Category Archives: Apache

Apache Load Balancer Persistence

Apache 2.2's load balancer is pretty neat. However, to get persistence to work properly, you have to be careful. Here we configure the balancer to watch a client cookie called BALANCEID; each member has a particular route string tied to it, and that route string is what gets set in the cookie. It's important to note that the cookie format must be something.routestring, i.e., nat.server1. If it is just server1, it will not work.

ProxyPass / balancer://mycluster/ stickysession=BALANCEID
ProxyPassReverse / http://localhost:71/
ProxyPassReverse / http://localhost:72/
<Proxy balancer://mycluster>
 BalancerMember http://localhost:71 route=server1
 BalancerMember http://localhost:72 route=server2
</Proxy> 

Now there’s the issue of the client cookie being set. What if you are load balancing a third party app or webserver and can’t easily get the cookie set on the client? No problem! While it didn’t work in 2.2.3 (in particular, the BALANCER_ROUTE_CHANGED var being set), when I tried in 2.2.11, I was able to set the cookie myself based on which balancer member was selected:

# Set a session cookie when BALANCER_ROUTE_CHANGED is set. The cookie contains the BALANCER_WORKER_ROUTE env variable, which is set to the route above.
# Note that the cookie value should be a session id, followed by a period, followed by the route.
# Since it is usually not advised to modify the session id cookie, it is best to create your own cookie with anything you want
# for the session part; just make sure to have a period and the route part last.
# Used for setting the cookie
LoadModule headers_module modules/mod_headers.so
Header add Set-Cookie "BALANCEID=balancer.%{BALANCER_WORKER_ROUTE}e; path=/;" env=BALANCER_ROUTE_CHANGED
# Just give some debug info in the header, don't use once you have it working
Header add X-Var "BALANCER_ROUTE_CHANGED=%{BALANCER_ROUTE_CHANGED}e" env=BALANCER_ROUTE_CHANGED
Header add X-Var "BALANCER_WORKER_ROUTE=%{BALANCER_WORKER_ROUTE}e" env=BALANCER_WORKER_ROUTE
Header add X-Var "BALANCER_SESSION_ROUTE=%{BALANCER_SESSION_ROUTE}e" env=BALANCER_SESSION_ROUTE 

Presto! Session persistence, all handled at the reverse proxy load balancer level.
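
The routing and cookie behaviour described in this post, modelled in Python as an added example (it is not code from the original post or from Apache). The member table mirrors the config above; taking the route to be the text after the first period, and the round-robin fallback, are assumptions of this model.

```python
from itertools import cycle

# Route -> backend, mirroring the BalancerMember lines above.
MEMBERS = {"server1": "http://localhost:71", "server2": "http://localhost:72"}
STICKY = "BALANCEID"
_fallback = cycle(sorted(MEMBERS))  # stand-in for the balancer's own scheduling


def cookie_value(cookie_header, name):
    """Return the value of one cookie from a raw Cookie header, or None."""
    for part in cookie_header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None


def route_request(cookie_header=""):
    """Return (backend, set_cookie) for one request.

    set_cookie is None when the client's route was honoured. Otherwise it is
    the Set-Cookie value the Header directive above would emit, because the
    balancer picked the member itself (BALANCER_ROUTE_CHANGED).
    """
    value = cookie_value(cookie_header, STICKY)
    # Assumption: the route is whatever follows the first period.
    _, sep, route = (value or "").partition(".")
    if sep and route in MEMBERS:
        return MEMBERS[route], None
    route = next(_fallback)
    return MEMBERS[route], f"{STICKY}=balancer.{route}; path=/;"


if __name__ == "__main__":
    # Constructed sample Cookie headers.
    for header in ["", "BALANCEID=nat.server1", "BALANCEID=server1",
                   "other=1; BALANCEID=balancer.server2", "BALANCEID=x.server9"]:
        print(repr(header), "->", route_request(header))
```

A value with no period, or with a route that matches no member, falls through to the balancer's own choice and is answered with a fresh cookie.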

Apache: Handling weak browsers

Normally most webservers these days that hold sensitive information allow SSL ciphers of 128 bit or higher. However, it would be nice to redirect older browsers to a different page, suggesting that they upgrade their browser to one supporting decent encryption. This can be done in Apache with mod_rewrite and enabling lower strength ciphers.

The following belongs in your SSL VirtualHost:

# If the cipher key size is under 128, i.e. the value is not 3 characters long
RewriteCond %{SSL:SSL_CIPHER_USEKEYSIZE}  <128
# AND there were some arguments in the URL (it was followed by ?something)
RewriteCond %{QUERY_STRING} .
# Redirect to lowcrypt, passing the requested URL as an argument with the
# original args (QUERY_STRING) intact
RewriteRule .*  http://lowcrypt.gatech.edu/index.php?https://%{SERVER_NAME}%{REQUEST_URI}?%{QUERY_STRING} [R,NE,L]

# If the cipher key size is under 128, i.e. the value is not 3 characters long
RewriteCond %{SSL:SSL_CIPHER_USEKEYSIZE} <128
# Redirect to lowcrypt, passing the requested URL as an argument
RewriteRule .*  http://lowcrypt.gatech.edu/index.php?https://%{SERVER_NAME}%{REQUEST_URI} [R,NE,L]

# You can tweak this to your liking, but here is a rather permissive example
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+SSLv2:+EXP:+eNULL

Note that to test this with Firefox, I had to do the following to allow weak ciphers and disable strong ones:

  1. Point the Firefox browser to “about:config”
  2. For filter, enter “ssl”
  3. Disable SSL v3 by setting "security.enable_ssl3 = false"
  4. Enable SSL v2 by setting "security.enable_ssl2 = true"
  5. I found that I had to go in and actually enable an SSL V2 cipher as well: "security.ssl2.rc2_40 = true"

Works great!

Apache: time-sensitive redirects, backdoor entry

Apache’s mod_rewrite can be used to do time-sensitive redirects… handy if you have to make a scheduled change at an inconvenient time. But even better, what if you need to get to the original site? This example also includes a URL, /backdoor, that sets a 15 min cookie and redirects to the main page, plus an exclusion so that anyone who has that cookie set is not redirected. Cool stuff.

    RewriteEngine On
    # Start redirecting after this datetime
    RewriteCond %{TIME_YEAR}%{TIME_MON}%{TIME_DAY}%{TIME_HOUR}%{TIME_MIN} >200904040900
    # Don't redirect certain paths
    RewriteCond %{REQUEST_URI} !^/favicon.ico
    RewriteCond %{REQUEST_URI} !^/webservices
    RewriteCond %{REQUEST_URI} !^/backdoor
    # Don't redirect if backdoor cookie is active
    RewriteCond %{HTTP_COOKIE} !backdoor
    # Do the rewrite
    RewriteRule .* http://mynewhostname/ [R,L]

    # Allow back door access to old site (this site) - hit /backdoor and they get a cookie for
    # 15 mins such that they won't be redirected while it is active.
    RewriteRule ^/backdoor http://myoldhostname/ [CO=backdoor:yes:myoldhostname:15:/]
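
The decision the first rule above makes for a given request, modelled in Python as an added example (not part of the original post; Python's `re` stands in for mod_rewrite's regex engine). `COOKIE_STRICT` is an assumption of this example, and the sample requests in the test are constructed.

```python
import re
from datetime import datetime

CUTOVER = "200904040900"                       # from the RewriteCond above
EXEMPT_PATHS = [r"^/favicon.ico", r"^/webservices", r"^/backdoor"]
COOKIE_LOOSE = r"backdoor"                     # the pattern used above
# Tighter alternative (assumption of this example): require the exact
# cookie name and value that the CO= flag sets.
COOKIE_STRICT = r"(?:^|;\s*)backdoor=yes(?:;|$)"


def timestamp(now):
    """TIME_YEAR..TIME_MIN concatenated. Every field is zero-padded, so
    comparing the strings orders them the same way as the times."""
    return now.strftime("%Y%m%d%H%M")


def redirects(now, uri, cookie="", cookie_pattern=COOKIE_LOOSE):
    """True if the first RewriteRule would send this request to the new host."""
    if not timestamp(now) > CUTOVER:           # string comparison, like ">..."
        return False
    # The path conditions are prefix matches, and "." matches any character.
    if any(re.search(p, uri) for p in EXEMPT_PATHS):
        return False
    # The cookie condition is matched anywhere in the whole Cookie header.
    if re.search(cookie_pattern, cookie):
        return False
    return True


if __name__ == "__main__":
    after = datetime(2009, 4, 4, 9, 1)         # constructed sample time
    for uri, cookie in [("/", ""), ("/webservices-old", ""),
                        ("/", "backdoor=yes"), ("/", "pref=nobackdoor")]:
        print(uri, repr(cookie), redirects(after, uri, cookie),
              redirects(after, uri, cookie, COOKIE_STRICT))
```

With the loose pattern, any Cookie header containing the string `backdoor` counts as the exemption; the strict pattern only accepts the cookie that `/backdoor` actually sets.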

Apache: Convert uppercase to lowercase

We had a requirement from a client whose Windows website we were migrating to UNIX that the new site be able to handle mixed case tickers, i.e., /pwc, /Pwc, /PWC, /pwC, etc. Using mod_rewrite, it was doable:

 # Take any mixed or uppercase ticker and set to lower
 RewriteMap lowercase int:tolower
 RewriteRule ^(/[A-Z]...?)$ ${lowercase:$1} [R,L]
 RewriteRule ^(/.[A-Z]..?)$ ${lowercase:$1} [R,L]
 RewriteRule ^(/..[A-Z].?)$ ${lowercase:$1} [R,L]
 RewriteRule ^(/...[A-Z])$ ${lowercase:$1} [R,L] 

This case conversion applies to any 3 or 4 character URI containing an uppercase letter. (It would probably be better to replace the “.” above with [a-zA-Z], since only letters are likely intended to match. The rules above will transform /a/BB as well, which is probably not desired.)
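
A check of which paths the four rules match, as an added example in Python (not part of the original post; Python's `re` stands in for mod_rewrite's regex engine). `LETTERS_ONLY` is the tightening suggested above, and `SINGLE` is a one-rule equivalent that is an assumption of this example.

```python
import re
from itertools import product

# The four RewriteRule patterns above, tried in order.
ORIGINAL = [r"^(/[A-Z]...?)$", r"^(/.[A-Z]..?)$",
            r"^(/..[A-Z].?)$", r"^(/...[A-Z])$"]
# The tightening suggested in the text: every "." becomes [a-zA-Z].
LETTERS_ONLY = [p.replace(".", "[a-zA-Z]") for p in ORIGINAL]
# One-rule equivalent (assumption): 3-4 letters, at least one uppercase.
SINGLE = [r"^(/(?=[a-zA-Z]*[A-Z])[a-zA-Z]{3,4})$"]


def redirect_target(path, patterns):
    """Lowercased redirect target if any pattern matches, else None."""
    for pattern in patterns:
        m = re.match(pattern, path)
        if m:
            return m.group(1).lower()   # what ${lowercase:$1} produces
    return None


def same_behaviour(a, b, alphabet="aB/1.", max_len=5):
    """Compare two rule sets on every "/" + string over a small alphabet."""
    for n in range(max_len + 1):
        for chars in product(alphabet, repeat=n):
            path = "/" + "".join(chars)
            if redirect_target(path, a) != redirect_target(path, b):
                return False
    return True


if __name__ == "__main__":
    # Constructed sample paths.
    for path in ["/pwc", "/Pwc", "/PWC", "/pwC", "/a/BB", "/1AB"]:
        print(path, redirect_target(path, ORIGINAL),
              redirect_target(path, LETTERS_ONLY))
    print(same_behaviour(LETTERS_ONLY, SINGLE))
```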

Mod_perl2, apache2.2, and CGI::Ajax notes…

Following along in my mod_perl2 notes, I wanted to document how to get CGI::Ajax working with mod_perl2. I hit a couple of snags along the way that are worth noting. First, the generated JavaScript for my functions was calling httpd? + vars, rather than my URI /modperl_handler/ajax? + vars. This was frustrating, but I determined that it was grabbing httpd from $0, so I changed it locally and the script worked after that. The second snag I hit was because I was instantiating my CGI module globally instead of locally, and I would get segfaults now and then. Instantiating it inside the handler was the right way to go. Here is a working example:

package AjaxTest;

use CGI;
use CGI::Ajax;

use Apache2::RequestRec();
use Apache2::RequestIO();
use Apache2::Const -compile => qw(OK);

sub handler {
    my ($r) = @_;

    my $cgi = new CGI;  # had this outside the handler and was getting segfaults

    # Have to redefine $0 for CGI::Ajax because it's used to call further URLs from
    # javascript ajax functions.  (otherwise it did "httpd?"...)
    local $0 = $ENV{"REQUEST_URI"};
    $0 =~ s/\?.*//;

    # Start Ajax stuff
    my $pjx = new CGI::Ajax("test_ajax" => \&test_ajax);
    # Don't compress javascript (1 for user fcns only, 2 for all)
    $pjx->JSDEBUG(1);
    # Send stderr to web logs
    $pjx->DEBUG(1);

    print $pjx->build_html( $cgi, \&base_page);
    return Apache2::Const::OK;
}

sub base_page {
    return "<html><head><title>Ajax mod_perl test</title></head><body>mod_perl 2.0.2 on apache 2.2.2 rocks! <p><div id=\"test\">Change me</div><p></body></html>\n\n";
}

sub test_ajax {
    my $time = time();
    return "Test successful; $time<p>";
}

1;