Posted to users@httpd.apache.org by Mike -- EMAIL IGNORED <m_...@yahoo.com> on 2009/08/07 17:27:35 UTC

[users@httpd] Re: Need some SSL help please.

On Fri, 07 Aug 2009 08:40:55 -0400, Josh Gooding wrote:

> Thanks for the reply Krist,
> 
> Let me give you a little background on what I did (and still doing).  I
> created a video training software that is now internet based.  Nothing
> inside of the training needs to be across HTTPS, except the login page.
> Clients said they would "like" to see it done.  Which is where I am at
> right now.  I always thought that HTTPS is noticeably slower than
> regular HTTP, which is why I would not want HTTPS on the entire site,
> since video and graphics tend to be more bandwidth and CPU intensive.
> 
> In essence I am trying to keep the lag to as little as possible and only
> encrypt what needs to be encrypted.
> 
> - Josh
> 
[...]

Please read my recent thread "excessive DNS slows httpd".
The bottom line: I recently introduced SSL to part of my
web site, and it slowed considerably.  Using iptables
(on a Linux system), I blocked all DNS, and speed of
response is better than ever, 8 meg photo files
notwithstanding.

Additionally, I thought sign-in is encrypted even when
SSL is not in use.  Is this not true?

Mike.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: Need some SSL help please.

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 07.08.09 15:27, Mike -- EMAIL IGNORED wrote:
> Please read my recent thread "excessive DNS slows httpd".
> The bottom line: I recently introduced SSL to part of my
> web site, and it slowed considerably.  Using iptables
> (on a Linux system), I blocked all DNS, and speed of
> response is better than ever, 8 meg photo files
> notwithstanding.

It would be much better to configure apache/applications not to use DNS than
to block it. Also, it highly depends on type of blocking - using DROP rules
will cause apps to run even slower if any part of DNS works...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of. 
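
What configuring Apache not to use DNS can look like, as an added example that is not part of the original message. It uses Apache 2.2 syntax to match the date of the thread; the directory path, log format nickname and address range are assumptions.

```apache
# Added example, not from the thread. Hypothetical values: the directory
# path, the "common_ip" nickname and the 192.0.2.0/24 range.

# No reverse lookup of the client address for logging or REMOTE_HOST.
HostnameLookups Off

# %a writes the client IP address. %h would write a host name whenever
# one has been resolved for the request.
LogFormat "%a %l %u %t \"%r\" %>s %b" common_ip
CustomLog logs/access_log common_ip

<Directory "/var/www/example/private">
    Order deny,allow
    Deny from all

    # A host name in an access rule makes httpd perform a double-reverse
    # DNS lookup on each request it evaluates, even with HostnameLookups Off:
    #   Allow from .example.com

    # An address range is checked without any DNS query:
    Allow from 192.0.2.0/24
</Directory>

# Apache 2.4 equivalents: "Require ip 192.0.2.0/24" needs no DNS,
# "Require host example.com" does.
```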



Re: [users@httpd] Re: Need some SSL help please.

Posted by Josh Gooding <jo...@gmail.com>.
I had an idea... what about putting the domain in the configuration file and
doing a "hard" redirect upon proper authentication?  Would this be
feasible?  Doable in httpd?

On Fri, Aug 7, 2009 at 2:08 PM, Josh Gooding <jo...@gmail.com> wrote:

> No, my understanding is logins weren't encrypted unless SSL was used.
>
> Scott, I'm not a sysadmin, but does win2k3 server have something like
> iptables?  That MIGHT be a little more helpful, I'll have to research it
> more, however, I still need to figure out how to drop SSL after the login
> screen.  Let me do some more digging around the internet.
>
> The login password is encrypted with MD5 before checking the DB and stored
> in the DB as an MD5 hash, so with that being said, is SSL even necessary on
> the login to the software?
>
> Thank you again for all the responses and advice.  It is highly
> appreciated.
>
> - Josh
>
>
> On Fri, Aug 7, 2009 at 11:27 AM, Mike -- EMAIL IGNORED <
> m_d_berger_1900@yahoo.com> wrote:
>
>> On Fri, 07 Aug 2009 08:40:55 -0400, Josh Gooding wrote:
>>
>> > Thanks for the reply Krist,
>> >
>> > Let me give you a little background on what I did (and still doing).  I
>> > created a video training software that is now internet based.  Nothing
>> > inside of the training needs to be across HTTPS, except the login page.
>> > Clients said they would "like" to see it done.  Which is where I am at
>> > right now.  I always thought that HTTPS is noticeably slower than
>> > regular HTTP, which is why I would not want HTTPS on the entire site,
>> > since video and graphics tend to be more bandwidth and CPU intensive.
>> >
>> > In essence I am trying to keep the lag to as little as possible and only
>> > encrypt what needs to be encrypted.
>> >
>> > - Josh
>> >
>> [...]
>>
>> Please read my recent thread "excessive DNS slows httpd".
>> The bottom line: I recently introduced SSL to part of my
>> web site, and it slowed considerably.  Using iptables
>> (on a Linux system), I blocked all DNS, and speed of
>> response is better than ever, 8 meg photo files
>> notwithstanding.
>>
>> Additionally, I thought sign-in is encrypted even when
>> SSL is not in use.  Is this not true?
>>
>> Mike.
>>
>>
>

[users@httpd] Re: Need some SSL help please.

Posted by Mike -- EMAIL IGNORED <m_...@yahoo.com>.
On Tue, 11 Aug 2009 07:50:17 +0200, Krist van Besien wrote:

> On Sat, Aug 8, 2009 at 4:19 AM, Mike -- EMAIL
> IGNORED<m_...@yahoo.com> wrote:
> 
>> One additional but important point.  When things slowed substantially
>> after adding SSL to part of my tree, everything slowed, even the parts
>> that were not doing SSL at all.  Again, the slowness was caused by the
>> DNS, not the encryption.  This was verified with WireShark.
> 
> Enabling SSL in itself should not lead to increased DNS traffic from
> Apache. You might have made other changes that caused Apache to do name
> lookups.
> 
> Krist
> 
[...]

Unfortunately, I did make numerous changes.  While I do not
see that they should increase DNS, I could easily be
missing something.  See my new suggestion I am about to post.

Mike.




Re: [users@httpd] Re: Need some SSL help please.

Posted by Krist van Besien <kr...@gmail.com>.
On Sat, Aug 8, 2009 at 4:19 AM, Mike -- EMAIL
IGNORED<m_...@yahoo.com> wrote:

> One additional but important point.  When things slowed substantially
> after adding SSL to part of my tree, everything slowed, even the parts
> that were not doing SSL at all.  Again, the slowness was caused by the
> DNS, not the encryption.  This was verified with WireShark.

Enabling SSL in itself should not lead to increased DNS traffic from
Apache. You might have made other changes that caused Apache to do
name lookups.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



[users@httpd] Re: Need some SSL help please.

Posted by Mike -- EMAIL IGNORED <m_...@yahoo.com>.
On Sat, 08 Aug 2009 01:59:34 +0000, Mike -- EMAIL IGNORED wrote:

> On Fri, 07 Aug 2009 20:46:35 -0400, Josh Gooding wrote:
> 
>> Mike,
>> 
>> If it was up to me, I wouldn't use a Windows based server either,
>> however, what the client bought is what I had to use.  KWIM? I can't
>> block DNS on this server due to it having a .com tied to it. I looked
>> this afternoon and no dice.  I can look into it more in depth on the
>> httpd site.  What a perplexing thing I'm trying to do.
>> 
>> - Josh
>> 
> [...]
> 
> I think the Rewrite example I gave is like:
>     Require valid-user
> 
> I still do not see the way but note:
>    1.  I think it is possible to construct a directory tree where
>        the root uses SSL but the others do not.
>    2.  Maybe non-SSL directories can be made to reject if there
>        is no valid user, but not with a login request.
>    3.  The root directory would respond with the normal login.
> This is how I would start. It places a restriction on the user to first
> access the root directory.
> 
> FWIW, this is all I can think of now.  It might require the use of
> environment variables. (See Apache "Access Control").
> 
> This is an interesting problem but after this post, I go on travel and
> will have little or no Internet access for a week. I will look back when
> I return, hoping to see what was finally done.
> 
> Mike.
> 

One additional but important point.  When things slowed substantially
after adding SSL to part of my tree, everything slowed, even the parts
that were not doing SSL at all.  Again, the slowness was caused by the
DNS, not the encryption.  This was verified with WireShark.

Long ago I learned that it is often cheaper to buy another piece
of hardware, than to solve a subtle problem with software.  In
this case, a Linux box wherein you could easily block DNS is probably
the cheapest and most user-friendly solution.

Bedtime at -0400.

HTH.
Mike.




[users@httpd] Re: Need some SSL help please.

Posted by Mike -- EMAIL IGNORED <m_...@yahoo.com>.
On Fri, 07 Aug 2009 20:46:35 -0400, Josh Gooding wrote:

> Mike,
> 
> If it was up to me, I wouldn't use a Windows based server either,
> however, what the client bought is what I had to use.  KWIM? I can't
> block DNS on this server due to it having a .com tied to it. I looked
> this afternoon and no dice.  I can look into it more in depth on the
> httpd site.  What a perplexing thing I'm trying to do.
> 
> - Josh
> 
[...]

I think the Rewrite example I gave is like:
    Require valid-user

I still do not see the way but note:
   1.  I think it is possible to construct a directory tree where
       the root uses SSL but the others do not.
   2.  Maybe non-SSL directories can be made to reject if there
       is no valid user, but not with a login request.
   3.  The root directory would respond with the normal login.
This is how I would start. It places a restriction on the user to
first access the root directory.

FWIW, this is all I can think of now.  It might require the use of
environment variables. (See Apache "Access Control").

This is an interesting problem but after this post, I go on
travel and will have little or no Internet access for a week.
I will look back when I return, hoping to see what was finally
done.

Mike.




Re: [users@httpd] Re: Need some SSL help please.

Posted by Josh Gooding <jo...@gmail.com>.
Mike,

If it was up to me, I wouldn't use a Windows based server either, however,
what the client bought is what I had to use.  KWIM?
I can't block DNS on this server due to it having a .com tied to it. I
looked this afternoon and no dice.  I can look into it more in depth on the
httpd site.  What a perplexing thing I'm trying to do.

- Josh


On Fri, Aug 7, 2009 at 5:47 PM, Mike -- EMAIL IGNORED <
m_d_berger_1900@yahoo.com> wrote:

> On Fri, 07 Aug 2009 14:08:27 -0400, Josh Gooding wrote:
>
> > No, my understanding is logins weren't encrypted unless SSL was used.
> >
> > Scott, I'm not a sysadmin, but does win2k3 server have something like
> > iptables?  That MIGHT be a little more helpful, I'll have to research it
> > more, however, I still need to figure out how to drop SSL after the
> > login screen.  Let me do some more digging around the internet.
> >
> > The login password is encrypted with MD5 before checking the DB and
> > stored in the DB as an MD5 hash, so with that being said, is SSL even
> > necessary on the login to the software?
> >
> > Thank you again for all the responses and advice.  It is highly
> > appreciated.
> >
> > - Josh
> >
> [...]
>
> I'm not sure I would block DNS on a Windows system, certainly
> if it is doing anything else but being a server.  But then
> I would not use a Windows system for a server.
>
> I suspect that what you want to do can be accomplished
> with mod_ssl, mod_rewrite, <Directory> and <VirtualHost>.
> I don't see my way right to it, but, for example,
>   RewriteCond %{REMOTE_USER} !^.+$
>   RewriteRule ^.*$ - [F]
> or some such thing properly placed might be useful.
>
> Detailed tutorials for these capabilities can be found on
> the Apache web site.  Some study would be required.
>
> HTH.
> Mike.
>
>

[users@httpd] Re: Need some SSL help please.

Posted by Mike -- EMAIL IGNORED <m_...@yahoo.com>.
On Fri, 07 Aug 2009 14:08:27 -0400, Josh Gooding wrote:

> No, my understanding is logins weren't encrypted unless SSL was used.
> 
> Scott, I'm not a sysadmin, but does win2k3 server have something like
> iptables?  That MIGHT be a little more helpful, I'll have to research it
> more, however, I still need to figure out how to drop SSL after the
> login screen.  Let me do some more digging around the internet.
> 
> The login password is encrypted with MD5 before checking the DB and
> stored in the DB as an MD5 hash, so with that being said, is SSL even
> necessary on the login to the software?
> 
> Thank you again for all the responses and advice.  It is highly
> appreciated.
> 
> - Josh
> 
[...]

I'm not sure I would block DNS on a Windows system, certainly
if it is doing anything else but being a server.  But then
I would not use a Windows system for a server.

I suspect that what you want to do can be accomplished
with mod_ssl, mod_rewrite, <Directory> and <VirtualHost>.
I don't see my way right to it, but, for example,
   RewriteCond %{REMOTE_USER} !^.+$
   RewriteRule ^.*$ - [F]
or some such thing properly placed might be useful.

Detailed tutorials for these capabilities can be found on
the Apache web site.  Some study would be required.

HTH.
Mike.
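
One way the mod_ssl, mod_rewrite and <VirtualHost> combination mentioned above could be laid out, as an added example that is not part of the original message. The host name, document root, certificate paths and the /login URL are assumptions, and the main configuration is assumed to already listen on ports 80 and 443.

```apache
# Added example, not from the thread. Hypothetical values:
# training.example.com, /var/www/training, /login, certificate paths.

# Plain-HTTP site: serves the training content, never the sign-in form.
<VirtualHost *:80>
    ServerName training.example.com
    DocumentRoot "/var/www/training"

    RewriteEngine On
    # A request for the sign-in URL on port 80 is redirected to HTTPS
    # before any form that takes a password is served over plain HTTP.
    RewriteRule ^/login(/.*)?$ https://training.example.com/login$1 [R=301,L]
</VirtualHost>

# HTTPS site: same content tree, used for the sign-in exchange.
<VirtualHost *:443>
    ServerName training.example.com
    DocumentRoot "/var/www/training"

    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/training.example.com.crt"
    SSLCertificateKeyFile "/etc/ssl/private/training.example.com.key"

    <Location /login>
        # Refuse the request outright if it arrives without SSL.
        SSLRequireSSL
    </Location>
</VirtualHost>

# Everything exchanged on port 80 after sign-in, the session cookie
# included, still crosses the network unencrypted.
```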




Re: [users@httpd] Re: Need some SSL help please.

Posted by Josh Gooding <jo...@gmail.com>.
No, my understanding is logins weren't encrypted unless SSL was used.

Scott, I'm not a sysadmin, but does win2k3 server have something like
iptables?  That MIGHT be a little more helpful, I'll have to research it
more, however, I still need to figure out how to drop SSL after the login
screen.  Let me do some more digging around the internet.

The login password is encrypted with MD5 before checking the DB and stored
in the DB as an MD5 hash, so with that being said, is SSL even necessary on
the login to the software?

Thank you again for all the responses and advice.  It is highly appreciated.

- Josh

On Fri, Aug 7, 2009 at 11:27 AM, Mike -- EMAIL IGNORED <
m_d_berger_1900@yahoo.com> wrote:

> On Fri, 07 Aug 2009 08:40:55 -0400, Josh Gooding wrote:
>
> > Thanks for the reply Krist,
> >
> > Let me give you a little background on what I did (and still doing).  I
> > created a video training software that is now internet based.  Nothing
> > inside of the training needs to be across HTTPS, except the login page.
> > Clients said they would "like" to see it done.  Which is where I am at
> > right now.  I always thought that HTTPS is noticeably slower than
> > regular HTTP, which is why I would not want HTTPS on the entire site,
> > since video and graphics tend to be more bandwidth and CPU intensive.
> >
> > In essence I am trying to keep the lag to as little as possible and only
> > encrypt what needs to be encrypted.
> >
> > - Josh
> >
> [...]
>
> Please read my recent thread "excessive DNS slows httpd".
> The bottom line: I recently introduced SSL to part of my
> web site, and it slowed considerably.  Using iptables
> (on a Linux system), I blocked all DNS, and speed of
> response is better than ever, 8 meg photo files
> notwithstanding.
>
> Additionally, I thought sign-in is encrypted even when
> SSL is not in use.  Is this not true?
>
> Mike.
>
>

Re: [users@httpd] Re: Need some SSL help please.

Posted by Dan Poirier <po...@pobox.com>.
On 08/07/2009 11:27 AM, Mike -- EMAIL IGNORED wrote:
> Additionally, I thought sign-in is encrypted even when
> SSL is not in use.  Is this not true?
>    

That is not true.  Sign-in is not encrypted unless you use SSL.

-- 
Dan Poirier <po...@pobox.com>
