

Popular choices:
1) Part of the URL ie "sessionid=12234"
Drawbacks: 
A) Could be hijacked if someone guesses what it is
Like this:
http://www.datafree.com/demo/dc?s=156-157-158u=202118935938223051p=3m=ndb=surveyd=fk=204a=er
Notice that if you continue with the app, you have hijacked that UID.
This is allowed because the session is unsecure.

B) Session is lost when the User leaves the site, unless they hit the
back button.


2) Stored in the user's browser as a cookie
You can automatically restore the user's last session (most people want
this) and anything else about them you want to retain.
You only need to send the UID once, and the user will hand it back every
time.

3) (my choice) Combine the two. 
If the settings permit guest access, the system instantly adapts and
handles the User.
But to update, you must create an account and login.
When you log in, I toss a cookie. If that cookie ain't there bub, you
ain't continuing on (except as a guest). Once logged in, if you disable
cookies I will detect it and switch you back to a guest.
Finally, a combination of URL UID and cookie UID is the only way (I know
of) to allow multiple secure sessions for a single user. A use for this
is for developers to develop online web applications, pause and switch
to an End User view to test, and quickly switch back. In each case, my
system remembers your exact session (last URL, personal settings for
that user) and instantly throws you back where you were. 

Here is a rough flowchart of the process, a bit out of date:
http://www.datacrawler.com/images/main_user_mode.gif

 You have three main choices for maintaining a "session":
 1) cookies
 2) mangled URLs
 3) hidden fields in forms
 If "static HTML" can't do #2 or #3, you are stuck with #1.

I don't understand these answers. What is a mangled URL? I don't
understand the conclusion about static HTML.
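
The combined scheme from the "Session state with/without cookies" post (a UID in the URL plus a cookie, falling back to guest when the cookie is missing) can be sketched as follows. This is an added example, not code from the original post or from the poster's system; the function names, the `sess_` cookie naming and the in-memory store are assumptions made for illustration.

```python
import hmac
import secrets

GUEST = {"user": "guest", "mode": "guest"}
SESSIONS = {}  # constructed in-memory store: uid -> session record


def cookie_name(uid):
    # Hypothetical naming: one cookie per session, so one browser can hold several.
    return "sess_" + uid


def login(user, mode):
    """Start a logged-in session; returns (uid for the URL's u= parameter, cookie value)."""
    uid = secrets.token_hex(16)    # 128 random bits, so the URL value cannot be guessed
    token = secrets.token_hex(32)  # secret that only ever travels in the cookie
    SESSIONS[uid] = {"user": user, "mode": mode, "token": token}
    return uid, token


def resolve(url_uid, cookies):
    """Map a request (u= value plus cookie dict) to its session, or to guest."""
    record = SESSIONS.get(url_uid) if url_uid else None
    if record is None:
        return GUEST               # unknown or missing UID: walk in as guest
    presented = cookies.get(cookie_name(url_uid), "")
    # Constant-time comparison; compare bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(presented.encode(), record["token"].encode()):
        return GUEST               # URL seen or copied without the matching cookie
    return {"user": record["user"], "mode": record["mode"]}


if __name__ == "__main__":
    # Constructed sample: one user, two simultaneous sessions in one browser.
    dev_uid, dev_cookie = login("joe", "developer")
    usr_uid, usr_cookie = login("joe", "end_user")
    jar = {cookie_name(dev_uid): dev_cookie, cookie_name(usr_uid): usr_cookie}
    print(resolve(dev_uid, jar))   # developer session
    print(resolve(usr_uid, jar))   # end-user session, same browser
    print(resolve(dev_uid, {}))    # same URL with no cookie: guest
```

Because the cookie is keyed by the URL UID, the same browser can switch between the two sessions by URL alone, while a URL that leaks on its own only ever yields guest access.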