Posted to bugs@httpd.apache.org by bu...@apache.org on 2007/08/29 14:44:20 UTC

DO NOT REPLY [Bug 43238] New: - No KeepAlive for Reverse proxy to HTTPS - very poor performance

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43238>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43238

           Summary: No KeepAlive for Reverse proxy to HTTPS - very poor
                    performance
           Product: Apache httpd-2
           Version: 2.2.4
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_proxy
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: yair.lenga@citi.com


I'm using Apache as a reverse proxy. The requests contain important information
that cannot be passed in clear text between machines. I tried to connect to the
backend server using https.

<VirtualHost _default_:443>

SSLProxyEngine on
ProxyPass /proxy-s/ https://realserver/app/ max=5
</VirtualHost>

We benchmarked the performance, and found noticeable slowness on the proxy-s
path, compared with accessing the "realserver" app over HTTPS. The delay is ~0.1
seconds/request. It turned out that regardless of any setting, Apache does not
use KeepAlive connections to connect to https backends. Each request requires an
HTTPS connection setup.

When using HTTP to connect to the real server, the cost of running the requests
through the proxy was < 0.01 second/request, and significantly less with
Keep-Alive & connection pooling.

For my application, direct https connection (with Keep-Alive) takes ~1.5
seconds/per 100 requests (including ~0.1 seconds for the initial SSL setup). The
10 seconds delay (0.1*100) prevents high-load applications from using Apache, if
the proxied connection must be secured.

The code in mod_proxy_http.c (2.2.4) states:

    /*
     * TODO: Currently we cannot handle persistent SSL backend connections,
     * because we recreate backend->connection for each request and thus
     * try to initialize an already existing SSL connection. This does
     * not work.
     */
    if (is_ssl)
        backend->close_on_recycle = 1;


IS IT POSSIBLE TO REMOVE THIS LIMIT?

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
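
One way to confirm from the backend side whether the proxy is reusing its TLS connections or opening a new one per request, as the report describes. This is an added example, not part of the bug report or of httpd's code; the log layout, the proxy address 10.0.0.5 and the sample lines are constructed assumptions, and the 0.1 s handshake figure is the one quoted in the report.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed backend access-log layout:
#   client-ip  client-source-port  "request line"  status
# (on an Apache backend: LogFormat "%h %{remote}p \"%r\" %>s")
NO_REUSE_LOG = """\
10.0.0.5 41002 "GET /app/a HTTP/1.1" 200
10.0.0.5 41003 "GET /app/b HTTP/1.1" 200
10.0.0.5 41004 "GET /app/c HTTP/1.1" 200
10.0.0.5 41005 "GET /app/d HTTP/1.1" 200
"""
REUSE_LOG = """\
10.0.0.5 41002 "GET /app/a HTTP/1.1" 200
10.0.0.5 41002 "GET /app/b HTTP/1.1" 200
10.0.0.5 41003 "GET /app/c HTTP/1.1" 200
10.0.0.5 41002 "GET /app/d HTTP/1.1" 200
"""

LINE = re.compile(r'^(\S+) (\d+) "([^"]*)" (\d{3})$')


def connection_reuse(log_text, proxy_ip):
    """Return (requests, connections, requests per connection) for proxy_ip.

    Each distinct source port is counted as one TCP/TLS connection. Over a
    long window the OS may recycle a port, so analyse short slices of the log.
    """
    per_conn = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(1) != proxy_ip:
            continue  # skip malformed lines and other clients
        per_conn[int(m.group(2))] += 1
    requests = sum(per_conn.values())
    conns = len(per_conn)
    return requests, conns, (requests / conns if conns else 0.0)


def handshake_overhead(connections, handshake_seconds=0.1):
    """Estimated time spent on TLS setup: one handshake per connection."""
    return connections * handshake_seconds


if __name__ == "__main__":
    for name, log in (("no reuse", NO_REUSE_LOG), ("reuse", REUSE_LOG)):
        reqs, conns, ratio = connection_reuse(log, "10.0.0.5")
        print(f"{name}: {reqs} requests over {conns} connections "
              f"({ratio:.1f} req/conn, ~{handshake_overhead(conns):.1f}s TLS setup)")
```

A ratio of 1.0 request per connection from the proxy's address is the behaviour described in this bug; a ratio well above 1 indicates that backend keep-alive is in effect.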


DO NOT REPLY [Bug 43238] - No KeepAlive for Reverse proxy to HTTPS - very poor performance

Posted by bu...@apache.org.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43238


yair.lenga@citi.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|DUPLICATE                   |




------- Additional Comments From yair.lenga@citi.com  2008-01-09 06:04 -------
Can you review the status of this bug? I believe 30602 applies to keep-alive
for http connections (which have been resolved). The current bug applies to
https (http+SSL) connections, for which no keep-alive is supported.

I checked the code for 2.2.6, and the limit is still coded in mod_proxy_http.c

Yair



[Bug 43238] No KeepAlive for Reverse proxy to HTTPS - very poor performance

Posted by bu...@apache.org.
http://issues.apache.org/bugzilla/show_bug.cgi?id=43238





--- Comment #4 from Jim Jagielski <ji...@apache.org>  2008-02-27 13:28:10 ---
This is likely to be proposed for backport for 2.2.9




DO NOT REPLY [Bug 43238] - No KeepAlive for Reverse proxy to HTTPS - very poor performance

Posted by bu...@apache.org.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43238


asmorgrav@yahoo.no changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE




------- Additional Comments From asmorgrav@yahoo.no  2008-01-09 00:08 -------


*** This bug has been marked as a duplicate of 38602 ***



DO NOT REPLY [Bug 43238] - No KeepAlive for Reverse proxy to HTTPS - very poor performance

Posted by bu...@apache.org.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43238





------- Additional Comments From rpluem@apache.org  2008-01-09 11:54 -------
It can do SSL keepalives to backend in trunk. But this code needs to settle a
bit until backported to the 2.2.x branch.
