
IHS, SSL & mod_gzip


    IHS, SSL & mod_gzip

    Is it possible to make this combination work?

    #2
    which version

    of IHS/Apache?

    Comment


      #3
      Re: which version

      Server: IBM HTTP SERVER/1.3.19.3 Apache/1.3.20 (Unix)
      & IBM HTTP Server/1.3.12.6 Apache/1.3.12 (Unix)

      Comment


        #4
        Re: which version

        Sadly I think the answer is no. Half the reason is that mod_gzip doesn't like SSL (both want to be the last item on the output chain). The other half is that while the latest TLS/SSL specification states that compression is supported, it doesn't bother to say what compression methods should be supported (so most browsers haven't got the code to implement it).

        Comment


          #5
          Re: which version

          Yeah, I've heard that, but peeps do mod_gzip contents and send it out over SSL in Apache.

          I think the problem here is more fundamental than that. I have a suspicion that IBM in trying to get their version of SSL to work broke mod_gzip and even though they've patched it, it is only patched enough to compile, not to actually work.

          And then there is the thought of who in their right minds would mod_gzip data over an SSL connection anyway as it would cause cribs to be constantly generated thereby making the connection insecure.

          It is one of my client's clients and they are quite insistent that they want this to be done, well not them actually, but their Big 4 consultants, and they insist they have done this before. Personally I can't quite see how, but am open to being educated.

          Comment


            #6
            Re: which version

            The correct logic should be

            page -> gzip -> SSL -> browser .

            but I'm sure there's something in those two modules that stops them working together. I don't want to guess what tho.

            A solution would be to add an additional apache server in the middle of the system to act as an SSL processing proxy server. This would separate the system into

            web server -> proxy server -> browser
            page -> mod_gzip -> mod_proxy -> SSL -> browser

            The web server can then also be totally firewalled allowing access to it from only a single port on a few ip addresses (internal machines and proxy servers only say).

            You can do the above on a single machine running a single instance of Apache but I doubt the cost of the additional machine is going to break the bank on this project tho.

            Comment


              #7
              Re: which version

              Yes, yes, that is correct, you have to use mod_proxy between them, virtual host doing SSL on the front, through mod_proxy to the back end that has the mod_gzip. Which is nice and which works, for Apache.

              The problem is that in IHS this just doesn't appear to work...

              Comment
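
The single-instance layout described in posts #6 and #7, written out as an added configuration sketch; it is not from any poster in this thread. It assumes stock Apache 1.3 with mod_ssl, mod_proxy and mod_gzip loaded (not IHS with GSK, which the thread reports does not work), and the host name, port 8080 and file paths are placeholders.

```apache
# Added illustration, not the posters' configuration.
# www.example.com, port 8080 and all /path/to/... values are placeholders.

Listen 443
Listen 127.0.0.1:8080

# Reverse proxy only; never act as an open forward proxy.
ProxyRequests Off

# Front end: terminates SSL and passes the request to the back end.
<VirtualHost _default_:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # No compression on this side: the body arrives already gzipped
    # from the back end and is only encrypted here.
    mod_gzip_on No

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Back end: plain HTTP bound to loopback, so only the front end can
# reach it (the single-machine form of the firewalling in post #6).
<VirtualHost 127.0.0.1:8080>
    ServerName www.example.com
    DocumentRoot /path/to/htdocs

    mod_gzip_on Yes
    mod_gzip_dechunk Yes

    # Compress static text only. Given the concern in post #5 about
    # compressed data under SSL, keep responses that carry secrets
    # out of this list.
    mod_gzip_item_include mime ^text/html
    mod_gzip_item_include mime ^text/css
    mod_gzip_item_exclude mime ^image/
</VirtualHost>
```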


                #8
                Well, I spent a good few days reverse engineering this, and now I can see why it screws up: it is code changes to Apache to get IBM's GSK version of SSL in that change some structures that mod_gzip uses, and then the patches to mod_gzip then don't actually fix all the problems, resulting in apparently random screw ups.

                Comment
