(unknown)

Hello; I would greatly appreciate assistance with an apache setup
problem.

Aim: Im trying to set up a mixed http/https server. The plan is to
hold secure stuff in one file hierarchy,
insecure in another. I don't seem to be able to get it to work. I've
tried searching both apache/ssl forums
and fedora forums for any info, but can't find any reports of similar
problems.

System info: Fedora core 4 on intel *86; I'm using the fedora httpd
configuration tool to do the setup

General structure: I'm aiming to configure separate ip virtual
servers to serve https traffic and http traffic

Problem: httpd startup always fails with the message:
"Starting httpd: (98)Address already in use: make_sock: could not
bind to address :443
no listening sockets available, shutting down"

In httpd configuration tool, I have configured the available
addresses as
:80
:443

I've configured two
virtual hosts:
"secure host" with address :443
(configured under the 'general options' tab as an ip virtual host on
:443
and with "enable ssl support" tiicked, and addresses provided for the
various keys

default host with address Default virtual host:80
configured as default virtual host and listening on port 80
and with 'enable ssl support unticked

In the httpd.conf file this generates
Listen :80
Listen :443

and lower down
:443>
DocumentRoot /var/www/shtml/
ServerAdmin
ServerName
DirectoryIndex index.shtml index.html index.htm
SSLEngine on



ServerAdmin
ServerName _default_:80
DirectoryIndex index.php index.html index.htm
SSLEngine on


(I'd prefer not to broadcast the whole httpd.conf for security
reasons, but a search reveals there are no
other references to either of the numbers 80 or 443)

Oh, and there isn't anything else listening to port 443:
/sbin/fuser -4 -n udp 443
gives a null result.

Any thoughts? The httpd.conf file looks OK to me as far as I have
been able to tell from reading the
documentation. In particular, is it possible that the httpd error is
misleading me? I'm not absolutely
confident that my key setup is correct; is there any possibility that
a failure in key lookup could
generate this error message about ports?

Thanks for any assistance
Bob


************************************************************ ************
*****************************************************
In case it's relevant, here's my key generation script (domain name
deleted in case I've left any gaping security holes):

openssl genrsa -des3 -out /etc/httpd/conf/ssl.crt/ca.key 4096

openssl req -new -x509 -days 1000 -key /etc/httpd/conf/ssl.crt/ca.key
-out /etc/httpd/conf/ssl.crt/ca.crt

openssl genrsa -des3 -out /etc/httpd/conf/ssl.key/server.key 4096

openssl req -new -key /etc/httpd/conf/ssl.key/server.key -out /etc/
httpd/conf/ssl.crt/server.csr -subj '/CN='

openssl x509 -req -days 1000 -in /etc/httpd/conf/ssl.crt/server.csr -
CA /etc/httpd/conf/ssl.crt/ca.crt -CAkey /etc/httpd/conf/ssl.crt/
ca.key -signkey /etc/httpd/conf/ssl.key/server.key -set_serial 01 -
out /etc/httpd/conf/ssl.crt/server.crt





____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re:

It really does sound like there's something else listening on port 443:

> "Starting httpd: (98)Address already in use: make_sock: could not
> bind to address :443
> no listening sockets available, shutting down"

That's usually what this message means. You said:

> Oh, and there isn't anything else listening to port 443:
> /sbin/fuser -4 -n udp 443
> gives a null result.

.... except that it's tcp, not udp, that we care about here.

As for your httpd.conf, it looks sort of close, although the
":443>" block needs to have the SSL
certificate and key configuration directives as well as some other
stuff (see the example httpd.conf that comes with mod_ssl), and the
"" block should NOT contain "SSLEngine on".

Hope this helps,
--Cliff
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Mod_ssl and how to reduce overhead

Hello, I am trying to plan a system that can handle 10k-100k users.

I am only using apache w/mod-ssl

What should I look at to reduce overhead of bandwidth/cpu/mem?

At what point should I look at ssl accelerators?

Should I definitly look at clustering?

Also.. I ahve heard about ssl session key caching, anyone know how much this
will improve things?

Any good resources I can read?


thanks!
Lee
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead

Hi,

A few words about intended usage would be of great help.

- How many concurrent users
- Type of transactions
- You really think the http front is going to be you bottle neck? or
are there back end systems that will pose a greater problem (I would
think so)

Why not just use a normal server as ssl accelerator? I know several
SSL accelerator "appliancees" that are just that anyway. Unless you
have specific keyhandling requirements (FIPS140-3 or something),
using normal server hardware is much cheaper.

regards
martin

On 26/09/2005, at 14.35, Pigeon wrote:

> Hello, I am trying to plan a system that can handle 10k-100k users.
>
> I am only using apache w/mod-ssl
>
> What should I look at to reduce overhead of bandwidth/cpu/mem?
>
> At what point should I look at ssl accelerators?
>
> Should I definitly look at clustering?
>
> Also.. I ahve heard about ssl session key caching, anyone know how
> much this will improve things?
>
> Any good resources I can read?
>
>
> thanks!
> Lee
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead

I use Pound (http://www.apsis.ch/pound/) as an SSL-terminating reverse
proxy .. on commodity hardware, it can handle - at least according to
quotes from the field - up to around 400 conns/sec. It also affords you
some additional firewalling in that you can put the SSL terminating
accelerator in the DMZ and pass straight HTTP traffic to the backend
without the client ever directly connecting to the web server/cluster.

