Whatever you might think of Internet Explorer, unless you want IE users to experience extra-slow browsing on OS X-hosted websites — and unless you’re happy with those users placing unnecessary extra load on OS X Server — there’s an important change that needs to be made to Apple’s default Apache configuration.
Early on in the process of configuring your shiny new Mac OS X Server, there’s an important change which needs to be made to Apple’s default configuration so as to ensure decent performance for Microsoft browsers. OS X Server ships with Apache’s Keep-Alive switched on, so as to enable persistent connections — meaning that when a visitor loads a page in their browser, they don’t have to re-negotiate a brand new connection for every element on the page, and when they move to a new page, they can also use the same connection, provided it is within an allowed period of time. (See “Essential Performance Tweaks for Your New OS X Server”.)
However, way back in the Dark Ages, prior to IE6, Internet Explorer had problems with SSL connections when persistent connections were enabled. Although this was fixed a long time ago, standard advice from the last century was to disable persistent connections specifically over SSL when talking to browsers with “MSIE” in the User-Agent string. Eventually, in 2010, the default recommendation became to add a check for version numbers starting with 1-5, so as only to disable persistent connections for those older browsers. Not only are many Apache installations — including Apple’s default configuration — running without this update, but even this update is an unfortunately outdated choice for the modern era, given that ’10’ (as in IE 10) starts with ‘1’ and will therefore be served up SSL pages in the old way.
But wait, there’s more!
Apple’s default configuration, stored in httpd_server_app.conf, makes the old, last-century MSIE code active all the time, provided that mod_ssl.c is available at all:

    # Secure (SSL/TLS) connections
    <IfModule mod_ssl.c>
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
        SSLPassPhraseDialog exec:/Library/Server/Web/Config/apache2/getsslpassphrase
        SSLSessionCache shmcb:/var/run/ssl_scache(512000)
        SSLSessionCacheTimeout 300
        SSLMutex file:/var/run/ssl_mutex
        SSLRandomSeed startup builtin
        SSLRandomSeed connect builtin
        AddType application/x-x509-ca-cert crt
        AddType application/x-pkcs7-crl crl
    </IfModule>
In other words, the code in that IfModule doesn’t just apply when using SSL connections, it applies all the time. This is fairly disastrous.
Try it yourself: head over to webpagetest.org or any other testing service that enables you to watch in detail what happens when a given browser connects to one of your sites, and you’ll find that tests with any version of IE report that Keep-Alive is off, while tests with other browsers report that it is on.
The solution? Comment out the MSIE line entirely (as suggested by a Microsoft blog post on the topic), restart Apache and the web service, and be done with it.
Unless you’re really really keen to support pre-IE6 versions of Microsoft’s browser, that is, in which case you’re on your own.
(Update, 25 March 2016: See “Server 5.1 Brings TLS 1.2 at Last” for more on how this hack is present in two different files, with two occurrences each, in Server 5.1.)
Note that you’ll need to keep an eye out for other modifications to the default httpd_server_app.conf after software updates, in case something gets changed. This type of edit to the supplied .conf file unfortunately is not suitable for an include file of the type I described in the performance tweaks article, because we’re specifically trying to remove something that cannot be straightforwardly overridden.
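To check whether the rule is active again after an update, and to see which browsers a given pattern catches, here is an added example (not from the original article or from Apple). The sample configuration and User-Agent strings are constructed, the function names are hypothetical, and Python's regex search stands in for Apache's unanchored matching.

```python
import re

# Active SetEnvIf/BrowserMatch rule on User-Agent that sets nokeepalive.
RULE = re.compile(
    r'^\s*(?:SetEnvIf(?:NoCase)?\s+User-Agent|BrowserMatch(?:NoCase)?)\s+'
    r'"([^"]+)"\s+.*\bnokeepalive\b', re.IGNORECASE)

def find_nokeepalive_rules(conf_text):
    """Return (line_number, user_agent_regex) for each uncommented rule."""
    rules = []
    for number, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # already commented out
        match = RULE.match(line)
        if match:
            rules.append((number, match.group(1)))
    return rules

def affected_agents(ua_regex, agents):
    """Agents that lose keep-alive; like SetEnvIf, the regex is unanchored."""
    return [name for name, ua in agents.items() if re.search(ua_regex, ua)]

# Constructed sample: the active line from the article plus a commented-out
# rule in the "versions starting with 1-5" style it describes.
SAMPLE_CONF = """\
<IfModule mod_ssl.c>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    SSLSessionCacheTimeout 300
    # BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown
</IfModule>
"""

# Constructed sample User-Agent strings.
SAMPLE_AGENTS = {
    "IE 5.5": "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)",
    "IE 8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "IE 10": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "Firefox": "Mozilla/5.0 (Macintosh; rv:45.0) Gecko/20100101 Firefox/45.0",
}

if __name__ == "__main__":
    for number, ua_regex in find_nokeepalive_rules(SAMPLE_CONF):
        hit = affected_agents(ua_regex, SAMPLE_AGENTS)
        print(f"line {number}: {ua_regex!r} disables keep-alive for {hit}")
```

To audit a real server, pass the contents of httpd_server_app.conf to find_nokeepalive_rules; an empty result means no active rule of this kind remains in that file.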
This specific article was last reviewed or updated by Greg on .