Re: Proxy setup w/ SSL
siberian wrote:

> . In the F5 world KeepAlives destroy rules based load

sorry - but what's an F5 box?

--
___cliff [EMAIL PROTECTED] http://www.genwax.com/
RE: Proxy setup w/ SSL
F5 makes load balancers

-----Original Message-----
From: ___cliff rayman___ [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 09, 2000 1:18 PM
To: modperl
Subject: Re: Proxy setup w/ SSL

siberian wrote:

> . In the F5 world KeepAlives destroy rules based load

sorry - but what's an F5 box?

--
___cliff [EMAIL PROTECTED] http://www.genwax.com/
Proxy setup w/ SSL
Everyone,

I have successfully setup the proxy system outlined in the guide, and it seems to be working well. In my instance, the front-end httpd has mod_proxy and mod_rewrite, while the backend is only mod_perl. I also have a separate instance of stronghold/mod_perl for SSL connections.

What I would like is to add SSL to the frontend servers and ditch stronghold all together. I'm interested in suggestions for how to do this. Should I try mod_ssl, raven, etc? I am trying to have only 2 servers running instead of three. Does anyone have experience in this area?

--
Drew Taylor
Vialogix Communications, Inc.
501 N. College Street
Charlotte, NC 28202
704 370 0550
http://www.vialogix.com/
Re: Proxy setup w/ SSL
On Tue, 8 Aug 2000, Drew Taylor wrote:

> Everyone,
>
> I have successfully setup the proxy system outlined in the guide, and it seems to be working well. In my instance, the front-end httpd has mod_proxy and mod_rewrite, while the backend is only mod_perl. I also have a separate instance of stronghold/mod_perl for SSL connections.
>
> What I would like is to add SSL to the frontend servers and ditch stronghold all together. I'm interested in suggestions for how to do this. Should I try mod_ssl, raven, etc? I am trying to have only 2 servers running instead of three. Does anyone have experience in this area?

Hmm, how about:
http://perl.apache.org/guide/install.html#Installation_Scenarios_for_mod_p

See also
http://perl.apache.org/guide/scenario.html#HTTP_Authentication_With_Two_Ser

_
Stas Bekman JAm_pH -- Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide http://perl.apache.org/guide
mailto:[EMAIL PROTECTED] http://apachetoday.com http://jazzvalley.com
http://singlesheaven.com http://perlmonth.com perl.org apache.org
Re: Proxy setup w/ SSL
> Everyone,
>
> I have successfully setup the proxy system outlined in the guide, and it seems to be working well. In my instance, the front-end httpd has mod_proxy and mod_rewrite, while the backend is only mod_perl. I also have a separate instance of stronghold/mod_perl for SSL connections.
>
> What I would like is to add SSL to the frontend servers and ditch stronghold all together. I'm interested in suggestions for how to do this. Should I try mod_ssl, raven, etc? I am trying to have only 2 servers running instead of three. Does anyone have experience in this area?

Hi,

Also, does anyone know a way to speed up SSL somehow?

NIge
Re: Proxy setup w/ SSL
On Tue, 8 Aug 2000, Nigel Hamilton wrote:

> Hi,
>
> Also, does anyone know a way to speed up SSL somehow?

Keep-alives. To be able to do that you need to store your output and make sure that your solution sends the appropriate headers that don't kill keep-alive. These include Content-Length (which is why you need to store your output before sending it) and some others which I forget, anyone?

--
Matt/

Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org | AxKit: http://axkit.org
Re: Proxy setup w/ SSL
I use SSL hardware acceleration cards and they work like a champ. I think Rainbow builds these for a reasonable price ( ours came with the F5 hardware ).

Before that we just ran a 'Lite' Stronghold on the front end and proxy'd back all connections to our dynamic content servers. It held up really well and was a really easy config to manage and setup.

However, now the F5 handles all SSL traffic and balances back to a server farm. Each box has two instances of apache running, one mod perl and one light ( on diff ports ). The load balancer checks the URI content and switches between the ports as needed.

Careful with Keepalives, they'll kill you if you're using some load balancing solutions. In the F5 world KeepAlives destroy rules based load balancing, it gets ugly. Your Mileage May Vary.

John-

On Tue, 8 Aug 2000, Matt Sergeant wrote:

> On Tue, 8 Aug 2000, Nigel Hamilton wrote:
>
> > Hi,
> >
> > Also, does anyone know a way to speed up SSL somehow?
>
> Keep-alives. To be able to do that you need to store your output and make sure that your solution sends the appropriate headers that don't kill keep-alive. These include Content-Length (which is why you need to store your output before sending it) and some others which I forget, anyone?
>
> --
> Matt/
>
> Fastnet Software Ltd. High Performance Web Specialists
> Providing mod_perl, XML, Sybase and Oracle solutions
> Email for training and consultancy availability.
> http://sergeant.org | AxKit: http://axkit.org
Re: Proxy setup w/ SSL
Nigel Hamilton wrote:

> Hi,
>
> Also, does anyone know a way to speed up SSL somehow?

There are hardware SSL accelerators that you can buy (quite expensive) which offload the CPU-intensive encryption algorithms, freeing up your CPU to do other things.

Personally, I think a better approach is to use a load-balanced set of proxy/SSL servers, as Stas describes in the guide. Commodity PC hardware running Linux has a much better performance/price ratio than expensive, single-purpose SSL accelerators.

-Adi
Re: Proxy setup w/ SSL
On Tue, 8 Aug 2000, Matt Sergeant wrote:

> On Tue, 8 Aug 2000, Nigel Hamilton wrote:
>
> > Hi,
> >
> > Also, does anyone know a way to speed up SSL somehow?
>
> Keep-alives. To be able to do that you need to store your output and make sure that your solution sends the appropriate headers that don't kill keep-alive. These include Content-Length (which is why you need to store your output before sending it) and some others which I forget, anyone?

According to http://perl.apache.org/guide/correct_headers.html originally written by Andreas, Content-Length is all you need.

Of course you have to enable KeepAlive in the server and the client should support it as well.

_
Stas Bekman JAm_pH -- Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide http://perl.apache.org/guide
mailto:[EMAIL PROTECTED] http://apachetoday.com http://jazzvalley.com
http://singlesheaven.com http://perlmonth.com perl.org apache.org
Re: Proxy setup w/ SSL
On Tue, 8 Aug 2000, Nigel Hamilton wrote:

Nigel, I hope you don't mind that I bounce it back to the list, since that's how it should be.

> What is the rationale behind the content length speed improvement? Can SSL more efficiently/quickly send the page if it knows the content length in advance?

The improvement is in taking the advantage of the KeepAlive feature, which enables a sending of more than one object over the same connection. So you save the handshake to initiate a connection for each requested object, which is especially expensive with SSL if you don't use caching of SSL keys.

KeepAlive works only if the server sends a Content-Length header, since it has to know when the object has been sent, and when it should timeout in order to close the connection if there is no more incoming requests from the same page.

Notice that it makes the user experience somewhat slower, since instead of initiating many connections and downloading all the objects (e.g. images) in parallel, the objects are downloaded sequentially.

Make sure you set the KeepAliveTimeout to the value as small as possible, since the server is in idle state while waiting for the time out.

For the reasons explained above you don't want to use KeepAlive under mod_perl in most cases.

> Thanks
>
> NIge
>
> Nigel Hamilton
> __
> http://e1mail.com   e1mail - Encrypted 1st Class Mail   e1mail: 1001
>
> On Tue, 8 Aug 2000, Stas Bekman wrote:
>
> > On Tue, 8 Aug 2000, Matt Sergeant wrote:
> >
> > > On Tue, 8 Aug 2000, Nigel Hamilton wrote:
> > >
> > > > Hi,
> > > >
> > > > Also, does anyone know a way to speed up SSL somehow?
> > >
> > > Keep-alives. To be able to do that you need to store your output and make sure that your solution sends the appropriate headers that don't kill keep-alive. These include Content-Length (which is why you need to store your output before sending it) and some others which I forget, anyone?
> >
> > According to http://perl.apache.org/guide/correct_headers.html originally written by Andreas, Content-Length is all you need.
> >
> > Of course you have to enable KeepAlive in the server and the client should support it as well.
> >
> > _
> > Stas Bekman JAm_pH -- Just Another mod_perl Hacker
> > http://stason.org/ mod_perl Guide http://perl.apache.org/guide
> > mailto:[EMAIL PROTECTED] http://apachetoday.com http://jazzvalley.com
> > http://singlesheaven.com http://perlmonth.com perl.org apache.org

_
Stas Bekman JAm_pH -- Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide http://perl.apache.org/guide
mailto:[EMAIL PROTECTED] http://apachetoday.com http://jazzvalley.com
http://singlesheaven.com http://perlmonth.com perl.org apache.org
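
The framing rule discussed in the message above (a connection can only be reused when the client can tell where the response body ends), as an added example that is not part of the original thread. It goes beyond the thread by also covering HTTP/1.1 chunked encoding and `Connection: close`; the function names and the sample response heads are constructed for illustration.

```python
def parse_head(raw: bytes):
    """Split a raw response head into (version, status, lower-cased headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    version, status = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return version, int(status), headers


def keep_alive_verdict(raw_head: bytes, client_asked_keepalive: bool = True):
    """Return (reusable, reason) for the connection that carried this response."""
    version, status, h = parse_head(raw_head)
    conn = {t.strip().lower() for t in h.get("connection", "").split(",")}
    chunked = (version == "HTTP/1.1"
               and "chunked" in h.get("transfer-encoding", "").lower())
    bodiless = status in (204, 304) or 100 <= status < 200
    # Without a declared length the only end-of-body marker is closing the
    # socket, which forces a new TCP connect and SSL handshake per object.
    if not (bodiless or chunked or "content-length" in h):
        return False, "body is delimited by connection close"
    if "close" in conn:
        return False, "server sent Connection: close"
    if version == "HTTP/1.0" and not (client_asked_keepalive
                                      and "keep-alive" in conn):
        return False, "HTTP/1.0 needs an explicit Connection: keep-alive"
    return True, "length is known and the connection stays open"


# Constructed sample response heads (not captured traffic).
SAMPLES = {
    # Handler buffered its output, so it could send Content-Length.
    "buffered": b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
                b"Content-Length: 1532\r\nConnection: Keep-Alive\r\n\r\n",
    # Handler streamed its output: no length, so the socket must close.
    "streamed": b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
                b"Connection: Keep-Alive\r\n\r\n",
    "chunked": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n",
    "closing": b"HTTP/1.1 200 OK\r\nContent-Length: 10\r\n"
               b"Connection: close\r\n\r\n",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, keep_alive_verdict(head))
```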
Re: Proxy setup w/ SSL
On Tue, Aug 08, 2000 at 04:07:58PM +, Nigel Hamilton wrote:

> Also, does anyone know a way to speed up SSL somehow?

Well worth a read is http://www.awe.com/mark/apcon2000/ which covers most of the performance related issues.

Also note that the openssl project is currently adding hardware accelerator support which might end up giving us some cheaper hw options in the future.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Proxy setup w/ SSL (fwd)
Stas wanted me to send this to the list, so I'll do that...

I've also done a little testing, and it looks like mod_status is showing 4 keepalive connections on my old (1.2.6 redhat secure) SSL server to my netscape 4.72 browser ...

Srv  PID    Acc       M  CPU   SS  Conn  Child  Slot  Host            VHost                 Request
0    13413  4/4/4     K  0.08  4   0.9   0.00   0.00  216.86.106.124  secure.baremetal.com  GET /icons/burst.gif HTTP/1.0
2    8451   11/14/14  K  0.23  4   3.0   0.01   0.01  216.86.106.124  secure.baremetal.com  GET /icons/forward.gif HTTP/1.0
3    8450   7/11/11   K  0.35  4   1.6   0.01   0.01  216.86.106.124  secure.baremetal.com  GET /icons/sound.gif HTTP/1.0
4    8449   6/10/10   W  0.31  0   5.0   0.01   0.01  216.86.106.124  secure.baremetal.com  GET /server-status HTTP/1.0

I'm not sure why only 28 files are shown in the "this connection" column, there were 29 icons, an html file, and the status page...

Srv    Server number
PID    OS process ID
Acc    Number of accesses this connection / this child / this slot
M      Mode of operation
CPU    CPU usage, number of seconds
SS     Seconds since beginning of most recent request
Conn   Kilobytes transferred this connection
Child  Megabytes transferred this child
Slot   Total megabytes transferred this slot

Date: Tue, 8 Aug 2000 11:43:49 -0700 (PDT)
From: Tom Brown [EMAIL PROTECTED]
To: Stas Bekman [EMAIL PROTECTED]
Subject: Re: Proxy setup w/ SSL

> > > initiating many connections and downloading all the objects (e.g. images) in parallel, the objects are downloaded sequentially.
> >
> > No. AFAIK It still opens up multiple/parallel connections... it just doesn't go through the handshake stuff repeatedly...
>
> Really? That's what I was always told. Any pointers to read about this. Thanks!

Sorry, no... although it should be easy enough to test, even mod_status should provide enough information...

Part of my logic is that the browser doesn't even know if the connection is going to be keep alive until it gets the first response... so if you load a page from domain.com, and it contains 20 images from images.domain.com there would have to be a "test load" of the first image before deciding whether to open up multiple connections ... strikes me as simpler to just proceed as normal and use the pipelining on all connections if it is available...

(maybe things are different for SSL than normal connections, but again, I can't see why they would be...)
Re: Proxy setup w/ SSL
"DT" == Drew Taylor [EMAIL PROTECTED] writes:

DT> What I would like is to add SSL to the frontend servers and ditch
DT> stronghold all together. I'm interested in suggestions for how to do

Why not just add mod_proxy and mod_rewrite to stronghold, and remove mod_perl from it. Then it is your front end. Since you've already paid for it, it seems the way to go.

Using mod_ssl may pose legal issues until the RSA patents expire next month.

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.   Khera Communications, Inc.
Internet: [EMAIL PROTECTED]   Rockville, MD   +1-301-545-6996
GPG MIME spoken here   http://www.khera.org/~vivek/
Re: Proxy setup w/ SSL
On Tue, 8 Aug 2000, siberian wrote:

[...]
> Careful with Keepalives, they'll kill you if you're using some load balancing solutions. In the F5 world KeepAlives destroy rules based load balancing, it gets ugly. Your Mileage May Vary.

uh, say what.

Another performance killer of SSL would be to not make sure the client gets to the same server on every request (as the server is caching some ssl information (which gets done in the F5 box in your setup)).

 - ask

--
ask bjoern hansen - http://www.netcetera.dk/~ask/
more than 70M impressions per day, http://valueclick.com