better web performance?
-
@Sebastian-Roth I am glad to see that you took the time to investigate this setting. I am definitely a newbie here. FOG has so many thing I don’t understand yet, but I am trying. It’s a greet project which already saved me a lot of work, so I am trying to help make it even better, and I am really glad to see your positive attitude. Devs often feels attacked and decline every idea arrogantly.
I think I am going to follow your advice and install a new FOG server from the beginning.From my experience proxying and using separate ports makes these things even more complicated and prone to errors.
Of course proxying just a workaround now, and I think I complicated it unnecessarily. I try to rethink it and do it again without proxy. I keep you updated.
-
@Sebastian-Roth Well proxying was just overcomplicated. I could just copy the 443 virtualhost as 444, remove the KeepAlive and change the SSL cert.
Why I prefer this solution?- after an update I just have to check wheter the virtualhost config changed, and copy the chages, and I don’t need to touch the FOG code.
- I can left the KeepAlive on it’s place, maybe it is important.
- have the little better response time
However if it is safe to remove KeepAlive, then running just a script after upgrade is not a big deal.
-
@Gabor said in better web performance?:
if the default is to not use https, I think I turned it on. I didn’t know that clients use encryption over http.
So if you run into a road block on your current path, what I’m recommending is that you think about resetting the FOG server back to default settings (your existing fog client installs will need to be address to fix the certificates) then do what you suggested in your post "I could just copy the 443 virtualhost as 444"but instead of creating a virtual host just setup https on your fog server. There is really 2 sides to this equation. First you have all of the fog inner workings of pxe booting and fog clients. Leave them on port 80. Second use your enterprise ssl certificates on the https port. (actually I’m going to be doing something similar in about a week to our fog server because more browsers are complaining about http sites.)
The fog clients use the certificate of the fog install to communicate over http. If you reinstall your fog server new certificates are created. The fog clients out in the wild will not be able to communicate with the fog server if this happens. On a fresh fog client install the fog client reaches out to the fog server and downloads the certificate, so in a way the fog client tattoos itself to the FOG server. The intent is to keep rogue fog servers from doing bad things to your target computers via the FOG client communications.
The server by the way is an Intel i3 540@3GHz (4core) with 8G RAM. (but I can change it later if it’s needed)
So in regards to performance: your CPU is sufficient. In my home lab I have fog (still 1.4.4) running on a raspberry PI. So the CPU performance is not really a factor. For disclosure I don’t have any fog clients hitting the Raspberry PI either. What disk subsystem does your FOG server have in it? Is it a single spinning disk, SSD or a raid array? As for the network a single 1GbE interface is sufficient for 100 clients. You can saturate a 1GbE link with 3 simultaneous unicast imaging, just be aware. Adding additional network adapter and setting up a LAG group will help here but only under heavy network traffic. I think I would focus on disk subsystem and the top processes in
topto start to understand why the server appears slow.Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
-
@george1421 I think I will give it a try. Really fog clients and pxe boot is secure even on http? I will try it in a test environment with a new vm server , then I just have to figure out how to reinstall the FOG clients to connect them to the new server. What do you think is it possible with a snippet? So the clients basically reinstall themselves?
If you reinstall your fog server new certificates are created
What if I inject my own key,crt,ca files at this point of the installation and enable https as in the first install?
The “server” by the way just a desktop computer I picked up from a storeroom of old stuff when I heard about FOG, and wanted to try it out. Running debian on a 1TB sata software RAID1, and as I monitored with iostat it is performing well.
-
@Gabor said in better web performance?:
I think I will give it a try. Really fog clients and pxe boot is secure even on http?
As I said before the fog clients communicate using the ssl certificate over http. So the communications is encrypted and protected from remote command injection. You have to think about what pxe booting is really doing. pxe booting involves moving bzImage and init.xz between the FOG Server and target computer. There is nothing in bzImage/init.xz (FOS Linux) that is not publicly available to download. There is no PII or really any data that you need to protect.
I will try it in a test environment with a new vm server , then I just have to figure out how to reinstall the FOG clients to connect them to the new server.
I don’t use the fog client in my environment, but if you were to look into the fog client directory on the target computer, I bet you would find the certificate it downloads from the FOG server. One might think you could swap that certificate with one from the new fog server and live happily.
What if I inject my own key,crt,ca files at this point of the installation and enable https as in the first install?
I haven’t looked at the installer scirpt, but I bet it calls openssl to create the certificates. If one would short circuit that code and slip his/her enterprise certificates in its place, would the fog installer know any difference?
The “server” by the way just a desktop computer I picked up from a storeroom of old stuff when I heard about FOG, and wanted to try it out. Running debian on a 1TB sata software RAID1, and as I monitored with iostat it is performing well.
I was kind of figuring your disk subsystem might be the slowness in your environment. If you were to rebuild your fog server OS again on a 128GB SSD and then before installing FOG mount that 1TB software raid onto /images then install FOG that would help with your performance. All of the images will be kept on the slower 1TB array with the OS on the SSD. That single disk spindle will hurt you if you try to deploy 2 images at the same time, but for a single deployment it will work just OK.
