Re: mod_proxy_http tuning

Hello Jon,

Sorry for the delayed reply. Not sure if you still have the same
problem or not. Couple of observations.

On Wed, Aug 3, 2022 at 10:44 PM <jonmcalexander@xxxxxxxxxxxxxx.invalid> wrote:
>
> Hi Sekhar,
>
> Here is a sanitized copy of our httpd-ssl.conf file. Format is identical, just names changed. Note, we are enforcing client auth between the mod_proxy and Tomcat connector. Not end user client auth, just proxy.
>
> Thanks,
>
> #-----------httpd-ssl.conf-------------------
>
> # for web instance
>
> Listen 6750
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
>
> SSLPassPhraseDialog builtin
> SSLSessionCache "shmcb:/path/ssl_scache(512000)"
> SSLSessionCacheTimeout 300
> Mutex "file:/apps/apache/logs/pid/"
>
> ErrorDocument 500 /ilapp
>
> <VirtualHost _default_:6750>
>     SSLEngine on
>
>     SSLProtocol -all +TLSv1.2
>     SSLCipherSuite <CIPHER LIST>
>     SSLHonorCipherOrder on
>
>     SSLCertificateFile myapp.cer
>     SSLCertificateKeyFile myapp.key
>     SSLCertificateChainFile intermediate.pem
>
>     <FilesMatch "\.(cgi|shtml|phtml|php)$">
>         SSLOptions +StdEnvVars
>     </FilesMatch>
>
>     BrowserMatch "MSIE [2-5]" \
>         nokeepalive ssl-unclean-shutdown \
>         downgrade-1.0 force-response-1.0
>
>     <IfModule proxy_module>
>         SSLProxyEngine On
>         SSLProxyVerify off

I don't see "off" in the Apache doc. none/optional/require/optional_no_ca
are allowed. If you don't want certificate verification, you can set
it to "none". May I know what you are trying to do here?
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyverify

>
>         SSLProxyCheckPeerName on
>         SSLProxyCheckPeerCN on
>         SSLProxyVerifyDepth 5

Then you have the above three settings, which I believe contradict
the SSLProxyVerify setting you have. If you do not want the cert
verification, then why do further checks? You can adjust these
settings as per your need and check again.

Also, another question which I forgot to ask earlier. You mentioned
direct access to Tomcat works faster. Are you accessing it over http
or https? Also, can you please share the Tomcat connector's configuration
here, removing secrets.

>         SSLProxyCACertificateFile intermediate.pem
>         SSLProxyMachineCertificateFile myappClient.pem
>         ProxyRequests Off
>         BalancerPersist On
>
>         <Proxy balancer://icluster>
>             BalancerMember https://tomcat-server:9999
>
>             ProxySet lbmethod=bybusyness
>             ProxySet stickysession=JSESSIONID
>             ProxySet scolonpathdelim=On
>
>             Order Deny,Allow
>             Deny from none
>             Allow from all
>         </Proxy>
>
>         ProxyPass /iapp balancer://icluster/iappp
>         ProxyPassReverse /iapp balancer://icluster/iappp
>
>         ProxyPass /idash balancer://icluster/idash
>         ProxyPassReverse /idash balancer://icluster/idash
>     </IfModule>
> </VirtualHost>
>
> Dream * Excel * Explore * Inspire
>
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexander@xxxxxxxxxxxxxx
>
> This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
>
> From: Suvendu Sekhar Mondal <suv3ndu@xxxxxxxxx>
> Sent: Tuesday, August 2, 2022 12:03 PM
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: mod_proxy_http tuning
>
> Hello Jon,
>
> On Tue, Aug 2, 2022, 9:19 PM <jonmcalexander@xxxxxxxxxxxxxx.invalid> wrote:
>
> Hi Fellow Travelers!
>
> I have an application team that is seeing dismal performance when utilizing the Apache HTTPD front-end using mod_proxy_http to proxy a back-end Tomcat server over SSL. If they bypass the Apache and go direct to Tomcat, everything is nice and fast. However, if they do the same actions via the proxy, it takes 3 to 4 minutes to render the pages, that is if they even display.
>
> This is way too slow! Can you please share httpd configuration? Especially load balancer and compression part.
>
> Looking for some ideas as to how to improve the performance.
>
> Thanks,
>

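A small configuration lint, added here as an illustration and not code from either poster or from httpd, that encodes the two observations in the reply above: an SSLProxyVerify value that is not one of the documented ones, and peer-certificate checks (SSLProxyCheckPeerName, SSLProxyCheckPeerCN, SSLProxyVerifyDepth) that cannot take effect while verification is off. The POSTED fragment is constructed from the sanitized config in the thread; the parser is deliberately minimal and ignores container tags.

```python
# Documented values for SSLProxyVerify (see the mod_ssl manual linked above).
VERIFY_VALUES = {"none", "optional", "require", "optional_no_ca"}
# Directives that only do useful work once the proxy verifies the backend cert.
DEPENDENT = ("SSLProxyCheckPeerName", "SSLProxyCheckPeerCN", "SSLProxyVerifyDepth")

def parse_directives(text):
    """Minimal parser for one-line 'Name value' directives; skips comments,
    blank lines and container tags. The last occurrence of a name wins."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        found[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return found

def lint_proxy_tls(text):
    """Return human-readable findings about the mod_proxy TLS directives."""
    d = parse_directives(text)
    findings = []
    verify = d.get("SSLProxyVerify", "none").lower()  # "none" is the documented default
    if verify not in VERIFY_VALUES:
        findings.append(f"SSLProxyVerify '{verify}' is not a documented value; "
                        f"use one of {sorted(VERIFY_VALUES)}")
    verifying = verify in VERIFY_VALUES - {"none"}
    for name in DEPENDENT:
        if name in d and not verifying:
            findings.append(f"{name} is set but SSLProxyVerify is '{verify}', "
                            "so the backend certificate is never verified")
    has_ca = any(k in d for k in ("SSLProxyCACertificateFile", "SSLProxyCACertificatePath"))
    if verifying and not has_ca:
        findings.append("SSLProxyVerify is enabled but no SSLProxyCACertificateFile/Path is set")
    return findings

# Constructed fragment modelled on the posted config (same sanitized names).
POSTED = """\
SSLProxyEngine On
SSLProxyVerify off
SSLProxyCheckPeerName on
SSLProxyCheckPeerCN on
SSLProxyVerifyDepth 5
SSLProxyCACertificateFile intermediate.pem
SSLProxyMachineCertificateFile myappClient.pem
"""
# Same fragment with verification actually required, so the peer checks apply.
CORRECTED = POSTED.replace("SSLProxyVerify off", "SSLProxyVerify require")

for label, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
    print(label, lint_proxy_tls(cfg) or ["no findings"])
```

The posted fragment yields four findings and the corrected one none; a fragment that requires verification without naming a CA file or path is flagged separately.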