I also use keepalived to keep a pair of Pound proxies in a
high-availability scenario. If you really need it, you could probably
put up a HA/LVS cluster of Pound proxies up that terminate and proxy
traffic for an entire web farm - if your traffic demands it.

The other bonus is that by terminating SSL at the DMZ, your IDS/IPS
system gets a chance to peek at the traffic.

Pound does numerous other things as well (URL normalization, etc) ..
head to the URL and have a good read.

Best~
-d

Pigeon wrote:
> Hello, I am trying to plan a system that can handle 10k-100k users.
>
> I am only using apache w/mod-ssl
>
> What should I look at to reduce overhead of bandwidth/cpu/mem?
>
> At what point should I look at ssl accelerators?
>
> Should I definitly look at clustering?
>
> Also.. I ahve heard about ssl session key caching, anyone know how much
> this will improve things?
>
> Any good resources I can read?
>
>
> thanks!
> Lee ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead

> Also.. I ahve heard about ssl session key caching, anyone know how much t=
his
> will improve things?

Session caching is more or less essential for any kind of reasonable
SSL performance. Disabling the session cache will hurt your SSL perf
by perhaps as much as an order of magnitude (roughly speaking -- it's
been a long time since I benchmarked it).

--Cliff
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead

We are going to have 10k-100k concurrent users (yeah... )

We are transfering EXE files (no not warez)

I am just trying to get some ideas.. I am concerned about all because I do
not know what to be concerned about :/

thanks
Lee



----- Original Message -----
From: "Martin Strandbygaard"
To:
Sent: Monday, September 26, 2005 8:42 AM
Subject: Re: Mod_ssl and how to reduce overhead


> Hi,
>
> A few words about intended usage would be of great help.
>
> - How many concurrent users
> - Type of transactions
> - You really think the http front is going to be you bottle neck? or are
> there back end systems that will pose a greater problem (I would think
> so)
>
> Why not just use a normal server as ssl accelerator? I know several SSL
> accelerator "appliancees" that are just that anyway. Unless you have
> specific keyhandling requirements (FIPS140-3 or something), using normal
> server hardware is much cheaper.
>
> regards
> martin
>
> On 26/09/2005, at 14.35, Pigeon wrote:
>
>> Hello, I am trying to plan a system that can handle 10k-100k users.
>>
>> I am only using apache w/mod-ssl
>>
>> What should I look at to reduce overhead of bandwidth/cpu/mem?
>>
>> At what point should I look at ssl accelerators?
>>
>> Should I definitly look at clustering?
>>
>> Also.. I ahve heard about ssl session key caching, anyone know how much
>> this will improve things?
>>
>> Any good resources I can read?
>>
>>
>> thanks!
>> Lee
>> ____________________________________________________________ __________
>> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>> User Support Mailing List modssl-users@modssl.org
>> Automated List Manager majordomo@modssl.org
>>
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead

On Mon, Sep 26, 2005 at 08:54:30AM -0400, Cliff Woolley wrote:
> Session caching is more or less essential for any kind of reasonable
> SSL performance. Disabling the session cache will hurt your SSL perf
> by perhaps as much as an order of magnitude (roughly speaking -- it's
> been a long time since I benchmarked it).
>
The actual performance benefit is dependent on the usage pattern (mostly
the length of sessions) but fetching a session from the cache is easily
100x faster than negotiating a new session key (again ymmv dependt on
how much spare processing power you have).
Openssl is usefull in at least getting an idea of the order of magnitude
- run openssl speed rsa on the box to figure out how many rsa operations
it can handle concurrently for your chosen keysize.
openssl s_client with the -reconnect option will help determine wheter
session caching is working on the server.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Re:

Thanks Cliff; will check it further Wednesday (the server needs to be
up &
running tomorrow). Thanks for pointing out the udp in the fuser command
(embarrassed grin). I checked tcp just now, nothing listening, but of
course
that may not be the state when I'm trying to run SSL/apache. The
other issues -
key info and SSL On - are kind of strange. I'm almost certain I had
them right in
the fedora httpd configuration gui. Will check again and confirm. If
it turns out
to be a configuration gui problem, I guess it takes the issue out of
modssl-users, and
it should go to fedoraforum or similar,
Thanks and Best WIshes
Bob

On 26/09/2005, at 21:22, Cliff Woolley wrote:

> It really does sound like there's something else listening on port
> 443:
>
>
>> "Starting httpd: (98)Address already in use: make_sock: could not
>> bind to address :443
>> no listening sockets available, shutting down"
>>
>
> That's usually what this message means. You said:
>
>
>> Oh, and there isn't anything else listening to port 443:
>> /sbin/fuser -4 -n udp 443
>> gives a null result.
>>
>
> ... except that it's tcp, not udp, that we care about here.
>
> As for your httpd.conf, it looks sort of close, although the
> ":443>" block needs to have the SSL
> certificate and key configuration directives as well as some other
> stuff (see the example httpd.conf that comes with mod_ssl), and the
> "" block should NOT contain "SSLEngine on".
>
> Hope this helps,
> --Cliff
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
>






____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead

Hmm.. 10k -100k are pretty much guaranteed numbers..

