System Administration Guide: Network Services

Chapter 2 Managing Web Cache Servers

This chapter provides an overview of the Solaris Network Cache and Accelerator (NCA). Procedures for using NCA and reference material about NCA are included. Also for the Solaris 10 6/06 release, an introduction to using the Secure Sockets Layer (SSL) and procedures for using the SSL kernel proxy to improve the performance of the SSL packet processing are added.

Network Cache and Accelerator (Overview)

The Solaris Network Cache and Accelerator (NCA) increases web server performance by maintaining an in-kernel cache of web pages that are accessed during HTTP requests. This in-kernel cache uses system memory to significantly increase performance for HTTP requests that are normally handled by web servers. Using system memory to hold web pages for HTTP requests increases web server performance by reducing the overhead between the kernel and the web server. NCA provides a sockets interface through which any web server can communicate with NCA with minimal modifications.

In situations where the requested page is retrieved from the in-kernel cache (cache hit), performance improves dramatically. In situations where the requested page is not in the cache (cache miss) and must be retrieved from the web server, performance is also significantly improved.

This product is intended to be run on a dedicated web server. If you run other large processes on a server that runs NCA, problems can result.

NCA provides logging support in that NCA logs all cache hits. This log is stored in binary format to increase performance. The ncab2clf command can be used to convert the log from binary format to common log format (CLF).

The Solaris release includes the following enhancements:

Web Servers Using the Secure Sockets Layer Protocol

In the Solaris 10 6/06 release, an Apache 2.0 and a Sun Java System Web Server may be configured to use the Secure Sockets Layer (SSL) Protocol. The protocol provides confidentiality, message integrity and end point authentication between two applications. The Solaris kernel has been changed to accelerate the SSL traffic.

Managing Web Cache Servers (Task Map)

The following table describes the procedures that are needed to use NCA or SSL.

Task 

Description 

For Instructions 

Planning for NCA 

A list of issues to be resolved before you enable the use of NCA. 

Planning for NCA

Enabling NCA 

Steps to enable in-kernel caching of web pages on a web server. 

How to Enable Caching of Web Pages

Disabling NCA 

Steps to disable in-kernel caching of web pages on a web server. 

How to Disable Caching of Web Pages

Administering NCA logging 

Steps to enable or disable the NCA logging process. 

How to Enable or Disable NCA Logging

Loading the NCA socket library 

Steps to use NCA if the AF_NCA socket is not supported. 

How to Load the Socket Utility Library for NCA

Using the SSL kernel proxy with an Apache 2.0 web server 

Steps to use the SSL kernel proxy with a web server to improve SSL packet processing. 

How to Configure an Apache 2.0 Web Server to Use the SSL Kernel Proxy

Using the SSL kernel proxy with a Sun Java System Web Server 

Steps to use the SSL kernel proxy with a web server to improve SSL packet processing. 

How to Configure a Sun Java System Web Server to Use the SSL Kernel Proxy

Using the SSL kernel proxy with a web server in a local zone 

Steps to use the SSL kernel proxy with a web server in a local zone. 

Using the SSL Kernel Proxy in Zones

Planning for NCA

The following sections cover the issues that need to be resolved before starting the NCA service.

System Requirements for NCA

To support NCA, the system must meet these requirements:

This product is intended to be run on a dedicated web server. The running of other large processes on a server that runs NCA can cause problems.

NCA Logging

The NCA service can be configured to log web activity. Generally, NCA logging should be enabled if the web server logging is enabled.

Interpositioning Library for Daemon Support of the Door Server

Many web servers use AF_INET sockets. By default, NCA uses AF_NCA sockets. To correct this situation, an interpositioning library is provided. The new library is loaded in front of the standard socket library, libsocket.so. The library call bind() is interposed by the new library, ncad_addr.so. Suppose that the status is enabled in /etc/nca/ncakmod.conf. The version of Apache that is included with the Solaris 9 and Solaris 10 release is already set up to call this library. If you are using IWS or Netscape servers, see How to Load the Socket Utility Library for NCA to use the new library.

