reduce handshake overhead in a reverse mod_proxy (SSL front-end + SSL back-end)

on 19.10.2005 21:54:52 by Jeff Ambrosino

We use mod_proxy and mod_ssl in a reverse proxy configuration; traffic
is accepted by the proxy through SSL, and then proxied backwards to
another server over SSL. Unfortunately, for application reasons, we
*must* proxy backwards via SSL, even though the proxy and the
back-end web server are located on the same rack (!)

My question is: are there any ways we can tune our configuration to
reduce SSL handshake overhead when connecting to the back-end web
server? Perhaps constraining the available ciphers to weaker ones
through SSLProxyCipherSuite? (I'm not sure if the SSLProxy*
directives affect the front-end and/or back-end of mod_proxy...) Note
that we don't have a lot of control over the back-end web server
config, so I'm looking for software/config suggestions we can implement on
the proxy side.

thanks,
JB
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: reduce handshake overhead in a reverse mod_proxy (SSL front-end + SSL back-end)

on 19.10.2005 23:32:19 by Jeff Ambrosino

Hi Georg,

after I emailed the list, I found this info:

http://www.covalent.net/resource/documentation/faststart/2.0.0/userguide/html/sslconfigure.php#1176550

It appears that the Apache/mod_ssl "SSLProxyProtocol" directive lets
you limit the ciphers that the proxy will use (as a client) to the
back-end server. I also found the following research report, which
talks about performance of SSL protocol and various ciphers:

http://www.cs.ucr.edu/~bhuyan/papers/ssl.pdf

I'll continue to work on this and report back to the list if/when I
find something conclusive. In the meantime, if anyone on the mod_ssl
list has further suggestions, I'm all ears :)

thanks
JB


On 10/19/05, Georg Oppenberg wrote:
> Hi,
>
> by chance I stumbled over the same problem here today. I'm very
> interested in answers you receive. Maybe you can write some sort of
> summary for the mailing list.
[...]
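
An added configuration example, not from the thread, showing which leg of mod_proxy each directive family governs: SSLEngine, SSLProtocol and SSLCipherSuite shape the front-end listener, while SSLProxyEngine, SSLProxyProtocol (protocol versions) and SSLProxyCipherSuite (cipher suites) shape the proxy's own client connection to the back-end. It keeps strong suites on the back-end leg because a full handshake is dominated by the asymmetric key exchange, not the bulk cipher, so a weaker cipher list saves little there. Directive names are Apache 2.4's; hostnames, certificate paths and the CA file are placeholders.

```apache
# Added example, not from the thread. Server-wide session cache so returning
# front-end clients can resume a session instead of repeating a full handshake.
SSLSessionCache        shmcb:/var/run/ssl_scache(512000)
SSLSessionCacheTimeout 300

<VirtualHost *:443>
    ServerName proxy.example.test

    # Front-end leg (browser -> proxy): plain SSL* directives
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/proxy.crt
    SSLCertificateKeyFile /etc/ssl/private/proxy.key
    SSLProtocol    all -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5

    # Back-end leg (proxy -> origin over TLS): SSLProxy* directives
    SSLProxyEngine on
    SSLProxyProtocol    all -SSLv3
    # Strong suites kept: the bulk cipher is not what makes a handshake slow
    SSLProxyCipherSuite HIGH:!aNULL:!MD5
    # Authenticate the origin. Dropping verification saves nothing on the
    # handshake and leaves the proxied leg open to impersonation.
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/ssl/certs/backend-ca.crt
    # Apache 2.4.5+ directive (assumed available): match the back-end
    # certificate's name against the ProxyPass target host
    SSLProxyCheckPeerName     on

    ProxyPass        / https://backend.example.test/
    ProxyPassReverse / https://backend.example.test/
</VirtualHost>
```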

Re: reduce handshake overhead in a reverse mod_proxy (SSL front-end + SSL back-end)

on 20.10.2005 17:30:16 by Matt Stevenson

You could possibly use stunnel to set up a persistent
ssl connection. Connecting up to a local port with
just http (only listen on localhost). I believe the
sessions are reused with stunnel. It's extra config
but quick to set up.

Regards
Matt

--- Jeff Ambrosino wrote:

> Hi Georg,
>
> after I emailed the list, I found this info:
>
> http://www.covalent.net/resource/documentation/faststart/2.0.0/userguide/html/sslconfigure.php#1176550
>
> It appears that the Apache/mod_ssl "SSLProxyProtocol" directive lets
> you limit the ciphers that the proxy will use (as a client) to the
> back-end server. I also found the following research report, which
> talks about performance of SSL protocol and various ciphers:
>
> http://www.cs.ucr.edu/~bhuyan/papers/ssl.pdf
>
> I'll continue to work on this and report back to the list if/when I
> find something conclusive. In the meantime, if anyone on the mod_ssl
> list has further suggestions, I'm all ears :)
>
> thanks
> JB
>
>
> On 10/19/05, Georg Oppenberg wrote:
> > Hi,
> >
> > by chance I stumbled over the same problem here today. I'm very
> > interested in answers you receive. Maybe you can write some sort of
> > summary for the mailing list.
> [...]
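
The stunnel arrangement Matt describes, as an added example that is not from the thread or the stunnel project: stunnel runs in client mode on the proxy host, listens for plain HTTP on loopback only, and carries each accepted connection to the back-end over TLS. Because the TLS session cache is on stunnel's client side, every new TCP connection from mod_proxy still gets an abbreviated (resumed) handshake, so the saving does not depend on HTTP keep-alive at the back-end; the cost is that the loopback leg is cleartext and the tunnel is only as trustworthy as its certificate verification. Option names follow stunnel 4.x (sessionCacheSize and sessionCacheTimeout are assumed to be available in the installed version); hostnames, ports, users and paths are placeholders.

```ini
; Added example, not from the thread. Global options for stunnel on the proxy host.
; Run unprivileged once the listener is bound.
setuid = stunnel
setgid = stunnel
; Verify the back-end's certificate chain against our CA bundle. Without
; this the tunnel encrypts but does not authenticate the back-end.
verify = 2
CAfile = /etc/stunnel/backend-ca.pem

[backend-https]
client  = yes
; Plain HTTP accepted on loopback only; never bind 0.0.0.0 here, since
; anything reaching this port rides the tunnel unencrypted and unauthenticated.
accept  = 127.0.0.1:8080
; The real back-end TLS listener
connect = backend.example.test:443
; Client-side session cache: a fresh TCP connection per request (no
; keep-alive) still resumes the cached session instead of a full handshake.
sessionCacheSize    = 1000
sessionCacheTimeout = 300

; mod_proxy then targets the tunnel instead of the back-end directly:
;   ProxyPass        / http://127.0.0.1:8080/
;   ProxyPassReverse / http://127.0.0.1:8080/
```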

Re: reduce handshake overhead in a reverse mod_proxy (SSL front-end + SSL back-end)

on 21.10.2005 00:08:00 by Jeff Ambrosino

Interesting idea... but that would require HTTP keepalive support by
the back-end, right? (unfortunately keepalive isn't supported by our
back-end www server...)

JB

On 10/20/05, Matt Stevenson wrote:
> You could possibly use stunnel to set up a persistent
> ssl connection. Connecting up to a local port with
> just http (only listen on localhost). I believe the
> sessions are reused with stunnel. It's extra config
> but quick to setup.