So my main computer crunching will be done at the beginning? (and to relive
this I can do session key caching.. how long can I cache a key? is this
'secure'?) (also.. all transfers will be ~15megs in size)

And using a single server is out of the question?

If we just go with one server.. shouldn't it be something super fast.. amd64
1gig ram?

thanks!
Lee


>
> On Mon, 26 Sep 2005, Pigeon wrote:
>
>> Hello, I am trying to plan a system that can handle 10k-100k users.
>>
>> I am only using apache w/mod-ssl
>>
>> What should I look at to reduce overhead of bandwidth/cpu/mem?
>>
>> At what point should I look at ssl accelerators?
>>
>> Should I definitly look at clustering?
>>
>> Also.. I ahve heard about ssl session key caching, anyone know how much
>> this
>> will improve things?
>>
>> Any good resources I can read?
>>
>>
>> thanks!
>> Lee
>> ____________________________________________________________ __________
>> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>> User Support Mailing List modssl-users@modssl.org
>> Automated List Manager majordomo@modssl.org
>>
>
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead

In an earlier note, you said that it was 10K-100K *concurrent* users.

a) that's a magnitude of difference, see if you can get better numbers
from whomever is doing the marketing/project planning.
b) ain't no way you're going to do that many *CONCURRENT* transactions
on a single box.

-d

Pigeon wrote:
> Hmm.. 10k -100k are pretty much guaranteed numbers..
>
> So my main computer crunching will be done at the beginning? (and to
> relive this I can do session key caching.. how long can I cache a key?
> is this 'secure'?) (also.. all transfers will be ~15megs in size)
>
> And using a single server is out of the question?
>
> If we just go with one server.. shouldn't it be something super fast..
> amd64 1gig ram?
>
> thanks!
> Lee
>
>
>>
>> On Mon, 26 Sep 2005, Pigeon wrote:
>>
>>> Hello, I am trying to plan a system that can handle 10k-100k users.
>>>
>>> I am only using apache w/mod-ssl
>>>
>>> What should I look at to reduce overhead of bandwidth/cpu/mem?
>>>
>>> At what point should I look at ssl accelerators?
>>>
>>> Should I definitly look at clustering?
>>>
>>> Also.. I ahve heard about ssl session key caching, anyone know how
>>> much this
>>> will improve things?
>>>
>>> Any good resources I can read?
>>>
>>>
>>> thanks!
>>> Lee
>>> ____________________________________________________________ __________
>>> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>> User Support Mailing List modssl-users@modssl.org
>>> Automated List Manager majordomo@modssl.org
>>>
>>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Not to mention 15MB download * 100K concurrent users is some
*serious* traffic. If you're going to be paying that kind of $$$ for
bandwidth, I hope you've got some cash left over for a load balancer
and additional web servers. Some quick (and hopefully accurate) math:

For a T3:
15MB * 1024^2 bytes/MB * 8 bits/byte * 100,000 sessions / (45Mbit/s *
1024^2 bits/Mbit) / 60 sec/min / 60 min/hour = 74 hours

For a 100Mbps ethernet uplink:
15MB * 1024^2 bytes/MB * 8 bits/byte * 100,000 sessions / (100Mbit/s
* 1024^2 bits/Mbit) / 60 sec/min / 60 min/hour = 33 hours

And those assume zero overhead for framing and TCP/IP. Not to
mention, 100K Apache children/threads running to support all those
connections (not going to happen). So yeah, uh, them some serious
numbers. You're going to need some serious uplink and hardware (load
balancer, multiple boxes) to pull this off.

I gotta ask though, just what are you doing where you expect 100K
people trying to download a 15MB file all at the same time? You
working for Microsoft and planning the next security tuesday patch
update or something? :)

- --
Aaron Turner, Sr. Security Engineer

Ph: 408.329.6320 Fax: 408.329.6317


On Sep 26, 2005, at 8:52 AM, Dave paris wrote:

> In an earlier note, you said that it was 10K-100K *concurrent* users.
>
> a) that's a magnitude of difference, see if you can get better
> numbers from whomever is doing the marketing/project planning.
> b) ain't no way you're going to do that many *CONCURRENT*
> transactions on a single box.
>
> -d
>
> Pigeon wrote:
>
>> Hmm.. 10k -100k are pretty much guaranteed numbers..
>> So my main computer crunching will be done at the beginning? (and
>> to relive this I can do session key caching.. how long can I cache
>> a key? is this 'secure'?) (also.. all transfers will be ~15megs
>> in size)
>> And using a single server is out of the question?
>> If we just go with one server.. shouldn't it be something super
>> fast.. amd64 1gig ram?
>> thanks!
>> Lee
>>
>>>
>>> On Mon, 26 Sep 2005, Pigeon wrote:
>>>
>>>
>>>> Hello, I am trying to plan a system that can handle 10k-100k users.
>>>>
>>>> I am only using apache w/mod-ssl
>>>>
>>>> What should I look at to reduce overhead of bandwidth/cpu/mem?
>>>>
>>>> At what point should I look at ssl accelerators?
>>>>
>>>> Should I definitly look at clustering?
>>>>
>>>> Also.. I ahve heard about ssl session key caching, anyone know
>>>> how much this
>>>> will improve things?
>>>>
>>>> Any good resources I can read?
>>>>
>>>>
>>>> thanks!
>>>> Lee
>>>> ____________________________________________________________ _______
>>>> ___
>>>> Apache Interface to OpenSSL (mod_ssl)
>>>> www.modssl.org
>>>> User Support Mailing List modssl-
>>>> users@modssl.org
>>>> Automated List Manager
>>>> majordomo@modssl.org
>>>>
>>>>
>>>
>>>
>> ____________________________________________________________ _________
>> _
>> Apache Interface to OpenSSL (mod_ssl)
>> www.modssl.org
>> User Support Mailing List modssl-
>> users@modssl.org
>> Automated List Manager
>> majordomo@modssl.org
>>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFDOCI8klVhPAXg8nARAiP2AJ9sBkSOKy4mtsctO3XAb2RbXhLnAACg kXh7
k9Fs38X1Q8nJ5b5t2Xg43kA=
=awV5
-----END PGP SIGNATURE-----
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead

Aaron Turner wrote:
>
> I gotta ask though, just what are you doing where you expect 100K
> people trying to download a 15MB file all at the same time? You
> working for Microsoft and planning the next security tuesday patch
> update or something? :)

That or he has the video of Gates getting raped by the penguin.

Oops, I hope this isn't a family list.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead

Just wondering, is this for the charter.net music download? I cannot
believe you would have 100,000 comcurrent connections for a service such
as that. I also see the download file is listed at 1.5MB, not 15.

As as for bandwidth, that better be upgraded. It took over a minute just
to download the home page of off charter.net.

Jeffrey Burgoyne

Chief Technology Architect
KCSI Keenuh Consulting Services Inc
burgoyne@keenuh.com

On Mon, 26 Sep 2005, Pigeon wrote:

> Hmm.. 10k -100k are pretty much guaranteed numbers..
>
> So my main computer crunching will be done at the beginning? (and to relive
> this I can do session key caching.. how long can I cache a key? is this
> 'secure'?) (also.. all transfers will be ~15megs in size)
>
> And using a single server is out of the question?
>
> If we just go with one server.. shouldn't it be something super fast.. amd64
> 1gig ram?
>
> thanks!
> Lee
>
>
> >
> > On Mon, 26 Sep 2005, Pigeon wrote:
> >
> >> Hello, I am trying to plan a system that can handle 10k-100k users.
> >>
> >> I am only using apache w/mod-ssl
> >>
> >> What should I look at to reduce overhead of bandwidth/cpu/mem?
> >>
> >> At what point should I look at ssl accelerators?
> >>
> >> Should I definitly look at clustering?
> >>
> >> Also.. I ahve heard about ssl session key caching, anyone know how much
> >> this
> >> will improve things?
> >>
> >> Any good resources I can read?
> >>
> >>
> >> thanks!
> >> Lee
> >> ____________________________________________________________ __________
> >> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> >> User Support Mailing List modssl-users@modssl.org
> >> Automated List Manager majordomo@modssl.org
> >>
> >
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead

On Mon, Sep 26, 2005 at 11:28:11AM -0400, Pigeon wrote:
> Hmm.. 10k -100k are pretty much guaranteed numbers..
>
That's quite a wide margin. Are we talking concurrent users or just
number of people who could be using it over a period of xx?

> So my main computer crunching will be done at the beginning? (and to relive
> this I can do session key caching.. how long can I cache a key? is this
> 'secure'?) (also.. all transfers will be ~15megs in size)
>
well, with 15meg files you've got more work to do encrypting the content
as the session goes along. You can cache the key as long as you want,
but depending on the type of encryption used, most browsers will not
allow the key to live for all that long. I usually run for about 1 hour,
but ymmv depending on the chosen parameters.

> And using a single server is out of the question?
>
the number of concurrent users has very much to say in that regard.
Maybe an ibm power 5 64 proc or a fully loaded sun e25k - and add an
ssl accelerator to the mix.