Multiple Instance Support

Systems that have NCA installed often need to run multiple instances of a web server. For instance, a single server might need to support a web server for outside access as well as a web administration server. To separate these servers, you would configure each server to use a separate port.

Administering the Caching of Web Pages (Tasks)

The following sections cover the procedures to enable or disable parts of the service.

ProcedureHow to Enable Caching of Web Pages

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Register the interfaces.

    Type the names of each of the physical interfaces in the /etc/nca/nca.if file. See the nca.if(4) man page for more information.


    # cat /etc/nca/nca.if
    hme0
    hme1

    Each interface must have an accompanying hostname.interface-name file and an entry in /etc/hosts file for the contents of hostname.interface-name. To start the NCA feature on all interfaces, place an asterisk, *, in the nca.if file.

  3. Enable the ncakmod kernel module.

    Change the status entry in /etc/nca/ncakmod.conf to enabled.


    # cat /etc/nca/ncakmod.conf
    #
    # NCA Kernel Module Configuration File
    #
    status=enabled
    httpd_door_path=/var/run/nca_httpd_1.door
    nca_active=disabled

    See the ncakmod.conf(4) man page for more information.

  4. (Optional) Enable NCA logging.

    Change the status entry in /etc/nca/ncalogd.conf to enabled.


    # cat /etc/nca/ncalogd.conf
    #
    # NCA Logging Configuration File
    #
    status=enabled
    logd_path_name="/var/nca/log"
    logd_file_size=1000000

    You can change the location of the log file by changing the path that is indicated by the logd_path_name entry. The log file can be a raw device or a file. See the following examples for samples of NCA log file paths. See the ncalogd.conf(4) man page for more information about the configuration file.

  5. (Optional) Define ports for multiple instance support.

    Add the port numbers in the /etc/nca/ncaport.conf file. This entry causes NCA to monitor port 80 on all configured IP addresses.


    # cat /etc/nca/ncaport.conf
    #
    # NCA Kernel Module Port Configuration File
    #
      .
      .
    ncaport=*/80
    
  6. For x86 only: Increase the virtual memory size.

    Use the eeprom command to set the kernelbase of the system.


    # eeprom kernelbase=0x90000000
    # eeprom kernelbase
    kernelbase=0x90000000

    The second command verifies that the parameter has been set.


    Note –

    By setting the kernelbase, you reduce the amount of virtual memory that user processes can use to less than 3 Gbytes. This restriction means that the system is not ABI compliant. When the system boots, the console displays a message that warns you about noncompliance. Most programs do not actually need the full 3–Gbyte virtual address space. If you have a program that needs more than 3 Gbytes, you need to run the program on a system that does not have NCA enabled.


  7. Reboot the server.


Example 2–1 Using a Raw Device as the NCA Log File

The logd_path_name string in ncalogd.conf can define a raw device as the place to store the NCA log file. The advantage to using a raw device is that the service can run faster because the overhead in accessing a raw device is less.

The NCA service tests any raw device that is listed in the file to ensure that no file system is in place. This test ensures that no active file systems are accidentally written over.

To prevent this test from finding a file system, run the following command. This command destroys part of the file system on any disk partition that had been configured as a file system. In this example, /dev/rdsk/c0t0d0s7 is the raw device that has an old file system in place.


# dd if=/dev/zero of=/dev/rdsk/c0t0d0s7 bs=1024 count=1

After running dd, you can then add the raw device to the ncalogd.conf file.


# cat /etc/nca/ncalogd.conf
#
# NCA Logging Configuration File
#
status=enabled
logd_path_name="/dev/rdsk/c0t0d0s7"
logd_file_size=1000000


Example 2–2 Using Multiple Files for NCA Logging

The logd_path_name string in ncalogd.conf can define multiple targets as the place to store the NCA log file. The second file is used when the first file is full. The following example shows how to select to write to the /var/nca/log file first and then use a raw partition.


