endless loop trying to create ssl_scache (2.0.54)

[Jeroen Massar]

Hi,

I had just killed off my apache2 and tried to restart it when the
following kept apache running at ~100% cpu usage, trying to create the
file but failing. Attaching a strace resulted in an endless loop of:

stat64(/var/run/apache2/ssl_scache, 0xb8a0) = -1 ENOENT (No such
file or directory)
open(/var/run/apache2/__db.ssl_scache, O_RDWR|O_CREAT|O_EXCL|
O_LARGEFILE, 0644) = -1 EEXIST (File exists)
open(/var/run/apache2/__db.ssl_scache, O_RDWR|O_CREAT|O_EXCL|
O_LARGEFILE, 0644) = -1 EEXIST (File exists)
open(/var/run/apache2/__db.ssl_scache, O_RDWR|O_CREAT|O_EXCL|
O_LARGEFILE, 0644) = -1 EEXIST (File exists)

Removing the files from /var/run/apache2/ resolved the issue and apache
is happily serving again :)

Could it be a locking issue? (O_EXCL)

IMHO it should simply abort after trying the above for n (say 50?) times
and at least log it then.

Greets,
 Jeroen

--

related version info:
ii  apache2-common  2.0.54-4next
generation, scalable, extendable web server
ii  apache2-mpm-prefork 2.0.54-4traditional
model for Apache2
ii  apache2-utils   2.0.54-4utility
programs for webservers
ii  libapache2-mod-php4 4.3.10-15   server-side,
HTML-embedded scripting language (apache 2.0 module)



signature.asc
Description: This is a digitally signed message part

RE: Spam Using SMTP Over HTTP-Proxy

[Jeroen Massar]

-BEGIN PGP SIGNED MESSAGE-

Joshua Slive [mailto:[EMAIL PROTECTED] wrote:

 On Thu, 4 Sep 2003, Jeroen Massar wrote:
  Requiring a IKnowIAmOperatingAOpenProxy flag that needs to
  be set explicitly would be a better idea then :)
 
 That's what the ProxyRequests directive does.  Giving it a silly name
 isn't going to help ;-)

True, nothing much we can do about people not reading the docs :(

  Seriously, we could add a default deny for outgoing port
  25 (smtp) and 6660-6670 (irc) proxied connections.
  This won't really hurt anyone as I don't see any reasons
  why anybody would want that. A special AllowProxyPorts 25 6660-6670
  directive could then turn those ports open too.
  We could even try to limit it to defaultly allowing only
  the proxying of port 80 and 443 and denying the rest for instance.
 
 Bill Wrowe is a fan of the last idea.  I'm neutral about making it the
 default, but I think it would be good to make it configurable.
 
 You should be specific here, however.  We are talking about a 
 directive that would allow *outgoing* proxy connections only on 
 specific ports.  For example
 AllowForwardProxy 80 8080 

That could be the default then, if people would require other
ports they would either need to add them or specify All if
they are really sure of what they are doing.

We should also convince packagers that they never include the
All option per default or as a simple configuration option.
If someone wants it, let them read the doc, which should contain
the you are opening up as an open relay warning.

Greets,
 Jeroen

-BEGIN PGP SIGNATURE-
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / [EMAIL PROTECTED] / http://unfix.org/~jeroen/

iQA/AwUBP1hHximqKFIzPnwjEQK6VgCfSJkykyhb+jvWp/ShzWrDcflhFxgAn26c
RKAczDl/QqHK5kk8w8Mcvtqb
=NT/J
-END PGP SIGNATURE-

RE: Spam Using SMTP Over HTTP-Proxy

[Jeroen Massar]

-BEGIN PGP SIGNED MESSAGE-

Joshua Slive [mailto:[EMAIL PROTECTED] wrote:

 I don't think that is feasible.  There are MANY ways to do 
 access control in apache.
 
 Sending a message along the lines of Your server is 
 configured to proxy requests to arbitrary servers. whenever ProxyRequests is On 
 would be a possibility.

That would indeed help, but how many redhat/debian/... read
the logs when it works ?

Requiring a IKnowIAmOperatingAOpenProxy flag that needs to
be set explicitly would be a better idea then :)

Seriously, we could add a default deny for outgoing port
25 (smtp) and 6660-6670 (irc) proxied connections.
This won't really hurt anyone as I don't see any reasons
why anybody would want that. A special AllowProxyPorts 25 6660-6670
directive could then turn those ports open too.
We could even try to limit it to defaultly allowing only
the proxying of port 80 and 443 and denying the rest for instance.