> If we just go with one server.. shouldn't it be something super fast..
> amd64 1gig ram?
>
Super fast / amd 64 with only 1 gig mem? you've got to be kidding - I'm
pretty sure you couldn't keep even without SSL.
Doesn't your pr0n streaming business generate enough income to pay for a
real server? ;)

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead

Ok, lets assume I can get a network connection with:
A)10mbit
B)100mbit
C)1000mbit

And I will have 10k concurrent downloads (let us throw out 100k for now..
because i can alwasy scale up figures if we get a base).

(The reason I say 10k concurrent is because we have an update system (sorta
like windows update).. and as soon as we tell their computer to update, we
have 10k boxes saying give me the file!)

So my question is..
What would be the best (given we cannot do blades or the like since we have
to use 'standard' 1u/2u/4u boxes from the dedi center).
Should we definitly beat the problem with iron and get 5servers doing load
balancing? 2servers? If 2servers go with the 1000mbit connection?



thank you for all of your time and input!

thanks
Lee





----- Original Message -----
From: "Mads Toftum"
To:
Sent: Monday, September 26, 2005 1:27 PM
Subject: Re: Mod_ssl and how to reduce overhead


> On Mon, Sep 26, 2005 at 11:28:11AM -0400, Pigeon wrote:
>> Hmm.. 10k -100k are pretty much guaranteed numbers..
>>
> That's quite a wide margin. Are we talking concurrent users or just
> number of people who could be using it over a period of xx?
>
>> So my main computer crunching will be done at the beginning? (and to
>> relive
>> this I can do session key caching.. how long can I cache a key? is this
>> 'secure'?) (also.. all transfers will be ~15megs in size)
>>
> well, with 15meg files you've got more work to do encrypting the content
> as the session goes along. You can cache the key as long as you want,
> but depending on the type of encryption used, most browsers will not
> allow the key to live for all that long. I usually run for about 1 hour,
> but ymmv depending on the chosen parameters.
>
>> And using a single server is out of the question?
>>
> the number of concurrent users has very much to say in that regard.
> Maybe an ibm power 5 64 proc or a fully loaded sun e25k - and add an
> ssl accelerator to the mix.
>
>> If we just go with one server.. shouldn't it be something super fast..
>> amd64 1gig ram?
>>
> Super fast / amd 64 with only 1 gig mem? you've got to be kidding - I'm
> pretty sure you couldn't keep even without SSL.
> Doesn't your pr0n streaming business generate enough income to pay for a
> real server? ;)
>
> vh
>
> Mads Toftum
> --
> `Darn it, who spiked my coffee with water?!' - lwall
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead

You're not looking at your problem from the right angle.

10K users... asking for the SAME file. Set up a smallish farm of four or
five machines and use a HTTP Acclerator. (basically a Squid proxy turned
on it's head - the examples exist in the config file for squid .. look at
the http accelerator mode).

Then use an SSL terminating proxy cluster on the frontend .. now you have
0 disk contention since the file will be sent straight from RAM.

What you now need to know is the distribution of connection speeds for
your users. If they're on T3's, you have no choice but to go with GigE.
... Frankly, you're probably looking at some sort of GigE burstable produc=
t
offering anyway.

Ok .. enough's enough .. Your original question has been answered long ag=
o
and you've heard from everyone with additional information and ideas.
We're getting very close to the point of engineering this solution for
you. Either you can take it from here or hire some of us as consultants
to work out the rest of the engineering for you. Free software is one
thing .. free engineering is quite another.

Best~
-d

> Ok, lets assume I can get a network connection with:
> A)10mbit
> B)100mbit
> C)1000mbit
>
> And I will have 10k concurrent downloads (let us throw out 100k for now=
...
> because i can alwasy scale up figures if we get a base).
>
> (The reason I say 10k concurrent is because we have an update system
> (sorta
> like windows update).. and as soon as we tell their computer to update,=
we
> have 10k boxes saying give me the file!)
>
> So my question is..
> What would be the best (given we cannot do blades or the like since we
> have
> to use 'standard' 1u/2u/4u boxes from the dedi center).
> Should we definitly beat the problem with iron and get 5servers doing l=
oad
> balancing? 2servers? If 2servers go with the 1000mbit connection?
>
>
>
> thank you for all of your time and input!
>
> thanks
> Lee
>
>
>
>
>
> ----- Original Message -----
> From: "Mads Toftum"
> To:
> Sent: Monday, September 26, 2005 1:27 PM
> Subject: Re: Mod_ssl and how to reduce overhead
>
>
>> On Mon, Sep 26, 2005 at 11:28:11AM -0400, Pigeon wrote:
>>> Hmm.. 10k -100k are pretty much guaranteed numbers..
>>>
>> That's quite a wide margin. Are we talking concurrent users or just
>> number of people who could be using it over a period of xx?
>>
>>> So my main computer crunching will be done at the beginning? (and to
>>> relive
>>> this I can do session key caching.. how long can I cache a key? is th=
is
>>> 'secure'?) (also.. all transfers will be ~15megs in size)
>>>
>> well, with 15meg files you've got more work to do encrypting the conte=
nt
>> as the session goes along. You can cache the key as long as you want,
>> but depending on the type of encryption used, most browsers will not
>> allow the key to live for all that long. I usually run for about 1 hou=
r,
>> but ymmv depending on the chosen parameters.
>>
>>> And using a single server is out of the question?
>>>
>> the number of concurrent users has very much to say in that regard.
>> Maybe an ibm power 5 64 proc or a fully loaded sun e25k - and add an
>> ssl accelerator to the mix.
>>
>>> If we just go with one server.. shouldn't it be something super fast.=
..
>>> amd64 1gig ram?
>>>
>> Super fast / amd 64 with only 1 gig mem? you've got to be kidding - I'=
m
>> pretty sure you couldn't keep even without SSL.
>> Doesn't your pr0n streaming business generate enough income to pay for=
a
>> real server? ;)
>>
>> vh
>>
>> Mads Toftum
>> --
>> `Darn it, who spiked my coffee with water?!' - lwall
>>
>> ____________________________________________________________ __________
>> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>> User Support Mailing List modssl-users@modssl.org
>> Automated List Manager majordomo@modssl.org
>>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
>


