SSL Reverse Proxy

2001-06-20 Thread Tim Tassonis

Hi

We've got a non SSL web application (Netscape Calendar) that should be
accessible via SSL. This should be possible using an SSL reverse Proxy. I
seem to remember that this functionality has been donated to mod_ssl by
Stronghold, but did not find anything in the mod_ssl documentation.
Does anybody know if mod_ssl can perform as an SSL reverse Proxy and how
to set it up?

Bye
Tim
 

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: Netscape + ModSSL=Dead slow.

2001-06-20 Thread DAve Goodrich

on 6/19/01 5:02 PM, David Rees at [EMAIL PROTECTED] wrote:

 
 I've got a couple things for you to try.
snip
 If that doesn't work, can you try adding this line?
 
 BrowserMatch Mozilla nokeepalive downgrade-1.0 force-response-1.0
 
 This will disable keepalive for all versions of Netscape and make sure that
 the response is 1.0, not 1.1.  If it helps, we can then tailor it to
 Netscape on the Mac after we figure out what the UserAgent header is.  You
 can pull the UserAgent header out of the log files if you're using the
 combined log format.

YES YES YES YES YES YES!!! instant response!

Log file SAYSS..

Mozilla/4.75C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; U; PPC)

I will begin testing every version we have available in the testlab and get
a good match. I'll then return this info to the list.

Thank you Dave, where are you at? I'm in Seattle and will be in Indianapolis
this fall. I owe you a beverage of choice.

DAve

--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com





Re: Netscape + ModSSL=Dead slow.

2001-06-20 Thread DAve Goodrich

on 6/19/01 5:02 PM, David Rees at [EMAIL PROTECTED] wrote:

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of DAve Goodrich
 
 It's running alright, I'm tailing the logs in a console as I connect. I'm
 running Slackware. If you search for this thread in the archives,
 you'll get
 everything you ever wanted to know about these boxes ;^)
 
 I've got a couple things for you to try.
 
 First of all, what kernel are you running?  Are you running the stock kernel
 with Slackware 7.0?

sysadmin@www2:/usr$ uname -a
Linux www2 2.2.16 #6 Wed Dec 13 15:18:16 /etc/localtime 2000 i686 unknown

Nope, the kernel is stripped of all unneeded goodies, I don't have file
systems other than ext2 compiled in, no sound, only my required inet
drivers, etc. 

 If so, can you try upgrading to 2.2.19?  Previous
 versions had some known TCP/IP bugs which could cause problems like you're
 describing.
 
Out of curiosity, what problems that would only affect mod_ssl? I'll pull
sources today for 2.2.19+

 If that doesn't work, can you try adding this line?
 
 BrowserMatch Mozilla nokeepalive downgrade-1.0 force-response-1.0
 
I can do that right away.

 This will disable keepalive for all versions of Netscape and make sure that
 the response is 1.0, not 1.1.  If it helps, we can then tailor it to
 Netscape on the Mac after we figure out what the UserAgent header is.  You
 can pull the UserAgent header out of the log files if you're using the
 combined log format.
 
 What version of Netscape on the Mac are you using?  Are multiple versions of
 Netscape affected?  And what version of Mac OS?
 
Mac OS 8.1/8.5/9.0/9.1 running Netscape 4.73/4.74/4.75[en_US] I believe all
combinations were tested, but I won't swear to it.

Working..Working..Working..Working..Working..Working..Working..

DAve.
--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com





Re: Netscape + ModSSL=Dead slow.

2001-06-20 Thread James Hastings-Trew

Oddly enough, on our Red Hat Linux server, the only Mac browser I had
difficulty with was Explorer. Netscape has always worked like a champ.

on 6/20/01 10:38 AM, Brian O'Neill at [EMAIL PROTECTED] wrote:

 I can confirm that I had this same slow/hang problem with Macs running
 netscape 4.73 and 4.75, using several mod_ssl and apache versions, running
 on Solaris. This was not a Linux-centric issue. It wasn't a priority for
 my client at the time, but I did send a BrowserMatch statement for them to
 try.
 -Brian
 
 
 
 I've been using Netscape 4.77 (OS 9.1 I think) on an iMac over here without
 any problems and stock settings.  Before that I've used Netscape 4.76
 without any problems as well.  I don't recall testing anything earlier,
 although I've got a couple production sites running mod_ssl on Linux (RedHat
 6.2 systems with 2.2.18/19) without any problems.
 
 -Dave




RE: Netscape + ModSSL=Dead slow.

2001-06-20 Thread Brian O'Neill

As I said, it wasn't a priority for the client at the time, although I may
have asked about it at the time but not received a satisfactory
response. I am no longer at that client, so it is even less a priority
now...I am currently away from home at a client, so reading all the
mailing list e-mail is also not a priority...

-Brian


 On Wed, 20 Jun 2001, David Rees wrote:

 Interesting, I wonder why I haven't seen anything on the mod_ssl list
 regarding this until DAve posted?  I've been on the list since last year...
 
 -Dave
 
  -Original Message-
  From: Brian O'Neill
 
  I can confirm that I had this same slow/hang problem with Macs running
  netscape 4.73 and 4.75, using several mod_ssl and apache versions, running
  on Solaris. This was not a Linux-centric issue. It wasn't a priority for
  my client at the time, but I did send a BrowserMatch statement for them to
  try.
 
   
   I've been using Netscape 4.77 (OS 9.1 I think) on an iMac over
  here without
   any problems and stock settings.  Before that I've used Netscape 4.76
   without any problems as well.  I don't recall testing anything earlier,
   although I've got a couple production sites running mod_ssl on
  Linux (RedHat
   6.2 systems with 2.2.18/19) without any problems.
  
   -Dave
 
 

-- 
==
Brian O'Neill   @ home [EMAIL PROTECTED]
At work I'm:   [EMAIL PROTECTED]





RE: Netscape + ModSSL=Dead slow.

2001-06-20 Thread David Rees

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of WSO Support

 Does solving this problem with sweeping wildcard BrowserMatch
 statements adversely affect the functionality of Apache and ModSSL?

No.  Everything will function fine.

 What I'm getting at is, why don't we just BrowserMatch everything
 and call it a day?  What are we losing when we downgrade or
 force 1.0?

Performance.  By downgrading to HTTP 1.0 and disabling keep alives, the
client has to negotiate a new connection on every hit.  If your site
contains many small images, your clients will definitely notice a slowdown
if they are on a slow link (dial up, across the ocean, etc).  Pages will
take longer to load.  You may also notice a slight increase in server load,
but also see that more httpd processes are needed (since they will be tied
up longer waiting for the client to send something over the pipe instead of
disconnecting immediately after sending a response).

But some browsers are simply broken with regards to SSL, keep alives and
HTTP 1.1.  All versions of MSIE older than 5.0 are known to be problematic,
and now it appears that Netscape on Macintosh is also broken.

For more info related to this, search the archives for the thread "KeepAlive
and IE, again"

-Dave




RE: Netscape + ModSSL=Dead slow.

2001-06-20 Thread David Rees

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of DAve Goodrich

 OK, that went faster than expected.

 I clean-installed Netscape from several sources, below are the
 text strings
 recorded in the apache log for each Netscape version I tested. I can
 confirm, each Netscape DID NOT work without the BrowserMatch regex, and
 each DID work with the BrowserMatch regex. I tried to make the match as
 close as possible and I think it works fine. Regex junkies please correct
 me.

 I added this line to httpd.conf;

 BrowserMatch Mozilla/4\..*PPC)$ nokeepalive downgrade-1.0 force-response-1.0

 Netscape installers taken from OEM CD's;

 iMAC_8.6_OEM = Mozilla/4.61 (Macintosh; I; PPC)
 G4/9.0_OEM = Mozilla/4.76 (Macintosh; I; PPC)
 G4_9.1_OEM = Mozilla/4.7C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; I; PPC)

 Netscape Installers taken from ftp.netscape.com;

 Mozilla/4.73 = Mozilla/4.73 (Macintosh; U; PPC)
 Mozilla/4.74 = Mozilla/4.74 (Macintosh; U; PPC)
 Mozilla/4.75 = Mozilla/4.75 (Macintosh; U; PPC)
 Mozilla/4.76 = Mozilla/4.76 (Macintosh; U; PPC)
 Mozilla/4.77 = Mozilla/4.77 (Macintosh; U; PPC)

 All browsers now work! Does anyone see a flaw in this solution? Should I
 file a bug report?

I'm using Netscape 4.76 straight from Netscape without any problems over
here.

Now, you've basically disabled all keep alives and HTTP 1.1 for all browsers
except Netscape on the PC and Unix and probably have something like this:

BrowserMatch MSIE nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch Mozilla/4\..*PPC)$ nokeepalive downgrade-1.0 force-response-1.0

At this point, you may as well disable keep alives for everyone and simplify
the setup with something like this:

SetEnv nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch MSIE ssl-unclean-shutdown

But if your site has many small images with clients on slow links, I think
you'll find yourself looking for ways to turn keep alive back on to speed
things up.

-Dave




Re: Netscape + ModSSL=Dead slow.

2001-06-20 Thread DAve Goodrich

on 6/20/01 3:16 PM, David Rees at [EMAIL PROTECTED] wrote:

 I'm using Netscape 4.76 straight from Netscape without any problems over
 here.
 
I wish I were you ;^)

 Now, you've basically disabled all keep alives and HTTP 1.1 for all browsers
 except Netscape on the PC and Unix and probably have something like this:
 
? I think I've only removed keep alives and HTTP 1.1 on PPC Macintosh
machines running Netscape 4+. If there is more disabled, it's a result of
the default config of mod_ssl.

 BrowserMatch MSIE nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 BrowserMatch Mozilla/4\..*PPC)$ nokeepalive downgrade-1.0 force-response-1.0
 
Closer to this;

<IfModule mod_setenvif.c>
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch Mozilla/4\..*PPC)$ nokeepalive downgrade-1.0 force-response-1.0
</IfModule>

Which I will remove the new entry and then change to;

<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
<VirtualHost 192.168.3.11:443>

DocumentRoot /usr/local/www/secure
ServerName www.rblc.com
php_value session.cache_limiter nocache

    lines removed for clarity ...

SetEnvIf User-Agent .*MSIE.* \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0

SetEnvIf User-Agent Mozilla/4\..*PPC)$ \
 nokeepalive downgrade-1.0 \
 force-response-1.0

</VirtualHost>
</IfDefine>

This will, I believe, stop the hanging with Netscape 4+ on the Mac in the
secured area of my web site. Note that this area is a paying member area and
broadband is a requirement for the client. All other areas of the site will
still allow Netscape 4+ and MSIE 5+ to enjoy keep alives and HTTP 1.1
performance.

 At this point, you may as well disable keep alives for everyone and simplify
 the setup with something like this:
 
 SetEnv nokeepalive downgrade-1.0 force-response-1.0
 BrowserMatch MSIE ssl-unclean-shutdown
 
 But if your site has many small images with clients on slow links, I think
 you'll find yourself looking for ways to turn keep alive back on to speed
 things up.
 
 -Dave

That would be akin to throwing my hands into the air, which I never do ;^)

It's not like I have to type a new httpd.conf entry every hour. If one line
in httpd.conf works for even 10% of my client base that is better than
simplifying the setup and crippling everyone.

So the problem isn't solved, just avoided at this point. I think it's
agreed something is wrong then and I should compile all the current
information and file a bug report.

DAve

--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com





RE: Netscape + ModSSL=Dead slow.

2001-06-20 Thread David Rees

 
 <IfDefine SSL>
 AddType application/x-x509-ca-cert .crt
 AddType application/x-pkcs7-crl .crl
 <VirtualHost 192.168.3.11:443>
 
 DocumentRoot /usr/local/www/secure
 ServerName www.rblc.com
 php_value session.cache_limiter nocache
 
 lines removed for clarity ...
 
 SetEnvIf User-Agent .*MSIE.* \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0
 
 SetEnvIf User-Agent Mozilla/4\..*PPC)$ \
  nokeepalive downgrade-1.0 \
  force-response-1.0
 
 </VirtualHost>
 </IfDefine>
 
 This will, I believe, stop the hanging with Netscape 4+ on the Mac in the
 secured area of my web site. Note that this area is a paying 
 member area and
 broadband is a requirement for the client. All other areas of the 
 site will
 still allow Netscape 4+ and MSIE 5+ to enjoy keep alives and HTTP 1.1
 performance.

Looks good!  Let us know how it works out.

-Dave



Ultimate BrowserMatch List (was: Netscape + ModSSL=Dead slow.)

2001-06-20 Thread WSO Support

Thanks Dave, much appreciated!

So, has anybody compiled the ultimate BrowserMatch list for ModSSL-Apache?

In my regular Apache I've had the following in for some time now:

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0


I build my regular Apache separately from my ModSSL-Apache
so that I can run the ModSSL version at nice level -20, so
that it appears to be as fast as possible.

I would assume that the ultimate BrowserMatch list for
ModSSL-Apache would be different and more inclusive than
one for regular Apache?

This is a great dialog, I appreciate the active responses.

By the way, I run my stuff on BSDI 2.1, 4.0.1 and 4.1 boxes
without problems.

Thanks,
-Chris
WSO




At 03:05 PM 6/20/2001 -0700, you wrote:
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of WSO Support

 Does solving this problem with sweeping wildcard BrowserMatch
 statements adversely affect the functionality of Apache and ModSSL?

No.  Everything will function fine.

 What I'm getting at is, why don't we just BrowserMatch everything
 and call it a day?  What are we losing when we downgrade or
 force 1.0?

Performance.  By downgrading to HTTP 1.0 and disabling keep alives, the
client has to negotiate a new connection on every hit.  If your site
contains many small images, your clients will definitely notice a slowdown
if they are on a slow link (dial up, across the ocean, etc).  Pages will
take longer to load.  You may also notice a slight increase in server load,
but also see that more httpd processes are needed (since they will be tied
up longer waiting for the client to send something over the pipe instead of
disconnecting immediately after sending a response).

But some browsers are simply broken with regards to SSL, keep alives and
HTTP 1.1.  All versions of MSIE older than 5.0 are known to be problematic,
and now it appears that Netscape on Macintosh is also broken.

For more info related to this, search the archives for the thread "KeepAlive
and IE, again"

-Dave




RE: Newbie to mod_ssl

2001-06-20 Thread Paul McGarry

 I've downloaded apache_1.3.20.tar.gz and mod_ssl-2.8.4-1.3.20.tar.gz.
 Is there a step-by-step guide to install Apache with mod_ssl ?

Such instructions are hidden away in a file named, somewhat
cryptically, Install in the mod_ssl tar.gz.

--
Paul McGarry         mailto:[EMAIL PROTECTED]
Systems Integrator   http://www.opentec.com.au
Opentec Pty Ltd      http://www.iebusiness.com.au
6 Lyon Park Road     Phone: (02) 9870 4718
North Ryde NSW 2113  Fax:   (02) 9878 1755




RE: Ultimate BrowserMatch List (was: Netscape + ModSSL=Dead slow.)

2001-06-20 Thread David Rees

At one time I had to add this to the end of my BrowserMatch list for SSL:

BrowserMatch WebTV !ssl-unclean-shutdown

WebTV browsers are based on MSIE, and they don't seem to like the
ssl-unclean-shutdown option for some reason.

I don't know if this is still the case.

-Dave

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of WSO Support

 Thanks Dave, much appreciated!

 So, has anybody compiled the ultimate BrowserMatch list for
 ModSSL-Apache?

 In my regular Apache I've had the following in for some time now:

 BrowserMatch "Mozilla/2" nokeepalive
 BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
 BrowserMatch "RealPlayer 4\.0" force-response-1.0
 BrowserMatch "Java/1\.0" force-response-1.0
 BrowserMatch "JDK/1\.0" force-response-1.0


 I build my regular Apache separately from my ModSSL-Apache
 so that I can run the ModSSL version at nice level -20, so
 that it appears to be as fast as possible.

 I would assume that the ultimate BrowserMatch list for
 ModSSL-Apache would be different and more inclusive than
 one for regular Apache?

 This is a great dialog, I appreciate the active responses.

 By the way, I run my stuff on BSDI 2.1, 4.0.1 and 4.1 boxes
 without problems.
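
The BrowserMatch lines exchanged in this thread, run through a small model of how mod_setenvif evaluates them; this is an added example, not part of any poster's message or configuration. The directive list is assembled from lines several posters gave, the non-Macintosh User-Agent strings are constructed samples, and the closing parenthesis in the Macintosh pattern is escaped because Python's re rejects an unmatched one.

```python
import re

# Assembled for illustration from BrowserMatch lines quoted in the thread;
# this is not any one poster's httpd.conf. The ")" in the Macintosh pattern
# is escaped because Python's re module rejects an unmatched ")".
DIRECTIVES = [
    (r"Mozilla/2", ["nokeepalive"]),
    (r"MSIE 4\.0b2;", ["nokeepalive", "downgrade-1.0", "force-response-1.0"]),
    (r"MSIE", ["nokeepalive", "ssl-unclean-shutdown",
               "downgrade-1.0", "force-response-1.0"]),
    (r"Mozilla/4\..*PPC\)$", ["nokeepalive", "downgrade-1.0",
                              "force-response-1.0"]),
    (r"WebTV", ["!ssl-unclean-shutdown"]),
]

# User-Agent strings reported in the thread for Netscape on Macintosh.
MAC_NETSCAPE = [
    "Mozilla/4.61 (Macintosh; I; PPC)",
    "Mozilla/4.76 (Macintosh; I; PPC)",
    "Mozilla/4.7C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; I; PPC)",
    "Mozilla/4.75C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; U; PPC)",
    "Mozilla/4.73 (Macintosh; U; PPC)",
    "Mozilla/4.77 (Macintosh; U; PPC)",
]

# Constructed samples (not from the thread) for clients that should differ.
OTHER_CLIENTS = {
    "netscape_windows": "Mozilla/4.76 [en] (Windows NT 5.0; U)",
    "msie5_mac": "Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC)",
    "webtv": "Mozilla/3.0 WebTV/1.2 (compatible; MSIE 2.0)",
}


def env_for(user_agent, directives=DIRECTIVES):
    """Model BrowserMatch: every directive is tried in file order, the regex
    is an unanchored, case-sensitive search, "var" sets the variable,
    "var=value" sets it to value, and "!var" removes it."""
    env = {}
    for pattern, flags in directives:
        if not re.search(pattern, user_agent):
            continue
        for flag in flags:
            if flag.startswith("!"):
                env.pop(flag[1:], None)
            else:
                name, _, value = flag.partition("=")
                env[name] = value or "1"
    return env


def keeps_http11_keepalive(user_agent):
    """True when no directive downgraded the client or disabled keep-alive."""
    env = env_for(user_agent)
    return "nokeepalive" not in env and "downgrade-1.0" not in env


if __name__ == "__main__":
    for ua in MAC_NETSCAPE + list(OTHER_CLIENTS.values()):
        print(f"{ua}\n    -> {sorted(env_for(ua)) or 'no variables set'}")
```

Order matters in this model: the WebTV line clears ssl-unclean-shutdown only because it is evaluated after the MSIE line that sets it.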




mod_ssl Install question

2001-06-20 Thread keven . jones


hello,

Quick question--



If I follow the standard installation of mod_ssl

./configure \
--with-apache=../apache_1.3.20 \
--with-ssl=../openssl-0.9.6a \
--prefix=/usr/local/apache

Will this just add the mod_ssl to apache along with whatever else I have
already compiled in (http_core.c, mod_so.c, mod_perl.c) to my apache server
or will it remove the mod_so and mod_perl and just add mod_ssl ?

Also, during the config script do I actually put ../apache_1.3.20 or the
path to this dir (same --with-ssl=../openssl-0.9.6a do I just put
../openssl-0.9.6a or path to openssl-0.9.6a)?

and should --prefix be the path to my apache source code
/usr/local/apache_1.3.20 or to the root dir /usr/local/apache?

Thanks for helping out a GREEN Bean :)


Keven E. Jones
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Problem with Certificates

2001-06-20 Thread Arndt Funk


Hello,

I have a problem with apache-1.3.20 + mod_ssl-2.8.4-1.3.20 +
openssl-0.9.6a + mm-1.1.3.

The ssl-module is built in as a shared object. The apache runs on SuSE
Linux with a 2.0.36 kernel.
If I have more than 114 certificates in the certificatepath, https
doesn't work.
Have you any solution for this Problem?

Arndt Funk
