logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Reverse Proxy SSL session reuse
Author
Muggy



Joined: 23 May 2018
Posts: 1
Location: England

PostPosted: Wed 23 May '18 18:30    Post subject: Reverse Proxy SSL session reuse Reply with quote

Hi everyone

I am trying to setup a reverse proxy to provide optimized SSL connectivity to our API. This is the setup:-

|Client in india|--internet 10ms rtt--|reverse proxy|---internet 240ms rtt--|datacentre (Atlanta)|

The requirements are the proxy must reuse the SSL connection for as long it is active.
The reason for this is we have customers in India who are experiencing prolonged reach response time due to each request waiting for the TCP session and SSL session to establish which in some cases can take up to 1 second.

We have already applied the following from a client perspective:-
Leverage long-running HTTP connection pools with HTTP “Connection: Keep-Alive”
Include “Accept-Encoding: gzip” to enable compression on response payloads
Set customer-side TCP receive buffers to at least 500K (TCP window scaling)
Do not use “Expect: 100-continue” in HTTP request headers

But the issue is I am unable to get the apache server to honour connection reuse.
Every time I send a request to the apache revere proxy it establishes a new SSL connection although the SSL connections stay up for some time the reverse proxy will not reuse them.

First Request
tcp 0 0 proxy.test:ssh 192.168.1.203:54410 ESTABLISHED
tcp 0 0 proxy.test:43156 apac.universal-ap:https ESTABLISHED
tcp 0 0 proxy.test:ssh 192.168.1.203:54415 ESTABLISHED
tcp 0 0 proxy.test:ssh 192.168.1.203:57770 ESTABLISHED
tcp6 0 0 proxy.test:https 192.168.1.203:61846 ESTABLISHED

Seconds later
tcp 0 0 proxy.test:ssh 192.168.1.203:54410 ESTABLISHED
tcp 0 0 proxy.test:43156 apac.universal-ap:https ESTABLISHED
tcp 0 0 proxy.test:ssh 192.168.1.203:54415 ESTABLISHED
tcp 0 0 proxy.test:ssh 192.168.1.203:57770 ESTABLISHED

Second Request
tcp 0 0 proxy.test:ssh 192.168.1.203:54410 ESTABLISHED
tcp 0 0 proxy.test:43158 apac.universal-ap:https ESTABLISHED
tcp 0 0 proxy.test:43156 apac.universal-ap:https ESTABLISHED
tcp 0 0 proxy.test:ssh 192.168.1.203:54415 ESTABLISHED
tcp 0 0 proxy.test:ssh 192.168.1.203:57770 ESTABLISHED
tcp6 0 0 proxy.test:https 192.168.1.203:61855 ESTABLISHED

Seconds Later
tcp 0 0 proxy.test:ssh 192.168.1.203:54410 ESTABLISHED
tcp 0 0 proxy.test:43158 apac.universal-ap:https ESTABLISHED
tcp 0 0 proxy.test:43156 apac.universal-ap:https ESTABLISHED
tcp 0 0 proxy.test:ssh 192.168.1.203:54415 ESTABLISHED
tcp 0 0 proxy.test:ssh 192.168.1.203:57770 ESTABLISHED

As you can see the SSL conections are staying active but not being reused.

I have added the following configuration:-

ssl.conf
<VirtualHost _default_:443>
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLCertificateFile /etc/pki/tls/certs/proxy.test.crt
SSLCertificateKeyFile /etc/pki/tls/private/proxy.test.key
ProxyPreserveHost On
ProxyPass / https://apac.universal-api.travelport.com/ keepalive=on
ProxyPassReverse / https://apac.universal-api.travelport.com/ keepalive=on
ProxyRequests off
</VirtualHost _default_:443>

httpd.cong
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 100

Thanks in advanced
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

PostPosted: Tue 16 Oct '18 23:30    Post subject: Reply with quote

There is SSLSessionCache
Back to top


Reply to topic   Topic: Reverse Proxy SSL session reuse View previous topic :: View next topic
Post new topic   Forum Index -> Apache