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead

Well, the math is simple

1000mbit/10000 users = 100 kilobit/sec, or 12K per second, or 1200
seconds, 20 minutes per downlaod. Marginally acceptable by todays
standards.

To concurrently process that much data, that many connections, you will
want a load balancer out front.

With the system I'm currently administering, with a dual 3Gig Xeon we can
safely handle about 2000 concurrent connections non SSL, although we have
a rather overweight config. I would expect you need at least two boxes,
and 5 would probably not be overkill.

BTW, do you really need SSL? From a project design perspective, would it
be possible to encrypt the file to be down downloaded (encryption cost
only once)? Then using sendfile you could really have it hum.


Jeffrey Burgoyne

Chief Technology Architect
KCSI Keenuh Consulting Services Inc
burgoyne@keenuh.com

On Mon, 26 Sep 2005, Pigeon wrote:

> Ok, lets assume I can get a network connection with:
> A)10mbit
> B)100mbit
> C)1000mbit
>
> And I will have 10k concurrent downloads (let us throw out 100k for now..
> because i can alwasy scale up figures if we get a base).
>
> (The reason I say 10k concurrent is because we have an update system (sorta
> like windows update).. and as soon as we tell their computer to update, we
> have 10k boxes saying give me the file!)
>
> So my question is..
> What would be the best (given we cannot do blades or the like since we have
> to use 'standard' 1u/2u/4u boxes from the dedi center).
> Should we definitly beat the problem with iron and get 5servers doing load
> balancing? 2servers? If 2servers go with the 1000mbit connection?
>
>
>
> thank you for all of your time and input!
>
> thanks
> Lee
>
>
>
>
>
> ----- Original Message -----
> From: "Mads Toftum"
> To:
> Sent: Monday, September 26, 2005 1:27 PM
> Subject: Re: Mod_ssl and how to reduce overhead
>
>
> > On Mon, Sep 26, 2005 at 11:28:11AM -0400, Pigeon wrote:
> >> Hmm.. 10k -100k are pretty much guaranteed numbers..
> >>
> > That's quite a wide margin. Are we talking concurrent users or just
> > number of people who could be using it over a period of xx?
> >
> >> So my main computer crunching will be done at the beginning? (and to
> >> relive
> >> this I can do session key caching.. how long can I cache a key? is this
> >> 'secure'?) (also.. all transfers will be ~15megs in size)
> >>
> > well, with 15meg files you've got more work to do encrypting the content
> > as the session goes along. You can cache the key as long as you want,
> > but depending on the type of encryption used, most browsers will not
> > allow the key to live for all that long. I usually run for about 1 hour,
> > but ymmv depending on the chosen parameters.
> >
> >> And using a single server is out of the question?
> >>
> > the number of concurrent users has very much to say in that regard.
> > Maybe an ibm power 5 64 proc or a fully loaded sun e25k - and add an
> > ssl accelerator to the mix.
> >
> >> If we just go with one server.. shouldn't it be something super fast..
> >> amd64 1gig ram?
> >>
> > Super fast / amd 64 with only 1 gig mem? you've got to be kidding - I'm
> > pretty sure you couldn't keep even without SSL.
> > Doesn't your pr0n streaming business generate enough income to pay for a
> > real server? ;)
> >
> > vh
> >
> > Mads Toftum
> > --
> > `Darn it, who spiked my coffee with water?!' - lwall
> >
> > ____________________________________________________________ __________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List modssl-users@modssl.org
> > Automated List Manager majordomo@modssl.org
> >
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead

Pigeon wrote:
> Ok, lets assume I can get a network connection with:
> A)10mbit
> B)100mbit
> C)1000mbit
>
> And I will have 10k concurrent downloads (let us throw out 100k for now..
> because i can alwasy scale up figures if we get a base).
>
> (The reason I say 10k concurrent is because we have an update system (sorta
> like windows update).. and as soon as we tell their computer to update, we
> have 10k boxes saying give me the file!)
>
> So my question is..
> What would be the best (given we cannot do blades or the like since we have
> to use 'standard' 1u/2u/4u boxes from the dedi center).
> Should we definitly beat the problem with iron and get 5servers doing load
> balancing? 2servers? If 2servers go with the 1000mbit connection?

