mod_gzip with SSL mini howto

Post by produke » 25 Mar 2007 17:36

[Mod_gzip] mod_gzip with SSL mini howto
Tim Behrendsen mod_gzip@lists.over.net
Tue, 19 Feb 2002 20:59:05 -0800

--------------------------------------------------------------------------------

MOD_GZIP WITH SSL MINI HOWTO

Version 0.1 February 19, 2002
Tim Behrendsen
All rights given to the public domain.

INTRODUCTION

This document describes how to run mod_gzip over SSL connections using
mod_ssl. The method described has been tested with Apache 1.3.22 under
RedHat 7.2 (Kernel 2.4.13), mod_gzip 1.3.19.1a, mod_ssl 2.8.5 and OpenSSL
0.9.6b.

THE PROBLEM

One would expect to be able to just plug mod_gzip into Apache in the
normal way, and have it work with SSL. Unfortunately, due to technical
issues with mod_ssl beyond the scope of this document (apparently mod_ssl
greedily grabs the result before anyone else has a chance), the easy
solution doesn't work.

There are workarounds, however, that give the desired result.

THE SOLUTION

A workaround solution is to use mod_proxy. A front-end SSL-enabled Virtual
Host receives the request, and then uses mod_proxy to pass the request to a
back-end non-SSL virtual host that processes it, compresses the
content and passes it back. The front-end then happily forwards the data
through the SSL connection.

CONFIGURATION

After installing mod_gzip, enable mod_proxy in the configuration file by
adding (or uncommenting) the following lines to the appropriate areas (after
directives of the same form would be a good place):

LoadModule proxy_module modules/libproxy.so

AddModule mod_proxy.c

The following lines are a good basic configuration for mod_gzip (mostly
taken from the mod_gzip FAQ). Add these into your configuration:

-------------------------------------------
# [ mod_gzip sample configuration ]

# mod_gzip_on [Yes/No]
#
# Use this command to turn mod_gzip 'on' or 'off'.
# The command can go into the base server configuration
# or be used to control if mod_gzip is active inside
# any particular virtual directory or host section.
#
mod_gzip_on Yes

# Size limits

mod_gzip_minimum_file_size 300
mod_gzip_maximum_file_size 0
mod_gzip_maximum_inmem_size 100000

# mod_gzip_item_include type regular_expression
# mod_gzip_item_exclude type regular_expression
#
# Use 'include' and 'exclude' commands to specify which
# items are eligible for compression.
#
# The valid values for 'type' field are...
#
# file, mime, handler, reqheader, rspheader.
#
# The 3rd parameter must be a valid 'regular expression'
# which will be used to 'match' the requested item(s).
#
mod_gzip_item_include file \.htm$
mod_gzip_item_include file \.html$
mod_gzip_item_include mime text/.*
mod_gzip_item_include handler ^perl-script$

# NOTE: The following entry was required to compress negotiated
# home pages in version 1.3.17.1a but is now only needed
# if you would like to compress your directory listings...
#
# mod_gzip_item_include mime httpd/unix-directory

# mod_gzip_dechunk [Yes/No]
#
# If a response is being generated dynamically and
# the response content generator is always using
# 'Transfer-Encoding: chunked' then that response
# cannot normally be 'compressed' since a transport layer
# encoding is already being applied. The "mod_gzip_dechunk Yes"
# option will transparently remove all 'chunked' encoding
# and allow the response to be fully compressed. Certain
# versions of mod_php will need this option set ON for the
# dynamic output to be compressed. Whenever possible just
# make sure this option and the extra step required
# are NOT needed by making sure the response generator is NOT
# using 'Transfer-encoding: chunked'.
#
mod_gzip_dechunk yes

# mod_gzip_min_http [1000/1001/etc...]
#
# Only use this to 'block' browsers that don't support a
# certain minimum level of the HTTP protocol. The option
# uses the same internal 'numeric' value(s) used by Apache
# itself to indicate certain HTTP protocol support level(s).
#
# 1000=HTTP/1.0 1001=HTTP/1.1, etc.
#
# mod_gzip_min_http 1000

# mod_gzip_temp_dir /tmp
#
# Use this option to specify the directory that mod_gzip should
# use for workfiles. Do not add a trailing 'slash' to the name.
#
# Whenever possible ( and for the best performance ) this 'temporary'
# workfile directory should be a valid RAMDISK.
#
# The directory must already exist when Apache starts.
#
# Be sure permissions are set right for whatever directory is
# used as the 'temp_dir'. The User/Group used by the Server during
# runtime ( such as 'www' or 'nobody' ) must have read/write
# access to the directory. If permissions are incorrect then the
# mod_gzip 'result' string will probably be 'RECOVERY' and your
# Apache error_log will contain messages about mod_gzip being
# unable to access work files.
#
# If no 'mod_gzip_temp_dir' is specified then the DEFAULTS are...
#
# /tmp for UNIX
# c:\temp for Win32.
#
mod_gzip_temp_dir /tmp

# mod_gzip_keep_workfiles [Yes/No]
#
# If this option is 'Yes' then mod_gzip will not delete any
# workfiles it may be generating in the 'mod_gzip_temp_dir'
# location. Use this option only for diagnostic purposes.
# The 'default' setting is 'No'.
#
mod_gzip_keep_workfiles No

# [End of mod_gzip sample config]
--------------------------------------------------

Add the following lines to your SSL VirtualHost:

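# Off: ProxyPass works without forward proxying, and On would let
# clients use this host as an open forward proxy.
ProxyRequests Off
ProxyPass / http://myhost:4430/
ProxyPassReverse / http://myhost:4430/
mod_gzip_on No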

This directs mod_proxy to send all requests to a back-end virtual host on
port 4430. Change "myhost" to your hostname.

Finally add a virtual host section similar to your primary SSL section, but
without the SSL set-up.

Listen 4430
<VirtualHost _default_:4430>
...host information...
</VirtualHost>

Restart Apache, and that should be it!

NOTE: Make sure your firewall is configured to block requests to 4430 (or
whatever port you choose), otherwise you have a potential non-SSL backdoor
into your web server.
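
An added example, not part of the original HOWTO: a small Python check for three exposure points in this layout (forward proxying left on, a ProxyPass target without a scheme, and a back-end port that listens on every interface). It assumes the front-end and back-end run on the same machine, so the back-end can bind to loopback; the finding names and both sample configurations are constructed for illustration.

```python
import re

LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}
TARGET_RE = re.compile(
    r"^(?:(?P<scheme>[a-z]+)://)?(?P<host>[^/:]+)(?::(?P<port>\d+))?", re.I)

# Constructed sample: forward proxy on, scheme-less target, back-end on all interfaces.
WEAK_CONF = """
Listen 4430
<VirtualHost _default_:443>
ProxyRequests On
ProxyPass / myhost:4430/
mod_gzip_on No
</VirtualHost>
"""

# Constructed sample: same layout, back-end reachable only through loopback.
HARDENED_CONF = """
Listen 127.0.0.1:4430
<VirtualHost _default_:443>
ProxyRequests Off
ProxyPass / http://127.0.0.1:4430/
mod_gzip_on No
</VirtualHost>
"""

def audit_proxy_config(conf_text):
    """Return sorted finding names for an SSL front-end / plain back-end config."""
    findings, listens, backend_ports = set(), [], set()
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):   # blank line or comment
            continue
        name, args = parts[0].lower(), parts[1:]
        if name == "proxyrequests" and args and args[0].lower() == "on":
            findings.add("forward-proxy-enabled")
        elif name == "proxypass" and len(args) >= 2:
            m = TARGET_RE.match(args[1])
            if not m or not m.group("scheme"):
                findings.add("proxypass-missing-scheme")
            if m:
                backend_ports.add(m.group("port") or "80")
        elif name == "listen" and args:
            addr, _, port = args[0].rpartition(":")  # "4430" gives addr == ""
            listens.append((addr, port))
    for addr, port in listens:
        # A proxied-to port bound to anything but loopback is a plain-HTTP side door.
        if port in backend_ports and addr not in LOOPBACK:
            findings.add("backend-port-%s-not-loopback" % port)
    return sorted(findings)
```

If the back-end must live on a different machine, the loopback finding does not apply and the firewall rule from the note above is the control to verify instead.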

PROBLEMS

Q: Error log gives:
mod_gzip: EMPTY FILE [/tmp/_3630_118_19.wrk] in sendfile2
mod_gzip: Make sure all named directories exist and have the correct
permissions.

A: This seems to be caused when mod_gzip is enabled for the SSL section.
Make sure it's either disabled using "mod_gzip_on No" or by specifying the
mod_gzip parameters only within the virtual host.

Q: I'm getting redirected to the non-SSL page!

A: Are you using mod_rewrite to fix trailing slashes or other mods? Try
disabling it in the back-end non-SSL virtual host. Keep the rewrites on the
front-end.