# cat /etc/nca/ncalogd.conf
#
# NCA Logging Configuration File
#
status=enabled
logd_path_name="/var/nca/log /dev/rdsk/c0t0d0s7"
logd_file_size=1000000

ProcedureHow to Disable Caching of Web Pages

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Disable the ncakmod kernel module.

    Change the status entry in /etc/nca/ncakmod.conf to disabled.


    # cat /etc/nca/ncakmod.conf
    # NCA Kernel Module Configuration File
    #
    status=disabled
    httpd_door_path=/var/run/nca_httpd_1.door
    nca_active=disabled

    See the ncakmod.conf(4) man page for more information.

  3. Disable NCA logging.

    Change the status entry in /etc/nca/ncalogd.conf to disabled.


    # cat /etc/nca/ncalogd.conf
    #
    # NCA Logging Configuration File
    #
    status=disabled
    logd_path_name="/var/nca/log"
    logd_file_size=1000000

    See the ncalogd.conf(4) man page for more information.

  4. Reboot the server.

ProcedureHow to Enable or Disable NCA Logging

NCA logging can be turned on or turned off, as needed, after NCA has been enabled. See How to Enable Caching of Web Pages for more information.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Change NCA logging.

    To permanently disable logging, you need to change the status in /etc/nca/ncalogd.conf to disabled and reboot the system. See the ncalogd.conf(4) man page for more information.

    1. Stop logging.


      # /etc/init.d/ncalogd stop
      
    2. Start logging.


      # /etc/init.d/ncalogd start
      

How to Load the Socket Utility Library for NCA

Follow this process only if your web server does not provide native support of the AF_NCA socket.

In the startup script for the web server, add a line that causes the library to be preloaded. The line should resemble the following:


LD_PRELOAD=/usr/lib/ncad_addr.so /usr/bin/httpd

ProcedureHow to Add a New Port to the NCA Service

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Add a new port.

    Add a new port entry to /etc/nca/ncaport.conf. This example adds port 8888 on IP address 192.168.84.71. See ncaport.conf(4) for more information.


    # cat /etc/nca/ncaport.conf
    #
    # NCA Kernel Module Port Configuration File
    #
      .
      .
    ncaport=*/80
    ncaport=192.168.84.71/8888
    
  3. Start a new web instance.

    An address needs to be in the file that contains the NCA port configurations before a web server can use the address for NCA. If the web server is running, it must be restarted after the new address is defined.

ProcedureHow to Configure an Apache 2.0 Web Server to Use the SSL Kernel Proxy

This procedure should be used to improve the performance of SSL packet process on an Apache 2.0 web server.

Before You Begin

The following procedure requires that an Apache 2.0 web server has been installed and configured. The Apache 2.0 web server is included in the Solaris 10 release.

To use the SSL kernel proxy, the server private key and the server certificate need to exist in a single file. If only the SSLCertificateFile parameter is specified in the ssl.conf file, then the specified file can be used directly for kernel SSL. If the SSLCertificateKeyFile parameter is also specified, then the certificate file and the private key file need to be combined. One way to combine the certificate and the key file is to run the following command:


# cat cert.pem key.pem >cert-and-key.pem
  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration The ksslcfg command is included in the Network Security profile.

  2. Stop the web server.

    This command will stop the web server on a system in which the server is configured to run using SMF.


    # svcadm disable svc:/network/http:apache2
    

    If the service has not be converted yet, stop the service with this command syntax: /usr/apache2/bin/apachectl stop

  3. Determine what parameters to use with the ksslcfg command.

    All of the options are listed in the ksslcfg(1M) man page. The parameters that you must have information for are:

    • key-format – Used with the -f option to define the certificate and key format. For the SSL kernel proxy the value should be either pem or pkcs12.

    • key-and-certificate-file – Used with the -i option to set the location of the file that stores to server key and the certificate.

    • password-file – Used with the -p option to select the location of the file that includes the password used to encrypt the private key. This password is used to allow unattended reboots. The permissions on the file should be 0400.

    • proxy-port – Used with the -x option to set the SSL proxy port. Select a different port than the standard port 80.