-
@Gabor said in better web performance?:
Really fog clients and pxe boot is secure even on http?
As George already said, fog-client communication is encrypted and save but PXE boot over HTTP is not. So unless you use join multicast sessions or other PXE menu things that ask FOG credentials you don’t need to worry.
I will try it in a test environment with a new vm server , then I just have to figure out how to reinstall the FOG clients to connect them to the new server.
I don’t use the fog client in my environment, but if you were to look into the fog client directory on the target computer, I bet you would find the certificate it downloads from the FOG server. One might think you could swap that certificate with one from the new fog server and live happily.
Not that easy, sorry. The cert is being installed into the Windows certificate store. So you’d need to find a way to remove and install certs from that using some kind of automated way. Doing it manually for 100 clients is a nightmare. There have been a few people in the forums trying to automate this but I think we never got any detailed feedback on how they did it, see 1, 2, 3. I have too many other things on my list and never really looked into this myself.
What if I inject my own key,crt,ca files at this point of the installation and enable https as in the first install?
I haven’t looked at the installer scirpt, but I bet it calls openssl to create the certificates. If one would short circuit that code and slip his/her enterprise certificates in its place, would the fog installer know any difference?
While it might work for PXE boot this would surely break the fog-client communication. As described in the wiki the current fog-client code checks the common name of the certificate to be
FOG Server CA. I am fairly sure not too many CAs will allow you to generate a sub CA using that CN (common name). I know this is not good practice but it’s not me who came up with this initially and I have thought about different ways to get away from this. Sure we could remove that restriction and allow for any certificate to be used by the fog-client. I am open to discuss this with all of you. Though on the other hand I am questioning the secure encrypted communication over plain HTTP altogether with HTTPS becoming state of the art more and more. But moving FOG and the fog-client to be HTTPS only and remove the internal encryption is a major project which I don’t have the time to right now.Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
@Sebastian-Roth I went trough the topics you linked, and considering all the trouble just to reach the webUI trough 443 instead of 444 which I already have, I decided I am fine with 444
As described in the wiki the current fog-client code checks the common name of the certificate to be FOG Server CA […] Sure we could remove that restriction and allow for any certificate to be used by the fog-client.
Absolutely as the FOG client has a configured server address any cert which is considered secure (matching ip or domain, and signed with a known issuer) should be sufficient.
By the way I noticed that FOG client installs two CAs. Why it is needed?
-
@Sebastian-Roth said in better web performance?:
@Gabor said in better web performance?:
Not that easy, sorry. The cert is being installed into the Windows certificate store.Just for completeness, the windows
certutil.exeprogram can be used to automate adding and removing certificates from the local cert store. You can deploy the command as a snapin (with the new certificates) or with your favorite application deployment tool. I suppose you could deploy the certificates with an AD GPP too, but I haven’t looked into that. -
@Gabor said in better web performance?:
By the way I noticed that FOG client installs two CAs. Why it is needed?
The other one is for code signing.
-
The FOG Server CA was used as a way for us to verify the information being received from the server is indeed from the server it’s requesting it from. When the client gets installed, it downloads the CA from the server you configure. When it does this, the certificate is Pinned to the client. This way the client can trust the information from the server is indeed from that server.
When the client checks in, it uses the certificate to encrypt its information and sends the encryption key (reset every 30 minutes) it is looking for. This way the fog server can trust the initial authentication attempt from the client, and then you have 2 way trust, essentially.
So data being sent from the client or to the client is always encrypted.
Client -> Server (CA Cert initial authorization) -> Client uses this encryption to pass the FOG Server the key it randomly created to encrypt each message.
Server -> Client (using key sent above) 1 way trust
Client -> Server (using its encryption key) 1 way trustEach cycle the client must reauthorize at least:
Client -> Server (using ca cert and its encryption key)
Server -> Client (using the encryption key)
Both sides now trust the other until the 30 minute timeout at least.If at any point, the authorization process fails, no information is stored on the server and the client will keep trying to reauthorize. No trust and the server cannot do anything with the client data.
If, say, you authorize successfully, and then reboot the client into another operating system with a client as well, the authorization will then fail and remove the ability to access for the client even on the “working OS”. (Invalid Security Token) You can fix this by resetting encryption data, but it can also be a good indicator of attack.
This all works regardless of the http/https debate going on here. All the data passed between client and server is encrypted in some way. The key in use for regular connections is never passed in clear text. The data is never passed in clear text.
-
@george1421 said in better web performance?:
… "I could just copy the 443 virtualhost as 444"but instead of creating a virtual host just setup https on your fog server. There is really 2 sides to this equation. First you have all of the fog inner workings of pxe booting and fog clients. Leave them on port 80. Second use your enterprise ssl certificates on the https port. (actually I’m going to be doing something similar in about a week to our fog server because more browsers are complaining about http sites.)
I’ve started outlining a basic (hack) configuration here to add ssl support to the FOG sever without much pain or messing with PXE or FOG Clients. https://forums.fogproject.org/topic/14464/adding-https-support-to-fog-server-with-centos-7
So far its working.