The short answer is that you need to benchmark using various
configurations. You have a particularly bad problem, what with
the per-request encryption beating on the CPU's, and the large
file size beating on the network (and putting your servers at
the mercy of the clients).

Pushing all of the solutions downstream like this instead of
coming up with a better front-end is going to cost you. This
all just screams for a more elegant solution than just asking
apache to stick it's finger in the dike.

Good luck.

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead

On 9/26/05, Phil Ehrens wrote:
> Pigeon wrote:
> > (The reason I say 10k concurrent is because we have an update system (s=
orta
> > like windows update).. and as soon as we tell their computer to update,=
we
> > have 10k boxes saying give me the file!)

I think I agree with the guy who said this thread has pretty much been
asked and answered at this point, but I figured I'd just throw in one
more little nugget for you to think about.

It sounds to me from the limited information above that you're causing
your own problem here by instructing 10k-100k clients to update
themselves with some multi-megabyte patch file simultaneously. This
is obviously a huge amount of bandwidth, but it doesn't seem obvious
to me that it would be a huge amount of bandwidth on a 24/7 basis...
rather it would come in bursts _at times specified by you_. This to
me begs for a software engineering effort rather than a
sysadmin/netadmin effort; if you can get the clients to wait some
random length of time after receiving the "update available"
notification prior to requesting the update, your number of concurrent
accesses will drop dramatically. Alternatively, if you have more
control over the server-side code than the client-side code, you could
publish the "update available" notification TO the clients a handful
at a time rather than all at the same time.

Hope this helps, and best of luck...

--Cliff
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Mod_ssl and how to reduce overhead (Thanks!)

Thanks for all the great info!

It definitly gives me a nice footing from which I can start.

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Re:

Dear Cliff,
Thanks for your help.
On 26/09/2005, at 21:22, Cliff Woolley wrote:

> It really does sound like there's something else listening on port
> 443:
>
>
>> "Starting httpd: (98)Address already in use: make_sock: could not
>> bind to address :443
>> no listening sockets available, shutting down"
>>
>
> That's usually what this message means. You said:
>
>
>> Oh, and there isn't anything else listening to port 443:
>> /sbin/fuser -4 -n udp 443
>> gives a null result.
>>
>
> ... except that it's tcp, not udp, that we care about here.

Apologies; tcp gives a null result also. I'm pretty sure nothing but
httpd is
listening there.

>
> As for your httpd.conf, it looks sort of close, although the
> ":443>" block needs to have the SSL
> certificate and key configuration directives as well as some other
> stuff (see the example httpd.conf that comes with mod_ssl), and the
> "" block should NOT contain "SSLEngine on".

The "SSLEngine on" in was an error on my part, in
tidying up the sample I accidentally
pasted a duplicate in the wrong place - it's _not_ in the httpd.conf

However the key information really is missing. So it looks like this
may be a
problem in the fedora httpd configuration tool, because the key
information definitely is
there in the virtual host configuration in the gui, it's just not
getting saved for some reason.
Probably, I have a syntax error somewhere (but even so, the tool
shouldn't fail it silently).
I think this takes it out of modssl, so my next step will be to check
the fedora mailing lists,
and report it as a bug if it hasn't been already. Then I guess I'll
have to take the plunge,
and edit the httpd.conf manually.
>
> Hope this helps,
> --Cliff
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
>

************************************************************ ***********
Bob McKay
521-302, School of Computer Science & Engineering,
College of Engineering, Seoul National University, San 56-1,
Sinlim-dong, Gwanak-gu, Seoul 151-744, Korea

Tel: +82 2 880 9392
email: rim@cse.snu.ac.kr
web: http://sc.snu.ac.kr




____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Re:

> >> "Starting httpd: (98)Address already in use: make_sock: could not
> >> bind to address :443
> >> no listening sockets available, shutting down"
> However the key information really is missing. So it looks like this
> may be a problem in the fedora httpd configuration tool, because the key
> information definitely is
> there in the virtual host configuration in the gui, it's just not
> getting saved for some reason.

Okay... although I don't think we've yet found a good explanation for
why you're getting the message you're getting. Perhaps duplicate
Listen statements?
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Re: Re: httpd configuration problem

Solution (mostly) found. The problem is with a misconfiguration of
the Fecora Core 4
http configuration tool: the tool doesn't know about the split in
configuration files
in core 4 (httpd.conf in /etc/httpd/conf, ssl.conf in /etc/httpd/
conf.d). ssl.conf already
contains a Listen on 443 directive, so the listen on 443 directive
which the configuration
tool creates in httpd.conf is a duplicate, and causes a duplicate
listener problem.

