reduce handshake overhead in a reverse mod_proxy (SSL front-end + SSL back-end)
We use mod_proxy and mod_ssl in a reverse proxy configuration; traffic
is accepted by the proxy through SSL, and then proxied backwards to
another server over SSL. Unfortunately, for application reasons, we
*must* proxy backwards via SSL, even though the proxy and the
back-end web server are located on the same rack (!)
My question is: are there any ways we can tune our configuration to
reduce SSL handshake overhead when connecting to the back-end web
server? Perhaps constraining the available ciphers to weaker ones
through SSLProxyCipherSuite? (I'm not sure if the SSLProxy*
directives affect the front-end and/or back-end of mod_proxy...) Note
that we don't have a lot of control over the back-end web server
config, so I'm looking for software/config suggestions we can implement on
the proxy side.
thanks,
JB
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org
Re: reduce handshake overhead in a reverse mod_proxy (SSL front-end + SSL back-end)
Hi Georg,
after I emailed the list, I found this info:
http://www.covalent.net/resource/documentation/faststart/2.0.0/userguide/html/sslconfigure.php#1176550
It appears that the Apache/mod_ssl "SSLProxyProtocol" directive lets
you limit the ciphers that the proxy will use (as a client) to the
back-end server. I also found the following research report, which
talks about performance of SSL protocol and various ciphers:
http://www.cs.ucr.edu/~bhuyan/papers/ssl.pdf
I'll continue to work on this and report back to the list if/when I
find something conclusive. In the meantime, if anyone on the mod_ssl
list has further suggestions, I'm all ears :)
thanks
JB
On 10/19/05, Georg Oppenberg <georg.oppenberg [at] deu.*.com> wrote:
> Hi,
>
> by chance I stumbled over the same problem here today. I'm very
> interested in answers you receive. Maybe you can write some sort of
> summary for the mailing list.
[...]
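As an added illustration of the directive split JB is asking about (this is not configuration from the thread; host names, ports and file paths are assumptions): the SSLProxy* directives apply only to the outgoing leg, where mod_ssl acts as an SSL client toward the back end, while the plain SSL* directives and SSLSessionCache govern the front-end leg, where the proxy is the server. SSLProxyProtocol selects protocol versions and SSLProxyCipherSuite selects the cipher list for that back-end leg. Two things follow for the handshake question: the expensive part of a full handshake is the back end's RSA private-key operation, which no cipher choice on the proxy can remove, and suites with plain RSA key exchange (AES128-SHA rather than DHE-RSA-AES128-SHA) at least avoid the extra Diffie-Hellman computation per connection, at the cost of forward secrecy on that hop.

```apache
# Server-config context (outside any VirtualHost): session cache for the
# FRONT-END leg, where the proxy is the SSL server. A resumed front-end
# handshake skips the proxy's RSA private-key operation. This cache does
# nothing for the back-end leg, where the proxy is the client.
SSLSessionCache        shmcb:/var/run/ssl_scache(512000)
SSLSessionCacheTimeout 300

Listen 443
<VirtualHost _default_:443>
    # Assumed host name and certificate paths.
    ServerName proxy.example.com

    # Front-end leg: SSL* directives, not SSLProxy*.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/proxy.crt
    SSLCertificateKeyFile /etc/ssl/proxy.key
    SSLProtocol    all -SSLv2
    SSLCipherSuite HIGH:!aNULL:!MD5

    # Back-end leg: only the SSLProxy* directives apply here. The
    # SSLProtocol/SSLCipherSuite lines above are ignored for it.
    SSLProxyEngine   on
    SSLProxyProtocol all -SSLv2
    # Plain-RSA suites first: avoids the per-connection DH computation.
    # The back end's RSA private-key operation is still paid on every
    # full handshake whatever suite is listed; only session resumption
    # (which the back end must support) removes it.
    SSLProxyCipherSuite AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5
    # mod_ssl does not verify the back end's certificate by default
    # (SSLProxyVerify none). If SSL to the back end is mandatory for
    # application reasons, make it mean something: require a cert
    # chained to the CA that issued the back-end cert (assumed path).
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/ssl/backend-ca.crt

    # Reverse proxy only; never an open forward proxy. Assumed back end.
    ProxyRequests Off
    ProxyPass        / https://backend.example.internal/
    ProxyPassReverse / https://backend.example.internal/
</VirtualHost>
```

Check the syntax with `apachectl configtest`. Whether the back end will resume sessions at all can be checked from the proxy host with `openssl s_client -connect backend.example.internal:443 -reconnect`, which reconnects five times with the same session and reports `Reused` or `New` for each; if every attempt is `New`, the back end has no usable session cache and each proxied request pays a full handshake regardless of what the proxy offers. Without the three SSLProxyVerify/SSLProxyCACertificateFile lines the proxy completes a handshake with whatever certificate the back end (or anything answering on that address) presents.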
Re: reduce handshake overhead in a reverse mod_proxy (SSL front-end + SSL back-end)
You could possibly use stunnel to set up a persistent
ssl connection. Connecting up to a local port with
just http (only listen on localhost). I believe the
sessions are reused with stunnel. It's extra config
but quick to set up.
Regards
Matt
--- Jeff Ambrosino <jbambrosino [at] gmail.com> wrote:
> [...]
Re: reduce handshake overhead in a reverse mod_proxy (SSL front-end + SSL back-end)
Interesting idea... but that would require HTTP keepalive support by
the back-end, right? (unfortunately keepalive isn't supported by our
back-end www server...)
JB
On 10/20/05, Matt Stevenson <mavricknzwork [at] yahoo.com> wrote:
> You could possibly use stunnel to set up a persistent
> ssl connection. Connecting up to a local port with
> just http (only listen on localhost). I believe the
> sessions are reused with stunnel. It's extra config
> but quick to set up.
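Matt's stunnel variant, as an added example of the Apache side only (not configuration from the thread; the stunnel service is assumed to run on the proxy host with `client = yes`, `accept = 127.0.0.1:8444` and `connect = backend.example.internal:443`, and all host names and ports are assumptions). Apache proxies plain HTTP to the loopback listener and stunnel takes over the SSL client leg. On JB's question: this does not depend on keepalive at the back end. If the back end closes after every response, stunnel still opens a fresh TCP and SSL connection per proxied request, so it is not a single persistent connection; what it is meant to save is the full handshake, because stunnel's client side keeps the SSL session and offers it again (as Matt expects), and a resumed handshake skips the back end's RSA private-key operation. That saving only materialises if the back end's session cache accepts the resumption, which is worth checking with `openssl s_client -reconnect` before adding the extra moving part.

```apache
# Proxy-side vhost for the stunnel variant. The front-end leg is
# unchanged; the back-end leg is plain HTTP to a loopback port that an
# assumed stunnel service (client = yes) forwards as SSL to the back end.
<VirtualHost _default_:443>
    # Assumed host name and certificate paths.
    ServerName proxy.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/proxy.crt
    SSLCertificateKeyFile /etc/ssl/proxy.key

    # No SSLProxyEngine here: mod_ssl is out of the back-end leg, and
    # the SSLProxy* directives have no effect on an http:// target.
    ProxyRequests Off
    ProxyPass        / http://127.0.0.1:8444/
    # Rewrite Location/Content-Location headers for both forms the back
    # end may emit: the loopback URL and its own https:// name.
    ProxyPassReverse / http://127.0.0.1:8444/
    ProxyPassReverse / https://backend.example.internal/
    # Pass the client's Host header through so the back end sees
    # proxy.example.com rather than 127.0.0.1:8444.
    ProxyPreserveHost On
</VirtualHost>
```

The hop between Apache and stunnel is cleartext on the loopback interface, so the stunnel `accept` address must be 127.0.0.1 (as Matt notes) and anything with local access to the proxy host can reach that port; on a shared box that is a wider exposure than the direct SSLProxy* configuration, where no plaintext HTTP ever leaves the Apache process.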