Apache 1.3 patch for ProxyPreserveHost

Thursday, 09. 17. 2009  –  Category: vague

Patch against Apache 1.3.41 (yep, still running 1.3 around the place) to backport the ProxyPreserveHost feature. I can’t remember where I found it now, but I’ve tweaked it through a few Apache revisions.

Useful for migrating sites from one host to another before or during DNS propagation.

That said, I’m using Varnish and HAProxy an increasing amount for such plumbing.

irssi client certificate patch

Thursday, 09. 17. 2009  –  Category: sw

Patch for irssi so it can prompt for your X509 client certificate correctly.

Casual Firewall / VPN benchmarking

Wednesday, 08. 12. 2009  –  Category: vague

Two datacentres, each with a pair of 2.5 GHz Xeon firewalls running OpenBSD. Benchmarking with iperf yielded the following:

  • Between firewall pair, LAN

    [ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec
    [ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec
    [ 3] 0.0-10.0 sec 1017 MBytes 853 Mbits/sec

  • Firewall to firewall between DCs, outside VPN, no PF

    [ 3] 0.0-10.0 sec 1.02 GBytes 873 Mbits/sec
    [ 3] 0.0-10.0 sec 992 MBytes 832 Mbits/sec
    [ 3] 0.0-10.0 sec 986 MBytes 827 Mbits/sec

  • Firewall to remote internal host, outside VPN, through PF NAT (rdr)

    [ 3] 0.0-10.0 sec 260 MBytes 218 Mbits/sec
    [ 3] 0.0-10.0 sec 202 MBytes 170 Mbits/sec
    [ 3] 0.0-12.3 sec 333 MBytes 228 Mbits/sec

  • Internal host to internal host, over IPsec VPN (ESP), through PF

    [ 3] 0.0-10.1 sec 43.9 MBytes 36.4 Mbits/sec
    [ 3] 0.0-10.1 sec 26.2 MBytes 21.8 Mbits/sec
    [ 3] 0.0-11.3 sec 28.0 MBytes 20.8 Mbits/sec

  • Internal host to internal host, over OpenVPN, through PF

    [ 3] 0.0-10.0 sec 161 MBytes 134 Mbits/sec
    [ 3] 0.0-10.0 sec 144 MBytes 121 Mbits/sec
    [ 3] 0.0-10.0 sec 145 MBytes 121 Mbits/sec

Care was taken to use optimal ciphers and an appropriate MTU / MSS, and the TCP stack was tuned throughout.

  • IPsec really hurts without hardware acceleration
  • There’s a surprisingly large hit for NAT alone
  • Neither VPN technology can benefit from the multiple cores available to it
  • OpenVPN’s speed is appealing, but it lacks the smooth route to high availability that IPsec on OpenBSD gets from CARP + pfsync + sasync
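To turn runs like the ones above into comparable numbers, here is a small parser for iperf 2 summary lines, added here as an example and not part of the original post or of iperf itself. It assumes iperf 2's unit conventions (the Transfer column is 1024-based, the Bandwidth column is 1000-based, which the figures above are consistent with), cross-checks each line's transfer/time against the reported rate so a mis-parsed or mis-unit line is caught rather than averaged in, and reports each scenario's mean throughput as a fraction of the LAN baseline. The five sample runs embedded in it are the post's own figures, pasted in as constructed input so the script runs offline.

```python
"""Parse iperf 2 summary lines and compare mean throughput across scenarios."""
import re
from statistics import mean

# iperf 2 prints the Transfer column in 1024-based units and the Bandwidth
# column in 1000-based units (assumption; the post's figures agree with it).
BYTE_UNIT = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
BIT_UNIT = {"K": 1e3, "M": 1e6, "G": 1e9}

# Matches lines such as "[ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec".
SUMMARY_RE = re.compile(
    r"\[\s*(?P<sid>\d+)\]\s+(?P<t0>[\d.]+)-\s*(?P<t1>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG])Bytes\s+"
    r"(?P<rate>[\d.]+)\s+(?P<runit>[KMG])bits/sec"
)


def parse_summary_line(line):
    """Return (seconds, bytes, bits_per_second), or None for a non-summary line."""
    m = SUMMARY_RE.search(line)
    if not m:
        return None
    seconds = float(m["t1"]) - float(m["t0"])
    nbytes = float(m["xfer"]) * BYTE_UNIT[m["xunit"]]
    bps = float(m["rate"]) * BIT_UNIT[m["runit"]]
    return seconds, nbytes, bps


def check_consistency(seconds, nbytes, bps, tolerance=0.02):
    """True when bytes/time agrees with the reported rate within tolerance.

    iperf rounds both columns, so a small gap is normal; a large one means the
    units or the regex did not match what the tool actually printed.
    """
    computed = nbytes * 8 / seconds
    return abs(computed - bps) / bps <= tolerance


def mean_mbps(text):
    """Mean reported throughput in Mbit/s over the summary lines in text."""
    rates = []
    for line in text.splitlines():
        parsed = parse_summary_line(line)
        if parsed is None:
            continue  # headers, blank lines, connection banners
        seconds, nbytes, bps = parsed
        if not check_consistency(seconds, nbytes, bps):
            raise ValueError(f"transfer/time disagrees with rate: {line.strip()}")
        rates.append(bps / 1e6)
    if not rates:
        raise ValueError("no iperf summary lines found")
    return mean(rates)


def relative_throughput(results, baseline):
    """Fraction of the baseline scenario's mean throughput kept by each scenario."""
    base = mean_mbps(results[baseline])
    return {name: mean_mbps(text) / base for name, text in results.items()}


# Constructed sample input: the five runs from the post, embedded inline.
RESULTS = {
    "lan": """
[ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec
[ 3] 0.0-10.0 sec 1.00 GBytes 860 Mbits/sec
[ 3] 0.0-10.0 sec 1017 MBytes 853 Mbits/sec
""",
    "wan-no-pf": """
[ 3] 0.0-10.0 sec 1.02 GBytes 873 Mbits/sec
[ 3] 0.0-10.0 sec 992 MBytes 832 Mbits/sec
[ 3] 0.0-10.0 sec 986 MBytes 827 Mbits/sec
""",
    "wan-pf-nat": """
[ 3] 0.0-10.0 sec 260 MBytes 218 Mbits/sec
[ 3] 0.0-10.0 sec 202 MBytes 170 Mbits/sec
[ 3] 0.0-12.3 sec 333 MBytes 228 Mbits/sec
""",
    "ipsec": """
[ 3] 0.0-10.1 sec 43.9 MBytes 36.4 Mbits/sec
[ 3] 0.0-10.1 sec 26.2 MBytes 21.8 Mbits/sec
[ 3] 0.0-11.3 sec 28.0 MBytes 20.8 Mbits/sec
""",
    "openvpn": """
[  3]  0.0-10.0 sec    161 MBytes    134 Mbits/sec
[  3]  0.0-10.0 sec    144 MBytes    121 Mbits/sec
[  3]  0.0-10.0 sec    145 MBytes    121 Mbits/sec
""",
}

if __name__ == "__main__":
    for name, frac in relative_throughput(RESULTS, "lan").items():
        print(f"{name:<11} {mean_mbps(RESULTS[name]):7.1f} Mbit/s  {frac:6.1%} of LAN")
```

The consistency check is the part worth keeping when you adapt this to your own runs: when a different iperf version or locale changes the unit words or the column order, the regex may still match something plausible, and the check turns that into an error instead of a silently wrong average.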