I'm using Apache as a reverse proxy. The request contain important information that can not be passed in clear text between machines. I tried to use the connect to the backend server using https. <virtualHost _default:443> SSLProxyEngine on ProxyPass /proxy-s/ https://realserver/app/ max=5 </virtual> We benchmarked the performance, and found noticable slowness on the proxy-s path, compared with accessing the "realserver" app over HTTPS. The delay is ~0.1 seconds/request. It turned out that regardless of any setting, Apache does not use KeepAlive connections to connect to https backends. Each request require an HTTPS connection setup. When using HTTP to connect to the real server, the cost of running the requests through the proxy was < 0.01 second/request, and significantly less with Keep-Alive & connection pooling. For my application, direct https connection (with Keep-Alive) takes ~1.5 seconds/per 100 requests (including ~0.1 seconds for the inital SSL setup). The 10 seconds delay (0.1*100) prevent high-load applications from using Apache, if the proxied connection must be secured. The code in mod_proxy_http.c (2.2.4) states: /* * TODO: Currently we cannot handle persistent SSL backend connections, * because we recreate backend->connection for each request and thus * try to initialize an already existing SSL connection. This does * not work. */ if (is_ssl) backend->close_on_recycle = 1; IS IT POSSIBLE TO REMOVE THIS LIMIT ?
*** This bug has been marked as a duplicate of 38602 ***
Can you review the status of this bug. I believe 30602 applies to keep-alive for http connections (which have been resolved). The current bug applied to https (http+SSL) connection, for which no keep-alive is supported. I checked the code for 2.2.6, and the limit is still coded in mod_proxy_http.c Yair
It can do SSL keepalives to backend in trunk. But this codes needs to settle a bit until backported to the 2.2.x branch.
This is likely to be proposed for backport for 2.2.9
Backported to 2.2.x