The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

SSL and keepalive (...do we really care about IE< 6?)

Discussion in 'Workarounds and Optimization' started by alphawolf50, Feb 24, 2013.

  1. alphawolf50

    alphawolf50 Well-Known Member

    Joined:
    Apr 28, 2011
    Messages:
    186
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I think this is part "feature request", part "optimization workaround"..

    I've been optimizing a server for best performance when a site desires to always serve content via HTTPS. HTTP keep-alive is especially important to HTTPS, as the TLS handshake can add an additional 200-300ms per request (based on my unscientific tests). During this optimization, I noticed this default code in httpd.conf for SSL hosts:
    Code:
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    I did a bit of searching... and it appears this is a hack to solve an issue with IE 5 and earlier. (Correct me if that's wrong, please.) The problem is that this affects *ALL* versions of IE. Now, I'm of the mind that people using even IE 6 shouldn't be on the internet, so using a hack that hurts performance for every IE user for the sake of IE 5 users just seems asinine. But perhaps my assumptions are wrong, in which case I stand corrected...

    Anyway, if we *must* have this code for every SSL host by default, could it be a bit more specific, so as not to negatively effect the performance of *every* IE user? I found this suggested replacement at the following site:https://blogs.msdn.com/b/ieinternals/archive/2011/03/26/https-and-connection-close-is-your-apache-modssl-server-configuration-set-to-slow.aspx?Redirected=true
    Code:
    BrowserMatch ".*MSIE [2-5]\..*" nokeepalive ssl-unclean-shutdown
    It looks like cPanelTristan's instructions in the following post would also be a suitable workaround for those who don't care about IE 5 users at all. Just don't do step #3 unless you really mean to disable mod_setenvif.
    https://forums.cpanel.net/f5/disable-mod_setenvif-254932.html#post1076032

    **EDIT** Better instructions!:
    I realized after posting this that the instructions I linked are suboptimal, since they require rebuilding Apache (and were written for a different purpose). We only need to rebuild httpd.conf. Stealing the first couple steps from cPanelTristan's post, here is what I actually did:

    1. Copy ssl_vhost.default to ssl_vhost.local
    Code:
    cd /var/cpanel/templates/apache2
    cp ssl_vhost.default ssl_vhost.local
    2. Comment out the SetEnvIf line in ssl_vhost.local file
    Code:
    sed -i 's/SetEnvIf/#SetEnvIf/g' /var/cpanel/templates/apache2/ssl_vhost.local
    3. Rebuild httpd.conf
    Code:
    /usr/local/cpanel/bin/apache_conf_distiller --update
    /usr/local/cpanel/bin/build_apache_conf
    4. Gracefully restart Apache:
    Code:
    service httpd graceful
     
    #1 alphawolf50, Feb 24, 2013
    Last edited: Feb 24, 2013
  2. alphawolf50

    alphawolf50 Well-Known Member

    Joined:
    Apr 28, 2011
    Messages:
    186
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I thought I should share the performance results of my above "fix". This is an extreme case, but the load time for a particular PHP page dropped from ~690ms to ~125ms in IE 9. This is for the PHP page alone (not the other resources on the page), and only if the page is retrieved before the keep-alive timeout. I've set the timeout to 15 seconds rather than 5 to increase the likelihood that his will happen. You should do your own research before increasing the keep-alive timeout, as it can have negative consequences if you are lacking in RAM. YMMV, but this adjustment is definitely shaving several tenths of a second off of subsequent page views. I wish I would have timed the complete page load time (all resources) before and after... oh well. Someone else is welcome to do so and share the results :)
     
Loading...

Share This Page