    Gabor

    @Gabor

    Best posts made by Gabor

    • RE: better web performance?

      @Sebastian-Roth I am glad to see that you took the time to investigate this setting. I am definitely a newbie here. FOG has so many things I don’t understand yet, but I am trying. It’s a great project which already saved me a lot of work, so I am trying to help make it even better, and I am really glad to see your positive attitude. Devs often feel attacked and decline every idea arrogantly.
      I think I am going to follow your advice and install a new FOG server from the beginning.

      From my experience proxying and using separate ports makes these things even more complicated and prone to errors.

      Of course proxying is just a workaround now, and I think I complicated it unnecessarily. I will try to rethink it and do it again without a proxy. I will keep you updated.

      posted in General
      Gabor

    Latest posts made by Gabor

    • RE: better web performance?

      @Sebastian-Roth I went through the topics you linked, and considering all the trouble just to reach the webUI through 443 instead of 444 which I already have, I decided I am fine with 444 🙂

      As described in the wiki the current fog-client code checks the common name of the certificate to be FOG Server CA […] Sure we could remove that restriction and allow for any certificate to be used by the fog-client.

      Absolutely as the FOG client has a configured server address any cert which is considered secure (matching ip or domain, and signed with a known issuer) should be sufficient.

      By the way I noticed that the FOG client installs two CAs. Why is that needed?

      posted in General
      Gabor
    • RE: better web performance?

      @george1421 I think I will give it a try. Are fog clients and pxe boot really secure even on http? I will try it in a test environment with a new vm server, then I just have to figure out how to reinstall the FOG clients to connect them to the new server. What do you think, is it possible with a snippet? So the clients basically reinstall themselves?

      If you reinstall your fog server new certificates are created

      What if I inject my own key,crt,ca files at this point of the installation and enable https as in the first install?

      The “server” by the way is just a desktop computer I picked up from a storeroom of old stuff when I heard about FOG, and wanted to try it out. It is running debian on a 1TB sata software RAID1, and as I monitored with iostat it is performing well.

      posted in General
      Gabor
    • RE: better web performance?

      @Sebastian-Roth Well proxying was just overcomplicated. I could just copy the 443 virtualhost as 444, remove the KeepAlive and change the SSL cert.
      Why do I prefer this solution?

      • after an update I just have to check whether the virtualhost config changed, and copy the changes, and I don’t need to touch the FOG code.
      • I can leave the KeepAlive in its place, maybe it is important.
      • I have the slightly better response time

      However if it is safe to remove KeepAlive, then running just a script after upgrade is not a big deal.

      posted in General
      Gabor
    • RE: better web performance?

      @george1421 if the default is to not use https, I think I turned it on. I didn’t know that clients use encryption over http.
      The server by the way is an Intel i3 540@3GHz (4core) with 8G RAM. (but I can change it later if it’s needed)

      posted in General
      Gabor
    • RE: better web performance?

      @george1421 said in better web performance?:

      I guess I have a few comments here.

      1. Where are you seeing a slow web interface?

      Not slow but rather lagging, it’s about 1-2 tenths of a second, which is enough to feel that it is not responding well.

      1. What version of FOG are you using?

      1.5.8

      1. How many computers in your environment have the FOG client installed?

      About a hundred, but I feel the lag even if they are all turned off.

      1. What is your FOG client check in period (time interval)?

      I don’t know, default.

      There are some things that can be done post install to help improve performance quite a bit.

      Now this is just a suspicion, but with apache why not just create a new virtual site on http port 443 and use your enterprise certs here? PXE booting and fog client will continue to use port 80 which will not have ssl turned on.

      I don’t know about pxe booting, but my fog clients use https, and I think they should for security reasons.

      If your goal is to use your company signed certs for just the web interface then do that. You may have to play with the default (index.php/index.html) so if people land without a path it redirects to the https interface. I would think both the fog client and pxe booting would know the fully defined path to the files they want.

      As I mentioned I have tried to change the default cert, but it is not so easy. And my point here is that with this proxy I ended up in an overall better situation, where I even got rid of the lag. Maybe this doesn’t annoy others as it does me, but I am really happy that it’s gone. And it would be even better if I could turn off ssl and enable Keepalive behind the proxy. And I think some modification would be enough on the port 80 virtualhost, but as I don’t understand the mechanisms I am afraid to touch those settings.

      Personally I’ve wanted the developers to move the fog client target port to something other than 80 so the current ssl certs and methodology can continue for the fog client without changing much code. Performance wise its still the same since its the fog server as a whole that has the impact on performance.

      posted in General
      Gabor
    • better web performance?

      I don’t completely understand how fog works, so if it’s stupid I am sorry 🙂

      As I understand it now, the https server works as a user interface, and is also used when booting machines and communicating with fog clients and who knows for what else. I always felt the web interface laggy, and now I think it is because of the “KeepAlive Off” in the apache config, which I think is needed because of the pxe boot (or whatever).

      I wanted to reach the fog web ui with company signed cert. Thanks @Sebastian-Roth for trying to help me,
      but it was too complicated, and I messed it up.

      So I decided that I will use my cert on tcp 444 and proxy the requests to the original site locally or to the same virtualhost that fog generated but on a different port (81) without ssl (why use ssl locally?) and also removed the KeepAlive Off setting. Unfortunately this doesn’t work because the program doesn’t handle the different port number and as I see some requests are “misrouted”. But if I use the original 443 instead of 81, it works (not tested too much yet), and I still notice that the site response time is better (on 444 than on 443).

      So if it is possible I think it is worth considering separating the web and this way gaining some speed on the ui, and it would also be easier to install custom certs.

      What do you think?

      posted in General
      Gabor
    • RE: Change existing Fog server to force HTTPS using Enterprise CA for certs

      @Gabor Ok I definitely can’t understand how this forum works 😛

      posted in Tutorials
      Gabor
    • RE: Change existing Fog server to force HTTPS using Enterprise CA for certs

      @Sebastian-Roth UPDATE2: I tried again with the correct apache config this time, but it doesn’t work. No pxe boot, no fog client 😞

      posted in Tutorials
      Gabor
    • RE: Change existing Fog server to force HTTPS using Enterprise CA for certs

      @Sebastian-Roth Thank you for your reply.
      I only want to reach the website with my own cert, so I followed the steps from the wiki from this section “Use your custom CA for Apache configuration only but stick to FOG CA…”

      I generated and signed a cert with the same data (CN=<IP>, subjAltname=IP:<IP>,DNS:<domain>) as in the original and did everything exactly as in the wiki.

      The only thing working now with the new cert is the website.
      I am not at my workplace but because of the long booting time I can tell that something is wrong with the pxe boot as well as with the fog client, because I can’t send a shutdown command to the clients. (I can login via RDP)
      Fog client doesn’t work even after reinstall.

      I see now it is too complicated (as you mentioned) so I would rather roll back everything and wait until this custom ca is supported by the project.

      Now I am thinking about some reverse proxy solution to reach the fog web with the company cert.
      UPDATE: I messed up the apache config, maybe that’s why the pxe and fog client didn’t work. Sorry, I’ll try it again

      posted in Tutorials
      Gabor
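The posts above describe a certificate with CN=<IP> and subjectAltName=IP:<IP>,DNS:<domain>, and the idea that a certificate "matching ip or domain, and signed with a known issuer" should be acceptable. The following is an added example, not code from the FOG project or from the posts, showing how to check both properties with the openssl command line before putting such a certificate on a virtualhost. The CA name, the address 192.0.2.10 and the name fog.example.test are constructed test values, and the check handles IPv4 addresses and DNS names only.

```shell
#!/bin/sh
# Added example: throwaway CA and server certificate, all values constructed.

make_test_pki() {   # usage: make_test_pki DIR IP DNSNAME
    d=$1 ip=$2 dns=$3
    # Throwaway CA, self-signed with an explicit CA:TRUE extension.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.csr" >/dev/null 2>&1 || return 1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/ca.crt" >/dev/null 2>&1 || return 1
    # Server certificate with the layout from the post:
    # CN=<IP>, subjectAltName=IP:<IP>,DNS:<domain>
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$ip" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=IP:%s,DNS:%s\n' "$ip" "$dns" > "$d/server.ext"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/server.ext" \
        -out "$d/server.crt" >/dev/null 2>&1
}

check_server_cert() {   # usage: check_server_cert CA_FILE CERT_FILE NAME_OR_IPV4
    ca=$1 cert=$2 name=$3
    # 1) The chain must verify against the issuer we trust.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' || return 1
    # 2) The address the client connects to must appear in the certificate.
    case $name in
        *[!0-9.]*) flag=-checkhost ;;   # anything but digits and dots: DNS name
        *)         flag=-checkip ;;     # dotted IPv4 address
    esac
    # openssl prints "does match" or "does NOT match"; parse the text
    # instead of relying on the exit status.
    openssl x509 -in "$cert" -noout "$flag" "$name" 2>/dev/null |
        grep -q 'does match certificate'
}

# Demo run with constructed values.
dir=$(mktemp -d) && make_test_pki "$dir" 192.0.2.10 fog.example.test
for n in 192.0.2.10 fog.example.test 192.0.2.99; do
    if check_server_cert "$dir/ca.crt" "$dir/server.crt" "$n"; then
        echo "$n: accepted"
    else
        echo "$n: rejected"
    fi
done
```

To check a real deployment, call `check_server_cert` with the company CA file, the certificate installed on the virtualhost, and the exact address the clients are configured to use.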