mod_proxy performance issues - Was: Re: [Cialug] Apache - SSL Proxy - Name Based VirtualHost Problem
chris
chris at ia.gov
Fri Oct 19 16:37:14 CDT 2007
Matthew,
If you have the time, I'd be very interested in what kind of performance
issues you are having with mod_proxy. What version are you running? Are
you doing any rewriting at the reverse proxy? What kind of traffic:
lots of little, lots of big, or a mix?
I'm in frequent contact with the Apache mod_proxy devs, and if you are
having some issues it would be great to give us a chance to address
them. I use squid and mod_proxy both, and I have found squid to be very
capable but not nearly as flexible as I would like it to be.
Thanks!
chris
Matthew Nuzum wrote:
> Claus:
>
> Something you can do (sometimes) with these cases is to ensure your
> proxy server can resolve the hostnames the way you want them to. Then,
> instead of proxying to localhost:port proxy to correct.host.name:port.
>
> So since you're dealing with localhost, you could set up /etc/hosts file to
> 127.0.0.1 localhost correct.host.name
>
> Also, you can create dummy network interfaces and bind your apache
> processes to these interfaces instead of alternate ports. I've done
> this and it works fine.
>
> Just a note, we're not 100% satisfied with Apache's proxying
> capability and are switching to squid. It's just not keeping up with
> our traffic load.
>
> Also, can I suggest looking into fastcgi type solutions? It may be a
> simpler configuration for what you're trying to do.
>
> On 10/19/07, Claus <cniesen at gmx.net> wrote:
>> I'm virtualizing the Apache servers, so each server is chrooted to its own
>> directory and PHP scripts from one server can't access the other
>> servers. So, on the server I'm running one main Apache instance that
>> listens on the publicly accessible port 80. The other Apache instances
>> listen on localhost only on their respective ports (e.g. 8010, 8020). To
>> do this, and it does work, I use the following directives for the main
>> (proxy) Apache instance:
>>
>> <Directory proxy:http://localhost:8010/>
>> Order deny,allow
>> Allow from all
>> </Directory>
>> <VirtualHost *:80>
>> ServerName host1.example.com
>> ProxyPass / http://localhost:8010/
>> ProxyPassReverse / http://localhost:8010/
>> </VirtualHost>
>>
>> <Directory proxy:http://localhost:8020/>
>> Order deny,allow
>> Allow from all
>> </Directory>
>> <VirtualHost *:80>
>> ServerName host2.example.com
>> ProxyPass / http://localhost:8020/
>> ProxyPassReverse / http://localhost:8020/
>> </VirtualHost>
>>
>>
>> The next step was to add an SSL host, which successfully worked by
>> adding these directives:
>>
>> <Directory proxy:http://localhost:8030/>
>> SSLRequireSSL
>> Order deny,allow
>> Allow from all
>> </Directory>
>> <VirtualHost *:80>
>> ServerName sslhost3.example.com
>> RewriteEngine on
>> RewriteRule ^/(.*) https://sslhost3.example.com/$1 [L,R]
>> </VirtualHost>
>> <VirtualHost *:443>
>> SSLEngine on
>> ServerName sslhost3.example.com
>> ProxyPass / http://localhost:8030/
>> ProxyPassReverse / http://localhost:8030/
>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>> SSLCertificateFile /etc/ssl/example.com.crt
>> SSLCertificateKeyFile /etc/ssl/private/example.com.key
>> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>> </VirtualHost>
>>
>>
>> Now I want to add another SSL host. I know that each SSL host needs to
>> have its own unique IP and port pair. This is due to the fact that SSL
>> encryption needs to happen before the hostname is disclosed to the
>> server. That's why name-based virtual hosting doesn't work.
>> However, with a proxy I thought I could do the following:
>>
>> 1. Main Proxy Server
>> Accepts connection on port 80 and 443. Forwards proxies port 80 as
>> usual but forwards port 443 to second proxy server in clear text.
>>
>> 2. Second Proxy Server
>> Now that the incoming traffic is not encrypted the name based
>> VirtualHost directive should work.
>>
>> So I envisioned the directives to be:
>>
>> <VirtualHost *:80>
>> ServerName sslhost3.example.com
>> RewriteEngine on
>> RewriteRule ^/(.*) https://sslhost3.example.com/$1 [L,R]
>> </VirtualHost>
>> <VirtualHost *:80>
>> ServerName sslhost4.example.com
>> RewriteEngine on
>> RewriteRule ^/(.*) https://sslhost4.example.com/$1 [L,R]
>> </VirtualHost>
>>
>> # Main Proxy Server
>> <Directory proxy:http://localhost:44344/>
>> SSLRequireSSL
>> Order deny,allow
>> Allow from all
>> </Directory>
>> <VirtualHost *:443>
>> SSLEngine on
>> ServerName sslhost3.example.com
>> ServerAlias sslhost4.example.com
>> ProxyPass / http://localhost:44344/
>> ProxyPassReverse / http://localhost:44344/
>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>> SSLCertificateFile /etc/ssl/example.com.crt
>> SSLCertificateKeyFile /etc/ssl/private/example.com.key
>> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>> </VirtualHost>
>>
>> # Second Proxy Server
>> <Directory proxy:http://localhost:8030/>
>> Order deny,allow
>> Allow from all
>> </Directory>
>> <VirtualHost *:44344>
>> SSLEngine on
>> ServerName sslhost3.example.com
>> ProxyPass / http://localhost:8030/
>> ProxyPassReverse / http://localhost:8030/
>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>> SSLCertificateFile /etc/ssl/example.com.crt
>> SSLCertificateKeyFile /etc/ssl/private/example.com.key
>> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>> </VirtualHost>
>>
>> <Directory proxy:http://localhost:8040/>
>> Order deny,allow
>> Allow from all
>> </Directory>
>> <VirtualHost *:44344>
>> SSLEngine on
>> ServerName sslhost4.example.com
>> ProxyPass / http://localhost:8040/
>> ProxyPassReverse / http://localhost:8040/
>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>> SSLCertificateFile /etc/ssl/example.com.crt
>> SSLCertificateKeyFile /etc/ssl/private/example.com.key
>> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>> </VirtualHost>
>>
>> So far I haven't gotten this to work. Whatever I do it seems to pick
>> the first VirtualHost listed, seemingly ignoring the ServerName. At the
>> point of processing the port 44344 request no encryption should hinder
>> the name based VirtualHost resolution, right? Is there anything I'm
>> overlooking?
>>
>> Claus
>>
>> PS: I'm aware of the mismatch between the SSL certificate and the domain
>> names. At this point I'm not concerned about it.
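An added example (not Claus's posted configuration, and not taken from Matthew's or chris's replies) of the two-hop layout Claus describes, with the two settings that stop the second hop from always answering with its first VirtualHost: the first hop must forward the original Host header, and the second hop must accept plain HTTP and be declared name-based. It assumes the same ports and certificate paths as his post; ProxyPreserveHost and NameVirtualHost are standard Apache 2.x directives.

```apache
# Added example, not the configuration posted in the thread.
# Assumes: TLS is terminated on 443 by the main proxy, which then
# forwards plain HTTP to a second Apache instance on localhost:44344.

# --- Main proxy: terminates TLS, forwards cleartext to the second hop ---
<VirtualHost *:443>
    SSLEngine on
    ServerName sslhost3.example.com
    ServerAlias sslhost4.example.com
    SSLCertificateFile /etc/ssl/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    # Without this, mod_proxy rewrites the Host header to "localhost:44344",
    # so the second hop can never tell sslhost3 and sslhost4 apart and
    # always serves the first VirtualHost bound to that address:port.
    ProxyPreserveHost On
    ProxyPass / http://localhost:44344/
    ProxyPassReverse / http://localhost:44344/
</VirtualHost>

# --- Second proxy: plain HTTP on 44344, name-based VirtualHosts ---
# Traffic arriving here is already decrypted, so SSLEngine must stay off;
# with it on, Apache expects a TLS handshake on this port and rejects the
# cleartext it receives. Binding to 127.0.0.1 keeps the decrypted hop
# off the network. Apache 2.2 also requires NameVirtualHost before it
# will match VirtualHosts on ServerName for this address:port.
Listen 127.0.0.1:44344
NameVirtualHost 127.0.0.1:44344

<VirtualHost 127.0.0.1:44344>
    ServerName sslhost3.example.com
    ProxyPass / http://localhost:8030/
    ProxyPassReverse / http://localhost:8030/
</VirtualHost>

<VirtualHost 127.0.0.1:44344>
    ServerName sslhost4.example.com
    ProxyPass / http://localhost:8040/
    ProxyPassReverse / http://localhost:8040/
</VirtualHost>
```

To confirm the second hop is selecting on ServerName, run `curl -H 'Host: sslhost4.example.com' http://127.0.0.1:44344/` on the box; the reply should come from the 8040 backend, and `apachectl -S` lists which VirtualHost is the default for 44344.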