Greets,
 Jeroen

-BEGIN PGP SIGNATURE-
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / [EMAIL PROTECTED] / http://unfix.org/~jeroen/

iQA/AwUBP1ePfCmqKFIzPnwjEQKGWACffesaa690wCAFBWKxF4ae7IjeICIAn1e5
9dvAvWU3n9iGcLFTeiYxuphu
=Aj1Q
-END PGP SIGNATURE-

RE: Fw: Spam postings via Apache to postfix on the same host

[Jeroen Massar]

André Malo [mailto:[EMAIL PROTECTED] wrote:

 * Joshua Slive wrote:
 
 [spam via proxy]
  One possible thing we could do is simply remove the sample 
 proxy config
  from our default httpd.conf.  These samples make it too 
 easy for people to
  activate a proxy without securing it properly.
 
 +1! Since proxying is not the primary purpose of the httpd I 
 won't miss it
 in the default config (commented or not).

Possibly a 'go look in the docs' type question. But for instance:

From the docs:
8-
NoProxy Directive
This directive is only useful for Apache proxy servers within intranets. The
NoProxy directive specifies a list of subnets, IP addresses, hosts and/or
domains, separated by spaces. A request to a host which matches one or more
of these is always served directly, without forwarding to the configured
ProxyRemote proxy server(s).
-8

In that the sentence:
A request to a host which matches one or more of these is always served
directly

NoProxy 2001:db8::/32
www.example.com  2001:db8::1

Is a bit dubious, at least for me. It could mean two things:
 - GET http://www.example.com/ HTTP/1.1
   Would be served 'directly' (from cache, from how?)
 - A client from 2001:db8::/32 sending GET http://www.example.com/
HTTP/1.1
   will be served 'directly'.

It could be my english understanding ofcourse, but if somebody
would like to enlighten me ;)

Then there is also:

Proxy *
Order Deny,Allow
Deny from all
Allow from 192.168.0
/Proxy 

But that is for _client's_.

We could have something similar with destination's.
Which could also be usefull for spam-ad blocking etc:

Proxy *
Order Allow,Deny
Allow to all
Deny to example.com
Deny to 2001:db8::/32
Deny to ::1
Deny to 127.0.0.1
Deny to port 25
/Proxy

Having that would be perfect ofcourse.

Next in from the document is the AllowCONNECT Directive.
Maybe at least a AllowProxyPort would be helpful, somewhat
like the above ?

Greets,
 Jeroen

RE: [ANNOUNCE] Apache 2.0.44 Released

[Jeroen Massar]

Sander Striker [mailto:[EMAIL PROTECTED]] wrote:

First, congrats with 2.0.44 ;)


  *) Introduce the EnableSendfile directive, allowing users of NFS
 shares to disable sendfile mechanics when they either fail
 outright or provide intermitantly corrupted data.  PR
 [William Rowe]

Shouldn't this also be noted as the fix for:
IPv6 enabled version doesn't output any data on some NIC's and linux

As mentioned in the following threads:
 http://groups.yahoo.com/group/new-httpd/message/41447
 http://groups.yahoo.com/group/new-httpd/message/41485

The general fix with 2.0.43 was to use --disable-sendfile too.
This option is thus also meant for Linux users who have a NIC
which behaves strange when sendfile() is enabled along with IPv6.

Also I can't find any mention of it in the docs
(http://httpd.apache.org/docs-2.0/)

Greets,
 Jeroen

RE: Linux + TCP_CORK + IPv6 = Broken [PATCH]

[Jeroen Massar]

Colm MacCárthaigh [mailto:[EMAIL PROTECTED]] wrote:

 On Thu, Dec 05, 2002 at 12:58:48PM +, Colm MacCárthaigh wrote:
  I'm using vanilla 2.4.18, from Debian kernel-source-2.4.18 
 , one machine
  has the broadcom bcm5700 module, and the the other has the intel
  e1000 module. 
 
 O.k., more testing, I've tried it out on another box, which has
 a 3com network card and IDE disks, and it *doesnt* happen there.
 
 Things the vulnerable machines have in common:
 
  SCSI hard-disks
  Software RAID 1 set-up
  GigE cards (bcm5700 , e1000)
  Dell (2650, and 1650)
 
 Things unaffected machine has:
 
  IDE disks
  no RAID
  3c905 network card.

I just recompiled the debian's 2.0.43 with --without-sendfile (push it
in the args list of debian/rules) and now www.sixxs.net works fully on
IPv4/IPv6 and IPv4-SSL and IPv6-SSL.

As for the hardware in that box, Linux 2.4.18, Celeron, IDE, ext3 fs's
and a:

eth0: RealTek RTL8139 Fast Ethernet at 0xd080, 00:10:dc:20:7c:7c,
IRQ 11
eth0:  Identified 8139 chip type 'RTL-8139B'

purgatory.unfix.org has 2.4.18, p100, IDE, ext3 and a Intel and DEC, but
IPv6 is tunneled and doesn't have that problem.
games.concepts.nl box has 2.4.19-pre5-ac3, Athlon, SCSI, ext3 and a
3c905C, this one doesn't have any problems.