    • ssl-port – Selects the port of the server application. Normally this is set to 443.


    Note –

    The ssl-port and the proxy-port values can not be configured for NCA since these ports are used exclusively by the SSL kernel proxy. Usually, port 80 is used for NCA, port 8080 for the proxy-port and 443 for the ssl-port


  4. Create the service instance.

    The ksslcfg command to specify the SSL proxy port and associated parameters.


    ksslcfg create -f key-format -i key-and-certificate-file -p password-file -x proxy-port ssl-port
    
  5. Verify that the instance was created properly.

    The service state reported by the following command should be “online”.


    # svcs svc:/network/ssl/proxy
    
  6. Configure the web server to listen on the SSL proxy port.

    Edit the /etc/apache2/http.conf file and add a line to define the SSL proxy port. If you use the servers IP address, then the web server will only listen on that interface. The line should look like:


    Listen 0.0.0.0:proxy-port
    
  7. Set an SMF dependency for the web server.

    The web server should only be started after the SSL kernel proxy instance. The following commands establish that dependency.


    # svccfg -s svc:/network/http:apache2
    svc:/network/http:apache2> addpg kssl dependency
    svc:/network/http:apache2> setprop kssl/entities = fmri:svc:/network/ssl/proxy:kssl-INADDR_ANY-443
    svc:/network/http:apache2> setprop kssl/grouping = astring: require_all
    svc:/network/http:apache2> setprop kssl/restart_on = astring: refresh
    svc:/network/http:apache2> setprop kssl/type = astring: service
    svc:/network/http:apache2> end
    
  8. Enable the web server.


    # svcadm enable svc:/network/http:apache2
    

    If the service is not started using SMF, use the following command: /usr/apache2/bin/apachectl startssl


Example 2–3 Configuring an Apache 2.0 Web Server to Use the SSL Kernel Proxy

The following command creates an instance using the pem key format.


# ksslcfg create -f pem -i cert-and-key.pem -p file -x 8080 443

ProcedureHow to Configure a Sun Java System Web Server to Use the SSL Kernel Proxy

This procedure should be used to improve the performance of SSL packet process on a Sun Java System Web Server. See the Sun Java System Web Server 7.0 Update 1 Administrator’s Guide for information about this web server.

Before You Begin

The following procedure requires that a Sun Java System Web Server has been installed and configured.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration The ksslcfg command is included in the Network Security profile.

  2. Stop the web server.

    Use the administrator web interface to stop the server. See Starting and Stopping the Server in the Sun Java System Web Server 7.0 Update 1 Administrator’s Guidefor more information.

  3. Determine what parameters to use with the ksslcfg command.

    All of the options are listed in the ksslcfg(1M) man page. The parameters that you must have information for are:

    • key-format – Used with the -f option to define the certificate and key format.

    • token-label – Used with the -T option to specify the PKCS#11 token.

    • certificate-label – Used with the -C option to select the label in the certificate object in the PKCS#11 token

    • password-file – Used with the -p option to select the location of the file that includes the password used to login the user to the PKCS#11 token used by the web server.. This password is used to allow unattended reboots. The permissions on the file should be 0400.

    • proxy-port– Used with the -x option to set the SSL proxy port. Select a different port than the standard port 80.

    • ssl-port – Defines the port of the server application. This value is set in the server.xml file. Normally this value is set to 443.


    Note –

    The ssl-port and the proxy-port values can not be configured for NCA since these ports are used exclusively by the SSL kernel proxy. Usually, port 80 is used for NCA, port 8080 for the proxy-port and 443 for the ssl-port


  4. Create the service instance.

    The ksslcfg command to specify the SSL proxy port and associated parameters.


    ksslcfg create -f key-format -T PKCS#11-token -C certificate-label -p password-file -x proxy-port ssl-port
    
  5. Verify that the instance was created properly.

    The service state reported by the following command should be “online”.


