[Mod_gzip] SSL <-> mod_gzip proxy error - can't stat cgi file

Nigel Hamilton mod_gzip@lists.over.net
Mon, 14 Oct 2002 21:50:10 -0500 (CDT)


Hi,

	I'm trying to implement the SSL<->mod_gzip compression trick of 
using a proxy server to handle the compression (as described in the SSL 
GZIP Compression Mini-HowTo - see below).

	Whenever I execute a CGI script via https the browser returns a 
404 error and the error log reports:

[Mon Oct 14 21:33:25 2002] [error] 
proxy:http://turbo10.com:44300/cgi-bin/splashpage1.cgi not found or unable 
to stat 

	However when I access the proxy directly the CGI script works fine
(no access restrictions just yet):
	
	http://turbo10.com:44300/cgi-bin/splashpage1.cgi
	
	When I ask for a simple HTML file using SSL everything still works 
fine:

	https://turbo10.com:446/ourtechnology.html

	It seems simple HTML is being compressed and encrypted correctly.
 
	However, when I access the CGI script via SSL I get the above 
404 error .. can't find or stat error. 

	https://turbo10.com:446/cgi-bin/splashpage1.cgi

	Any ideas? 

Kind Regards


Nigel
	


MOD_GZIP WITH SSL MINI HOWTO

Version 0.2 February 23, 2002
Tim Behrendsen
This document is released into the public domain.

INTRODUCTION

This document describes how to run mod_gzip over SSL connections using
mod_ssl. The method described has been tested with Apache 1.3.22 under
RedHat 7.2 (Kernel 2.4.13), mod_gzip 1.3.19.1a, mod_ssl 2.8.5 and OpenSSL
0.9.6b.

THE PROBLEM

One would expect to be able to just plug in mod_gzip into Apache in the
normal way, and have it work with SSL. Unfortunately, due to technical
issues with mod_ssl beyond the scope of this document (apparently mod_ssl
greedily grabs the result before anyone else has a chance), the easy
solution doesn't work.

There are workarounds, however, that give the desired result.

THE SOLUTION

A workaround solution is to use mod_proxy. A front-end SSL-enabled Virtual
Host receives the request, and then uses mod_proxy to pass the result to a
back-end non-SSL virtual host that processes the request, compresses the
content and passes it back. The front-end then happily forwards the data
through the SSL connection.

CONFIGURATION

Install and test mod_gzip. Installation information and sample configuration
may be found on the home page of mod_gzip at
http://www.remotecommunications.com/apache/mod_gzip. It's recommended to get
mod_gzip completely working before adding SSL.

After installing mod_gzip, enable mod_proxy in the configuration file by
adding or uncommenting the following lines to the appropriate areas (near
directives of the same form would be a good place). Note that the mod_gzip
module needs to be the last one in the chain, so activate these before the
mod_gzip module.

    LoadModule proxy_module modules/libproxy.so

    AddModule mod_proxy.c

Some mod_gzip configurations apparently need the following line. Add it to
your "item_include" sections:

    mod_gzip_item_include handler ^proxy-server$

Add the following lines to your SSL VirtualHost:

    ProxyRequests On
    ProxyPass / http://localhost:44300/
    ProxyPassReverse / http://localhost:44300/
    mod_gzip_on No

This directs mod_proxy to send all requests to a back-end virtual host on
port 44300. Note that the "http" is required.

Finally add a virtual host section similar to your primary SSL section, but
without the SSL set-up. Note the security clause disabling access from
anywhere but localhost (127.0.0.1), which prevents a non-SSL "backdoor" into
your web server. This is optional, but recommended. It might also be a good
idea to make sure your firewall blocks requests to 44300 (or whatever port
you choose) just in case.

    Listen 44300
    <VirtualHost _default_:44300>
        <Directory />
            order deny,allow
            deny from all
            allow from 127.0.0.1
        </Directory>
        ...host information...
    </VirtualHost>

Restart Apache, and that should be it!

PROBLEMS

Q: Error log gives:
mod_gzip: EMPTY FILE [/tmp/_3630_118_19.wrk] in sendfile2
mod_gzip: Make sure all named directories exist and have the correct
permissions.

A: There are a number of causes for this error, but in the context of SSL,
this can be caused when mod_gzip is enabled for the SSL section. Make sure
it's either disabled using "mod_gzip_on No" or by specifying the mod_gzip
parameters only within the virtual host.

Q: I'm getting redirected to the non-SSL page!

A: Are you using mod_rewrite to fix trailing slashes or other mods? Try
removing it in the back-end non-SSL virtual host. Keep the rewrites on the
front-end.

Q: When I press "refresh" on my browser, the page is getting corrupted!

A: Unfortunately, IE6 (and perhaps earlier versions?) appears to have a bug
with gzip over SSL where the first 2048 characters are not included in the
HTML rendering of the page when refresh is pressed. It only seems to happen
on longish pages, and not when the page is first loaded. In fact, sometimes
it doesn't happen at all. The only current solution is to put a 2048
character comment at the start of your longish pages of all spaces (which
compresses pretty well, fortunately).


-- 
Nigel Hamilton
Turbo10 Metasearch Engine

email:	nigel@turbo10.com
tel:	+44 (0) 207 987 5460
fax:	+44 (0) 207 987 5468
________________________________________________________________________________
http://turbo10.com		Search Deeper. Browse Faster.
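
An added example, not part of the original post or the HOWTO: a small Python audit of the reverse-proxy layout described above. It flags `ProxyRequests On` beside `ProxyPass` (reverse proxying via `ProxyPass` does not need it, and `On` also turns the host into a forward proxy) and a back-end virtual host that lacks the HOWTO's localhost-only clause. `parse_vhosts`, `audit`, the finding labels and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: the HOWTO's front end, plus a back end with no access clause.
SAMPLE = """\
Listen 44300
<VirtualHost _default_:446>
    ProxyRequests On
    ProxyPass / http://localhost:44300/
    ProxyPassReverse / http://localhost:44300/
    mod_gzip_on No
</VirtualHost>
<VirtualHost _default_:44300>
    DocumentRoot /var/www/html
</VirtualHost>
"""

def parse_vhosts(conf):
    """Map each VirtualHost port to its directive lines (lowercased, single-spaced)."""
    vhosts, port = {}, None
    for raw in conf.splitlines():
        line = " ".join(raw.lower().split())
        opened = re.match(r"<virtualhost \S*?:(\d+)>", line)
        if opened:
            port = opened.group(1)
            vhosts.setdefault(port, [])
        elif line == "</virtualhost>":
            port = None
        elif port is not None and line and not line.startswith("#"):
            vhosts[port].append(line)
    return vhosts

def audit(conf):
    """Return (port, finding) pairs; the finding labels are hypothetical names."""
    vhosts, findings = parse_vhosts(conf), []
    for port, lines in vhosts.items():
        hits = [re.match(r"proxypass \S+ http://[^/:]+:(\d+)", l) for l in lines]
        backends = sorted({m.group(1) for m in hits if m})
        # ProxyPass still works with ProxyRequests Off; On also enables forward proxying.
        if backends and "proxyrequests on" in lines:
            findings.append((port, "forward-proxy-enabled"))
        for b in backends:
            # The back end must carry the HOWTO's localhost-only access clause.
            if not {"deny from all", "allow from 127.0.0.1"} <= set(vhosts.get(b, [])):
                findings.append((b, "backend-reachable-without-ssl"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The check is textual and only recognises the exact `deny from all` / `allow from 127.0.0.1` pair shown in the HOWTO; a firewall rule on the back-end port is outside what it can see.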