IHS, SSL & mod_gzip



threaded
23rd January 2003, 13:44
Is this possible to make this combination work?

Mark Snowdon
23rd January 2003, 18:48
of IHS/apache ?

threaded
23rd January 2003, 21:30
Server: IBM HTTP SERVER/1.3.19.3 Apache/1.3.20 (Unix)
& IBM HTTP Server/1.3.12.6 Apache/1.3.12 (Unix)

eek
23rd January 2003, 21:54
Sadly I think the answer is no. Half the reason is that mod_gzip doesn't like SSL (both want to be the last item on the output chain). The other half is that while the latest TLS/SSL specification states that compression is supported, it doesn't bother to say what compression methods should be supported (so most browsers haven't got the code to implement it).

threaded
24th January 2003, 05:48
Yeah, I've heard that, but peeps do mod_gzip contents and send it out over SSL in Apache.

I think the problem here is more fundamental than that. I have a suspicion that IBM in trying to get their version of SSL to work broke mod_gzip and even though they've patched it, it is only patched enough to compile, not to actually work.

And then there is the thought of who in their right minds would mod_gzip data over an SSL connection anyway as it would cause cribs to be constantly generated thereby making the connection insecure.

It is one of my client's clients and they are quite insistent that they want this to be done, well not them actually, but their Big 4 consultants, and they insist they have done this before. Personally I can't quite see how, but am open to being educated.

eek
24th January 2003, 14:14
The correct logic should be

page -> gzip -> SSL -> browser .

but I'm sure there's something in those two modules that stops them working together. I don't want to guess what tho.

A solution would be to add an additional Apache server in the middle of the system to act as an SSL processing proxy server. This would separate the system into

web server -> proxy server -> browser
page -> mod_gzip -> mod_proxy -> SSL -> browser

The web server can then also be totally firewalled allowing access to it from only a single port on a few IP addresses (internal machines and proxy servers only say).

You can do the above on a single machine running a single instance of Apache but I doubt the cost of the additional machine is going to break the bank on this project tho.

threaded
24th January 2003, 15:16
Yes, yes, that is correct, you have to use mod_proxy between them, virtual host doing SSL on the front, through mod_proxy to the back end that has the mod_gzip. Which is nice and which works, for Apache.

The problem is that in IHS this just don't appear to work...

threaded
27th January 2003, 09:51
Well, I spent a good few days reverse engineering this, and now I can see why it screws up: it is code changes to Apache to get IBM's GSK version of SSL in that changes some structures that mod_gzip uses, and then the patches to mod_gzip then don't actually fix all the problems, resulting in apparently random screw-ups.
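
A check for the failure mode this thread ends on (a gzip stage that builds but emits intermittently broken output), added here as an example and not code from any poster: it takes a raw HTTP response captured after SSL termination and verifies that a body labelled gzip really decompresses with a valid CRC and length trailer. The function names and sample responses are constructed for illustration.

```python
import gzip
import zlib

def split_response(raw: bytes):
    """Split a raw HTTP response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body

def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body."""
    out = bytearray()
    while body:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        out += body[:size]
        body = body[size + 2:]                    # skip chunk data and its CRLF
    return bytes(out)

def check_gzip_response(raw: bytes) -> str:
    """Return 'ok', 'not-compressed', or 'corrupt' for one captured response."""
    headers, body = split_response(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() != "gzip":
        return "not-compressed"
    try:
        gzip.decompress(body)                     # validates CRC32 and length trailer
    except (OSError, EOFError, zlib.error):
        return "corrupt"
    return "ok"

# Constructed sample responses (not captured from a real server).
_PAGE = gzip.compress(b"<html><body>hello</body></html>" * 20)
_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
GOOD = _HDR + b"Content-Encoding: gzip\r\n\r\n" + _PAGE
CHUNKED = (_HDR + b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n"
           + b"%x\r\n" % len(_PAGE) + _PAGE + b"\r\n0\r\n\r\n")
TRUNCATED = _HDR + b"Content-Encoding: gzip\r\n\r\n" + _PAGE[:-6]
PLAIN = _HDR + b"\r\n<html>plain</html>"

if __name__ == "__main__":
    for raw in (GOOD, CHUNKED, TRUNCATED, PLAIN):
        print(check_gzip_response(raw))
```

Running it over many responses from the same URL is what exposes "apparently random" corruption, since a single good response proves little.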