httpd-users mailing list archives

From MARTYR Jean-Bernard <>
Subject [users@httpd] Reverse proxy and HTTP/1.1
Date Thu, 05 Aug 2004 07:34:54 GMT

I posted the following message last week with no reaction. Is there
anybody who could provide help or advice?


I'm currently experiencing a problem for which I'm really hoping apache2 is
the solution.

Context:
End users access a web site hosted on IIS 5.0 on a win2K platform using a
Netscape 4.06 or 4.78 browser.
The web site is accessed in SSL v3 (client & server certificate).
The normal way of accessing the site is through a transparent proxy
(Netscape Proxy 3.6).
End users are on a private Extranet. Proxy on the nearest DMZ and web
server on another DMZ behind the proxy.
IIS 5.1 is configured to use keep-alive.
Too many users to migrate to IE (almost 70000).

Issue:
It appears that Netscape browser 4.x does not implement the Proxy
Keepalive standard correctly, so if a user wants to access the site (as he
should) via the proxy (through a CONNECT method) he gets as many TCP sessions
as the number of objects on the HTML page to download it. You can imagine the
poor performance of the result, since it's not only the "normal" TCP
handshake but also the SSL handshake each time.

Various performance results:
I've tried a couple of things to measure and isolate the problem: my
application home page consists of 44 objects.

* IE 6 vs NS through proxy: I'm counting the number of network packets
exchanged and the number of TCP sessions.
IE = 360 to 380 packets and 5 TCP sessions to retrieve the page
NS = 930 to 1000 packets and 45 TCP sessions

=> So my understanding is clearly the lack of support for proxy keep-alive
in Netscape.

* IE 6 vs NS direct access to the web server:
both NS and IE 6 = 260 to 290 packets and 5 TCP sessions to retrieve the

=> keep-alive is OK in both cases.

I was also suspecting a possible Nagle problem with the win 2K platform,
so I've set up a win 2K3 server in the same condition because Nagling is
basically disabled there, but the results were the same.

Expected solution:
Since the Netscape browser seems to implement the simple HTTP 1.1
keep-alive protocol correctly, my idea is to use apache as a reverse proxy
facing the browser and acting as an HTTP client to the IIS web server. So no
proxy would be needed to connect the NS browser to the apache web server
(keep-alive should then work), and basically apache is a correct HTTP/1.1
client.
Since the client certificate is also used to identify the UID of the users
in the application, I'm also implementing the RequestHeader function of
apache2 mod_headers to pass it to the server.

Why I need help:
Apache2 is compiled on solaris 2.6 with these options:
--enable-cache --enable-mime-magic --enable-expires --enable-headers --enable-proxy --enable-proxy-connect --enable-proxy-http --enable-ssl --enable-static-rotatelogs --enable-http --enable-rewrite --enable-so --enable-cgi

My concern is that when using this configuration of apache and accessing it
directly (no proxy) from NS, I'm still having exactly the same performance as
with a forwarding proxy. I've also snooped, on the reverse-proxy server, the
network dialog between apache and IIS, and it's the exact reflection of the
NS-to-apache dialog. My understanding is really that a reverse proxy should
dissociate the browser-to-reverse-proxy dialog from the reverse-proxy-to-web
server dialog, and it really does not seem to be the case.
Am I making wrong assumptions there?
Is there a misconfiguration here?

I've already spent a lot of time on this issue and would be very happy if
anybody could bring some help.

Thanks to all in advance.



My apache reverse conf:


AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache        shmht:/usr/local/apache2/logs/ssl_scache(512000)
SSLSessionCacheTimeout  300

CacheIgnoreCacheControl On
CacheIgnoreNoLastMod Off
CacheMaxExpire 15

SSLMutex  file:/usr/local/apache2/logs/ssl_mutex

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost _Locpro_>

SSLEngine on
SSLProxyEngine on



SSLVerifyClient require
SSLVerifyDepth 2

SSLOptions +ExportCertData +CompatEnvVars +StdEnvVars

#SetEnvIf User-Agent ".*MSIE.*" \
#         nokeepalive ssl-unclean-shutdown \
#         downgrade-1.0 force-response-1.0
SetEnv proxy-keepalive On
SetEnv keepalive On

CustomLog /usr/local/apache2/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_S_DN}x \"%r\""
CustomLog /usr/local/apache2/logs/ssl_log common

  # Enable the URL rewriting engine
  RewriteEngine        on
  RewriteLogLevel      1
  LogLevel             warn
  RewriteLog           logs/
  ErrorLog             logs/

  # make sure the status page is handled locally
  # and make sure no one uses our proxy except ourself
  RewriteRule    ^/apache-rproxy-status.*  -  [F]
  RewriteRule    ^(http|ftp)://.*          -  [F]
  RewriteRule    \.htr($|.*) / [F]
  RewriteRule    \.idc($|.*) / [F]
  RewriteRule    etc/passwd / [F]
  RewriteRule    etc/shadow / [F]
  RewriteRule    /\./ / [F]
  RewriteRule    /\.\./ / [F]
  RewriteRule    (administrators.pwd)|(authors.pwd)|(users.pwd)|(service.pwd) / [F]
  RewriteRule    (root.exe?)|(cmd.exe?)|(default.ida?) / [F]
  RewriteRule    msadcs.dll / [F]

  RequestHeader set CERT-SUBJECT %{SSL_CLIENT_S_DN}e

  RewriteRule    ^/Locpro(.*)$                  to://my.iis.server/Locpro$1
  RewriteRule    ^to://([^/]+)/Locpro(.*)       http://$1/Locpro$2      [P]

  RewriteRule    .*                    -              [F]
  ProxyRequests        Off

# end of the reverse-proxy vhost
</VirtualHost>



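To tell which hop is dropping keep-alive (browser to apache, or apache to IIS), the probe below, added for this archive page and not part of the original post, sends several HTTP/1.1 requests over one TCP connection and counts how many are answered before the peer closes it. The two local handler classes are constructed stand-ins for a persistent server and for a server that closes after every object, so the probe can be run offline; host, port and path are assumed arguments.

```python
import re, socket, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Added keep-alive probe (not from the original post): send several HTTP/1.1 requests
# over ONE TCP connection and count the responses received before the peer closes it.
def recv_response(sock):
    """Read one response (headers + Content-Length body); None if the peer closed."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return None
        buf += chunk
    head, body = buf.split(b"\r\n\r\n", 1)
    m = re.search(rb"(?im)^content-length:\s*(\d+)", head)
    while len(body) < (int(m.group(1)) if m else 0):  # drain the body before the next request
        chunk = sock.recv(4096)
        if not chunk:
            return None
        body += chunk
    return head.decode()

def probe_keepalive(host, port, path="/", attempts=3):
    """Return how many of `attempts` requests were answered on a single connection."""
    answered = 0
    with socket.create_connection((host, port), timeout=3) as s:
        for _ in range(attempts):
            try:
                s.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode())
                if recv_response(s) is None:
                    break
            except OSError:  # RST from a peer that has already closed
                break
            answered += 1
    return answered
# Constructed local servers so the probe can be exercised offline.
class KeepAliveHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # persistent connections honoured
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

class OneShotHandler(KeepAliveHandler):
    protocol_version = "HTTP/1.0"  # closes after each response: one TCP session per object
def start_server(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Run probe_keepalive from the reverse-proxy host against the backend's address to measure the apache-to-IIS leg on its own, and from a client against the reverse proxy to measure the browser-facing leg; a result of 1 on a hop means every object costs a fresh TCP (and, over SSL, a fresh handshake) session.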