I'll report the bug on bugzilla (my solution is to comment out the
listent directive in ssl.conf,
so I can still use the configuration tool). I'm still left with one
relatively minor problem. Fedora has a nice
Makefile support for creating certificates, including self-signed
certificates, which is what I
need. However there is no provision for creating a chain file, yet
the configuration tool insists
on there being one (it crashes otherwise). I put in a ca-bundle, and
it appears to work, but it's
clearly not the right solution. What should go there? Or is there an
appropriate way to create
my own chain file? Or is the configuration tool just wrong in
insisting on one?

Thanks for any suggestions
Bob McKay

On 29/09/2005, at 21:13, Cliff Woolley wrote:

>>>> "Starting httpd: (98)Address already in use: make_sock: could not
>>>> bind to address :443
>>>> no listening sockets available, shutting down"
>>>>
>> However the key information really is missing. So it looks like this
>> may be a problem in the fedora httpd configuration tool, because
>> the key
>> information definitely is
>> there in the virtual host configuration in the gui, it's just not
>> getting saved for some reason.
>>
>
> Okay... although I don't think we've yet found a good explanation for
> why you're getting the message you're getting. Perhaps duplicate
> Listen statements?
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
>

************************************************************ ***********
Bob McKay
521-302, School of Computer Science & Engineering,
College of Engineering, Seoul National University, San 56-1,
Sinlim-dong, Gwanak-gu, Seoul 151-744, Korea

Tel: +82 2 880 9392
email: rim@cse.snu.ac.kr
web: http://sc.snu.ac.kr




____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Grr.. where is my CA"s Certificate file?

Hello, I am trying to setup apache to use a PKI (I think that is what it is
called)... So each client will have to already have a public key to have
access to my 'secure' apache server. I might hand out 5 of these public
keys, and I want only those users to have access to this server.

My issue is this.. I cannot find my CA's certificate file (so I can tell
ssl.conf about it via SSLCACertificateFile).

I have run CA.pl -newca and then it creates these files:

>>--<<
[root@localhost demoCA]# ls
cacert.pem careq.pem certs crl index.txt index.txt.attr index.txt.old
newcerts private serial
[root@localhost demoCA]# ls -R
..:
cacert.pem careq.pem certs crl index.txt index.txt.attr index.txt.old
newcerts private serial

../certs:

../crl:

../newcerts:
EC895C0D3F2DC916.pem

../private:
cakey.pem
[root@localhost demoCA]#
>>--<<
but now where is the file I tell ssl.conf about via SSLCACertificateFile.


Sorry to bother you'll, but I have been trying to find this out nearly all
day.. without sucess :(

thanks for any input!
Lee
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Is it possible to not force SSL on port:443?

I am helping someone develop a product, and for the next little bit he will
need to access port 443 with out the communication being encrypted (aka he
could telnet to it if he wanted).

But in the very near future, he will want to make 443 encrypted..

Is it possible to not force encryption on port443?


thanks!
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Is it possible to not force SSL on port:443?

On 10/14/05, Pigeon wrote:
> I am helping someone develop a product, and for the next little bit he wi=
ll
> need to access port 443 with out the communication being encrypted (aka h=
e
> could telnet to it if he wanted).
>
> But in the very near future, he will want to make 443 encrypted..
>
> Is it possible to not force encryption on port443?

Sure... you just tell Apache to listen on that port and don't turn the
SSLEngine on. :)

Or are you asking how to make it *optional*? You can do that too --
as long as "SSLRequireSSL" isn't set, it should work.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Is it possible to not force SSL on port:443?

Also, here is my ssl.conf:
---------------------------------
LoadModule ssl_module modules/mod_ssl.so

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

SSLMutex default

SSLCryptoDevice builtin

SSLProtocol +All
SSLCipherSuite HIGH:MEDIUM:+SHA1:+NULL:+aNULL:+eNULL

SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024

SSLProxyEngine off
-----------------------------------

Then I setup my vhost like:


DocumentRoot /var/www/websitename/
ServerName websitename
ErrorLog /var/log/httpd/websitename-ssl-error.log
CustomLog /var/log/httpd/websitename-ssl-access.log common
sslengine on
sslcertificatefile /etc/httpd/ssl/websitename/websitename.crt
sslcertificatekeyfile /etc/httpd/ssl/websitename/websitename.key


Right now I am using sslengine off and doing none encryption over 443, but I
really need to make encryption optional on the same port.

Any ideas?


----- Original Message -----
From: "Cliff Woolley"
To:
Sent: Friday, October 14, 2005 7:36 AM
Subject: Re: Is it possible to not force SSL on port:443?


On 10/14/05, Pigeon wrote:
> I am helping someone develop a product, and for the next little bit he
> will
> need to access port 443 with out the communication being encrypted (aka he
> could telnet to it if he wanted).
>
> But in the very near future, he will want to make 443 encrypted..
>
> Is it possible to not force encryption on port443?

Sure... you just tell Apache to listen on that port and don't turn the
SSLEngine on. :)

Or are you asking how to make it *optional*? You can do that too --
as long as "SSLRequireSSL" isn't set, it should work.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org