    # svcs svc:/network/ssl/proxy
    
  6. Configure the web server to listen on the SSL proxy port.

    See Adding and Editing Listen Sockets in the Sun Java System Web Server 7.0 Update 1 Administrator’s Guide for more information.

  7. Start the web server.


Example 2–4 Configuring a Sun Java System Web Server to Use the SSL Kernel Proxy

The following command creates an instance using the pkcs11 key format.


# ksslcfg create -f pkcs11 -T "NSS Internal PKCS #11 Module" -C "Server-Cert" -p file -x 8080 443

Using the SSL Kernel Proxy in Zones

The SSL Kernel Proxy works in zones with the following limitations:


Example 2–5 Configuring an Apache Web Server in a Local Zone to Use the SSL Kernel Proxy

In the local zone, first stop the web server. In the global zone do all of the steps to configure the service. To create a instance for a local zone called apache-zone, use the following command:


# ksslcfg create -f pem -i /zone/apache-zone/root/keypair.pem -p /zone/apache-zone/root/pass \
    -x 8080 apache-zone 443

In the local zone, run the following command to enable the service instance:


# svcadm enable svc:/network/http:apache2

Caching Web Pages (Reference)

The following sections cover the files and the components that are needed to use NCA. Also, specifics about how NCA interacts with the web server are included.

NCA Files

You need several files to support the NCA feature. Many of these files are ASCII, but some of the files are binary. The following table lists all of the files.

Table 2–1 NCA Files

File Name 

Function 

/dev/nca

The path name for the NCA device. 

/etc/hostname.*

File that lists all physical interfaces that are configured on the server. 

/etc/hosts

File that lists all host names that are associated with the server. Entries in this file must match entries in /etc/hostname.* files for NCA to function.

/etc/init.d/ncakmod

Script that starts the NCA server. This script is run when a server is booted. 

/etc/init.d/ncalogd

Script that starts NCA logging. This script is run when a server is booted. 

/etc/nca/nca.if

File that lists the interfaces on which NCA is run. See the nca.if(4) man page for more information.

/etc/nca/ncakmod.conf

File that lists configuration parameters for NCA. See the ncakmod.conf(4) man page for more information.

/etc/nca/ncalogd.conf

File that lists configuration parameters for NCA logging. See the ncalogd.conf(4) man page for more information.

/etc/nca/ncaport.conf

File that lists the IP addresses and the ports for NCA. See the ncaport.conf(4) man page for more information.

/usr/bin/ncab2clf

Command that is used to convert data in the log file to the common log format. See the ncab2clf(1) man page for more information.

/usr/lib/net/ncaconfd

Command that is used to configure NCA to run on multiple interfaces during boot. See the ncaconfd(1M) man page for more information.

/usr/lib/nca_addr.so

Library that uses AF_NCA sockets instead of AF_INET sockets. This library must be used on web servers that use AF_INET sockets. See the ncad_addr(4) man page for more information.

/var/nca/log

File that holds the log file data. The file is in binary format, so do not edit it. 

/var/run/nca_httpd_1.door

The door path name. 

NCA Architecture

The NCA feature includes the following components.

The kernel module ncakmod maintains the cache of web pages in system memory. The module communicates with a web server, httpd, through a sockets interface. The family type is PF_NCA.

The kernel module also provides a logging facility that logs all HTTP cache hits. NCA logging writes HTTP data to the disk in binary format. NCA provides a conversion utility for converting binary log files to common log format (CLF).

The following figure shows the flow of data for the conventional path and the path that is used when NCA is enabled.

Figure 2–1 Data Flow With the NCA Service

Flow diagram shows the flow of data from a client request
through the NCA layer in the kernel.

NCA to Httpd Request Flow

The following list shows the request flow between the client and the web server.

  1. An HTTP request is made from the client to the web server.

  2. If the page is in cache, the in-kernel cache web page is returned.

  3. If the page is not in cache, the request goes to the web server to retrieve or update the page.

  4. Depending on the HTTP protocol semantics that are used in the response, the page is cached or not. Then the page is returned to the client. If the Pragma: No-cache header is included in the HTTP request, the page is not cached.