Mark Ferlatte: the quest for foo, except when distracted by shiny things.

Tue, 25 May 2004

mod_gzip with mod_ssl

Unfortunately, there’s an incompatibility with mod_ssl and mod_gzip when running on Apache 1.3. In order to get them to work, you need to setup the proxy hack.

The general idea is that you split your SSL host into two virtual hosts: the frontend does the SSL, and the backend virtual host that does the compression.

First, load the Apache proxy module:

LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so

It should go after your auth modules, but prior to ssl or gzip.

Tell Apache to listen on a high port:

Listen 10443

Setup the proxied vhost. :

<VirtualHost _default_:10443>
    ServerName secure.example.com
    # Whatever other config you need for this host...
</VirtualHost>

Then, setup the front-end. You should apply any mod_rewrite rules here, not in the backend. :

<VirtualHost 10.0.0.1:443>
    ServerName secure.example.com
    SSLEngine On
    # Whatever other SSL config you need for this vhost.
    ProxyRequests Off
    ProxyPass / http://secure.example.com:10443/
    ProxyPassReverse / http://secure.example.com:10443/
    mod_gzip_on No
</VirtualHost>

It works pretty well, although you will see two entries in your access log per HTTPS request. You can strip the duplicates by removing entries from your webserver’s IP address prior to log processing.

Note that the backend virtual host should not be accessible externally, so you should use a per-host firewall or set Apache access restrictions on it to limit access to localhost only.

[/config/libapache-mod-gzip] permanent link

• ferlatte@cryptio.net
• mark@lindenlab.com
• mark@secondlife.com
• ferlatte@sendmail.com
• ferlatte@rescomp.berkeley.edu
• ferlatte@uclink4.berkeley.edu

• Atom Feed
• RSS Feed