Score:0

Apache Proxypass with SSL extremely slow

nXn

We have a server with the spec 8 vCore and 16GB RAM. At its peak, the server uses only 15 to 25% CPU and around 40% of RAM.

The issue that we face is that once the number of users starts increasing, the response from Apache simply starts taking more and more time, and at times it doesn't respond at all.

ProxyPass is used to connect Apache to a Node application running on a particular port. At the same time, when there is a delay in getting a response from Apache, the port gives a response in ms.

When I use Apache, for example www.mydomainname.com/abc/endpoint, I get a response in 5 secs. At the same time, if I use www.mydomainname.com:3001/endpoint, I get a response in 30 ms.

Apache is running in event mode with the below configuration.

<IfModule mpm_event_module>
        StartServers            4
        MinSpareThreads         25
        MaxSpareThreads         75
        ThreadLimit             64
        ThreadsPerChild         25
        MaxRequestWorkers       800
        ServerLimit             32
        MaxConnectionsPerChild  10000
</IfModule>
KeepAlive On

MaxKeepAliveRequests 500

KeepAliveTimeout 3

The sites are configured as below:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName mysite.ae
    ServerAlias www.mysite.ae
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/mysite
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    SSLCertificateFile /etc/ssl/mysite/mysite.crt
    SSLCertificateKeyFile /etc/ssl/mysite/mysite.key

    ProxyPreserveHost off
    ProxyReceiveBufferSize 2048

    ProxyPass /e1/ https://127.0.0.1:4001/
    ProxyPassReverse /e1/ https://127.0.0.1:4001/

    ProxyPass /e2/ https://127.0.0.1:4002/
    ProxyPassReverse /e2/ https://127.0.0.1:4002/

    ProxyPass /e3/ https://127.0.0.1:4003/
    ProxyPassReverse /e3/ https://127.0.0.1:4003/

    ProxyPass /e4/ https://127.0.0.1:4004/
    ProxyPassReverse /e4/ https://127.0.0.1:4004/

    Alias /assets/ /var/www/e4/apis/


</VirtualHost>
</IfModule>

The error log has this:

[proxy_http:error] [pid 7020:tid 140346369500864] [client 102.129.215.155:56380] AH01097: pass request body failed to 170.33.96.254:443 (wiocdsd.world) from 102.129.215.155 ()
[Mon Jun 12 12:25:36.000975 2023] [proxy:error] [pid 22976:tid 140345102825152] (20014)Internal error (specific information not available): [client 102.129.215.155:57246] AH01084: pass request body failed to 170.33.96.254:443 (wiocdsd.world)
[Mon Jun 12 12:25:36.001002 2023] [proxy:error] [pid 22976:tid 140345102825152] [client 102.129.215.155:57246] AH00898: Error during SSL Handshake with remote server returned by /api/index/getline
[Mon Jun 12 12:25:36.001007 2023] [proxy_http:error] [pid 22976:tid 140345102825152] [client 102.129.215.155:57246] AH01097: pass request body failed to 170.33.96.254:443 (wiocdsd.world) from 102.129.215.155 ()
[Mon Jun 12 12:25:36.131766 2023] [proxy:error] [pid 22905:tid 140346151388864] (20014)Internal error (specific information not available): [client 102.129.215.155:42064] AH01084: pass request body failed to 170.33.96.254:443 (wiocdsd.world)

What could possibly be wrong?

HBruijn
Normally you have neither a need for, nor any benefit or added security from, using transport security for traffic between services running on the same machine. In other words, connecting to localhost with https in your `ProxyPass /e4/ https://127.0.0.1:4004/` directives does not add security and only adds unnecessary overhead. Assuming that those backend services can't be accessed directly over the internet, you can run those services without HTTPS -
nXn
@HBruijn it is a mandatory policy at our organization not to expose the application on a PORT; it has to be passed through Apache with SSL.
c4f4t0r
@nXn both SSL on the same server? external -> server-with-ssl -> proxy-pass-to-ssl-service -> on the same machine
nXn
@c4f4t0r Yes, all services are on the same server
c4f4t0r
There is no sense in doing SSL for the traffic going through the same server
nXn
@c4f4t0r Noted! But will that cause a problem, especially delays?
c4f4t0r
@nXn yes, try to remove the encryption on the local connection
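
The error-log lines in the question name an upstream, 170.33.96.254:443 (wiocdsd.world), that is not one of the four 127.0.0.1 ProxyPass targets in the posted VirtualHost. As an added example (not part of the original thread), this Python script compares the upstreams named in AH01084/AH01097 entries with the configured ProxyPass targets; the regular expressions assume the log format shown above, and the function names are hypothetical.

```python
import re
from collections import Counter

# ProxyPass targets copied from the VirtualHost in the question.
VHOST_CONF = """
ProxyPass /e1/ https://127.0.0.1:4001/
ProxyPassReverse /e1/ https://127.0.0.1:4001/
ProxyPass /e2/ https://127.0.0.1:4002/
ProxyPass /e3/ https://127.0.0.1:4003/
ProxyPass /e4/ https://127.0.0.1:4004/
"""

# Error-log lines copied from the question (timestamps trimmed).
ERROR_LOG = """
[proxy_http:error] [pid 7020:tid 140346369500864] [client 102.129.215.155:56380] AH01097: pass request body failed to 170.33.96.254:443 (wiocdsd.world) from 102.129.215.155 ()
[proxy:error] [pid 22976:tid 140345102825152] (20014)Internal error (specific information not available): [client 102.129.215.155:57246] AH01084: pass request body failed to 170.33.96.254:443 (wiocdsd.world)
[proxy:error] [pid 22976:tid 140345102825152] [client 102.129.215.155:57246] AH00898: Error during SSL Handshake with remote server returned by /api/index/getline
"""

# "ProxyPass <path> <scheme>://<host>:<port>"; ProxyPassReverse does not match.
PROXYPASS_RE = re.compile(r"^\s*ProxyPass\s+\S+\s+https?://([^/\s:]+):(\d+)", re.M)
# AH01084 / AH01097 name the upstream as "failed to <ip>:<port> (<host>)".
UPSTREAM_RE = re.compile(
    r"\[client ([\d.]+):\d+\] AH010(?:84|97): .*? failed to ([\d.]+):(\d+) \(([^)]*)\)"
)


def configured_backends(conf):
    """Return the set of (host, port) pairs named by ProxyPass directives."""
    return {(host, int(port)) for host, port in PROXYPASS_RE.findall(conf)}


def unexpected_upstreams(log, backends):
    """Count proxy failures whose upstream is not a configured backend."""
    hits = Counter()
    for line in log.splitlines():
        m = UPSTREAM_RE.search(line)
        if m and (m.group(2), int(m.group(3))) not in backends:
            hits[(m.group(1), f"{m.group(2)}:{m.group(3)}", m.group(4))] += 1
    return hits


if __name__ == "__main__":
    backends = configured_backends(VHOST_CONF)
    for (client, upstream, host), n in unexpected_upstreams(ERROR_LOG, backends).items():
        print(f"{n}x client={client} upstream={upstream} ({host}) not in ProxyPass targets")
```
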