Improve OS X Server Performance for IE Browsers

Photo of Greg
Photo by U.S. National Archives -

Whatever you might think of Internet Explorer, unless you want IE users to experience extra-slow browsing on OS X-hosted websites — and unless you’re happy with those users placing unnecessary extra load on OS X Server — there’s an important change that needs to be made to Apple’s default Apache configuration.

Early on in the process of configuring your shiny new Mac OS X Server, there’s an important change which needs to be made to Apple’s default configuration so as to ensure decent performance for Microsoft browsers. OS X Server ships with Apache’s Keep-Alive switched on, so as to enable persistent connections — meaning that when a visitor loads a page in their browser, they don’t have to re-negotiate a brand new connection for every element on the page, and when they move to a new page, they can also use the same connection, provided it is within an allowed period of time. (See “Essential Performance Tweaks for Your New OS X Server”.)

However, way back in the Dark Ages, prior to IE6, Internet Explorer had problems with SSL connections when persistent connections were enabled. Although this was fixed a long time ago, standard advice from the last century was to disable persistent connections specifically over SSL when talking to browsers with “MSIE” in the User-Agent string. Eventually, in 2010, the default recommendation became to add a check for version numbers starting with 1-5, so as only to disable persistent connections for those older browsers. Not only are many Apache installations — including Apple’s default configuration — running without this update, but even this update is an unfortunately outdated choice for the modern era, given that ’10’ (as in IE 10) starts with ‘1’ and will therefore be served up SSL pages in the old way.

But wait, there’s more!

Apple’s default configuration, stored in httpd_server_app.conf, makes the old, last-century MSIE code active all the time, provided that mod_ssl.c is available at all:

# Secure (SSL/TLS) connections
<IfModule mod_ssl.c>
	SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
	SSLPassPhraseDialog exec:/Library/Server/Web/Config/apache2/getsslpassphrase
	SSLSessionCache shmcb:/var/run/ssl_scache(512000)
	SSLSessionCacheTimeout 300
	SSLMutex file:/var/run/ssl_mutex
	SSLRandomSeed startup builtin
	SSLRandomSeed connect builtin
	AddType application/x-x509-ca-cert crt
	AddType application/x-pkcs7-crl crl

In other words, the code in that IfModule doesn’t just apply when using SSL connections, it applies all the time. This is fairly disastrous.

Try it yourself: head over to or any other testing service that enables you to watch in detail what happens when a given browser connects to one of your sites, and you’ll find that tests with any version of IE report that Keep-Alive is off, while tests with other browsers report that it is on.

The solution? Comment out the MSIE line entirely (as suggested by a Microsoft blog post on the topic), restart Apache and the web service, and be done with it.

Unless you’re really really keen to support pre-IE6 versions of Microsoft’s browser, that is, in which case you’re on your own.

(Update, 25 March 2016: See “Server 5.1 Brings TLS 1.2 at Last” for more on how this hack is present in two different files, with two occurrences each, in Server 5.1.)

Note that you’ll need to keep an eye for other modifications to the default httpd_server_app.conf after software updates, in case something gets changed. This type of edit to the supplied .conf file unfortunately is not suitable for an include file of the type I described in the performance tweaks article, because we’re specifically trying to remove something that cannot be straightforwardly overridden.

All material on this site is carefully reviewed, but its accuracy cannot be guaranteed, and some suggestions offered here might just be silly ideas. For best results, please do your own checking and verifying. This specific article was last reviewed or updated by Greg on .

This site is provided for informational and entertainment purposes only. It is not intended to provide advice of any kind.