Hi,
        
        I'm trying to hand all SSL requests to a backend mod_perl server 
with mod_gzip installed for compression.

        This means that SSL content is pre-compressed by the backend 
server before being encrypted by the frontend (Mini How To - below).

        Apparently mod_gzip and SSL on the same server will not work - 
this is why I need to pass the request to a proxy to handle the compression.
        
        So ... a request on https://turbo10.com:446/index.html (server A)  
passes to http://turbo10.com:44300/index.html (server B).

        The file is compressed by server B and passed back to server A for 
encryption and transmission to the client.

        This works fine for static files.

        .... BUT ....

        Mod_perl scripts seem to fail: 

        https://turbo10.com:446/cgi-bin/splashpage1.cgi

        The log reports:
                
[Mon Oct 14 21:33:25 2002] [error] 
proxy:http://turbo10.com:44300/cgi-bin/splashpage1.cgi not found or unable 
to stat 

        However, when I access the proxy directly, the mod_perl script
works fine (no access restrictions just yet):
        
        http://turbo10.com:44300/cgi-bin/splashpage1.cgi
        
        Any ideas? Is there some weird interaction between mod_perl + 
mod_proxy?
        
        Even better ...  is there a way to do SSL compression in mod_perl
with only one server?

        Any help would be much appreciated.

Nigel
        

MOD_GZIP WITH SSL MINI HOWTO

Version 0.2 February 23, 2002
Tim Behrendsen
This document is released into the public domain.

INTRODUCTION

This document describes how to run mod_gzip over SSL connections using
mod_ssl. The method described has been tested with Apache 1.3.22 under
RedHat 7.2 (Kernel 2.4.13), mod_gzip 1.3.19.1a, mod_ssl 2.8.5 and OpenSSL
0.9.6b.

THE PROBLEM

One would expect to be able to just plug in mod_gzip into Apache in the
normal way, and have it work with SSL. Unfortunately, due to technical
issues with mod_ssl beyond the scope of this document (apparently mod_ssl
greedily grabs the result before anyone else has a chance), the easy
solution doesn't work.

There are workarounds, however, that give the desired result.

THE SOLUTION

A workaround solution is to use mod_proxy. A front-end SSL-enabled Virtual
Host receives the request, and then uses mod_proxy to pass the result to a
back-end non-SSL virtual host that processes the request, compresses the
content and passes it back. The front-end then happily forwards the data
through the SSL connection.

CONFIGURATION

Install and test mod_gzip. Installation information and sample configuration
may be found on the home page of mod_gzip at
http://www.remotecommunications.com/apache/mod_gzip. It's recommended to get
mod_gzip completely working before adding SSL.

After installing mod_gzip, enable mod_proxy in the configuration file by
adding or uncommenting the following lines to the appropriate areas (near
directives of the same form would be a good place). Note that the mod_gzip
module needs to be the last one in the chain, so activate these before the
mod_gzip module.

    LoadModule proxy_module modules/libproxy.so

    AddModule mod_proxy.c

Some mod_gzip configurations apparently need the following line. Add it to
your "item_include" sections:

    mod_gzip_item_include handler ^proxy-server$

Add the following lines to your SSL VirtualHost:

    ProxyRequests On
    ProxyPass / http://localhost:44300/
    ProxyPassReverse / http://localhost:44300/
    mod_gzip_on No

This directs mod_proxy to send all requests to a back-end virtual host on
port 44300. Note that the "http" is required.

Finally add a virtual host section similar to your primary SSL section, but
without the SSL set-up. Note the security clause disabling access from
anywhere but localhost (127.0.0.1), which prevents a non-SSL "backdoor" into
your web server. This is optional, but recommended. It might also be a good
idea to make sure your firewall blocks requests to 44300 (or whatever port
you choose) just in case.

    Listen 44300
    <VirtualHost _default_:44300>
        <Directory />
            order deny,allow
            deny from all
            allow from 127.0.0.1
        </Directory>
        ...host information...
    </VirtualHost>

Restart Apache, and that should be it!

PROBLEMS

Q: Error log gives:
mod_gzip: EMPTY FILE [/tmp/_3630_118_19.wrk] in sendfile2
mod_gzip: Make sure all named directories exist and have the correct
permissions.

A: There are a number of causes for this error, but in the context of SSL,
this can be caused when mod_gzip is enabled for the SSL section. Make sure
it's either disabled using "mod_gzip_on No" or by specifying the mod_gzip
parameters only within the virtual host.

Q: I'm getting redirected to the non-SSL page!

A: Are you using mod_rewrite to fix trailing slashes or other mods? Try
removing it in the back-end non-SSL virtual host. Keep the rewrites on the
front-end.

Q: When I press "refresh" on my browser, the page is getting corrupted!

A: Unfortunately, IE6 (and perhaps earlier versions?) appears to have a bug
with gzip over SSL where the first 2048 characters are not included in the
HTML rendering of the page when refresh is pressed. It only seems to happen
on longish pages, and not when the page is first loaded. In fact, sometimes
it doesn't happen at all. The only current solution is to put a 2048
character comment at the start of your longish pages of all spaces (which
compresses pretty well, fortunately).


-- 
Nigel Hamilton
Turbo10 Metasearch Engine

email:  [EMAIL PROTECTED]
tel:    +44 (0) 207 987 5460
fax:    +44 (0) 207 987 5468
________________________________________________________________________________
http://turbo10.com              Search Deeper. Browse Faster.
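
Added example, not part of the original message or of the HOWTO it quotes: the HOWTO's front-end/back-end pair with the proxy restricted to reverse-proxy use and the back-end bound to loopback only. Port 44300 and the directives come from the HOWTO; the front-end port 443, the use of 127.0.0.1 in place of localhost, and the loopback Listen are assumptions made for this illustration.

```apache
# Added illustration; adapt ports and paths to your own layout.

# --- Front-end SSL virtual host ---------------------------------------
# The HOWTO sets "ProxyRequests On". That directive controls *forward*
# proxying only: with it on, any client that can reach this vhost may ask
# the server to fetch arbitrary URLs on its behalf. ProxyPass (reverse
# proxying) keeps working with it off, so it is switched off here.
<VirtualHost _default_:443>
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile as in your existing
    # SSL section.

    ProxyRequests    Off
    ProxyPass        / http://127.0.0.1:44300/
    ProxyPassReverse / http://127.0.0.1:44300/

    # Compression happens on the back-end, not here.
    mod_gzip_on No
</VirtualHost>

# --- Back-end non-SSL virtual host ------------------------------------
# "Listen 44300" on its own binds every interface, so the plaintext port
# is reachable from the network unless the access rules or a firewall
# stop it. Binding to loopback removes the listener from external
# interfaces altogether; the allow/deny block is kept as a second layer.
Listen 127.0.0.1:44300
<VirtualHost 127.0.0.1:44300>
    <Directory />
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Directory>
    # ...host information (DocumentRoot, ScriptAlias, mod_perl and
    # mod_gzip settings) as in the primary site, without the SSL set-up...
</VirtualHost>
```

A quick check after restarting: from another machine, a connection to port 44300 should be refused, and a proxy-style request for an external URL sent to the SSL port should not be relayed.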