I'll be running that first box with --without-sendfile :)

If you need extra informations don't mind to speak up.

Greets,
 Jeroen

RE: Linux + TCP_CORK + IPv6 = Broken

[Jeroen Massar]

Colm MacCarthaigh [mailto:[EMAIL PROTECTED]] wrote:

 On Mon, Dec 02, 2002 at 02:48:53PM -0500, Jeff Trawick wrote:
  Colm MacCarthaigh [EMAIL PROTECTED] writes:
  
   Linux (2.4.18 and 2.4.19, for me anyway) with apache versions
   2.0.40 to 2.0.43 (that I've tested anyways) is broken with
   TCP_CORK and IPv6. Bizarrely v6 requests will work the first
   few times and then start failing, typically you just wont get
   a response from the server. Though strace shows that it did
   try to send one.

Another 'fun' thing:
 - Linux 2.4.18
 - Apache 2.0.43 (preforked)
 - Debian unstable

http://www.sixxs.net
 - IPv4 works
 - IPv6 doesn't work

https://www.sixxs.net
 - IPv4 works
 - IPv6 works

So I have currently installed a default reroute on http://www.sixxs.net
for IPv6 requests
to redirect them to the https:// variant. Try
http://www.ipv6.sixxs.net/news/ for example
to not get redirected (only a IPv6 non-ssl / request redirs).
btw www.ipv4.sixxs.net has only A, www.ipv6.sixxs.net has only .

The IPv6 doesn't work actually means: request comes in, answer comes
out partially.
A first request gets returned correctly any pipelined request coming in
next fail.
That's why the / works (as it's only 1 answer, not pipelined) some other
pages without
pictures show this too.

Odd that IPv4 and SSL'd IPv4/IPv6 do work.

Another thing is that I do got it working on other boxes with 2.4.18 :)
Same build of apache on those, other NIC's though:
2.4.18 - purgatory.unfix.org (HTTP and HTTPS IPv4 and IPv6 ofcourse)
2.4.19-pre5-ac3 - games.concepts.nl (HTTP IPv4 and IPv6)

Oddness all around, but maybe that problem is related?

Greets,
 Jeroen

RE: new download page

[Jeroen Massar]

Joshua Slive [mailto:joshua;slive.ca] wrote:
 Pier Fumagalli wrote:
 
  I looked into it back in the days, but the only way would 
  be to go down to
  RIPE (IANA in the US) to see where that IP is coming from, 
  doing some 
  weirdo
  WHOIS parsing and stuff... _WAY_ overkilling... Anyhow this 
  is going waaay
  offtopic! :-)
 
 See: http://maxmind.com/geoip/
 
 If someone wants a little project, it shouldn't be too hard 
 to integrate this into the existing closer.cgi script.

Being geographically close says nothing about the connection.
If you really want to autodirect users to a certain mirror you
could do this based on AS number. This is for example done by
the folks at scene.org. Contact [EMAIL PROTECTED] if you want
to know more about this solution.

A easy fix for the Sourceforge syndrome grin would be :

a
href=http://www.apache.org/dyn/closer.cgi/httpd/httpd-2.0.43.tar.gzdes
c=this-points-to-a-html-with-mirrors-do-not-wget-this-urlhttpd-2.0.43.
tar.gz/a

Et tada people wanting to use wget, of which I am one, would notice
that it is not a direct link to the file, you won't need changes to the
closer.cgi as it should ignore the second param (desc).

Now you can put back that cool download page which was much better than
the current and old one.

At least thats my opinion.

Greets,
 Jeroen

RE: [ANNOUNCE] Apache 2.0.40 Released

[Jeroen Massar]

Sander Striker [mailto:[EMAIL PROTECTED]] wrote:

SNIP
 We have also included support for IPv6 on any
 platform that supports IPv6.

Hmmm Windows NT/2k/XP/.Net/98/95 supports IPv6, now where is the IPv6
capable binary (or source for that matter ;) ?
(Btw... Mac OS X sports IPv6 also in beta's and public in the coming
september updates)

Greets,
 Jeroen

RE: Auth - what should happen

[Jeroen Massar]

[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] wrote:

 Opinions - not on what happens to day in 1.3 but what should 
 happen in a
 perfect world:
 
 Given a config like this:
 
   Directory /my/secrets
   AuthTypebasic
   AuthNameRestricted area
   /Directory
 
 What should happen ? Allowed in with, or without a password ? 
 What would users feel as most logical ?
They want it to be open probably, unless you got security
savvy types, they want it closed.
In order words: Default Policy Closed

If it doesn't serve content people will notice,
people will complain, people will fix.
If it by default serves content, it could be content that
people didn't want to serve at all.

 
 Then
   Directory /my/secrets
   AuthTypebasic
   AuthNameRestricted area
   Limit POST
   require valid-user
   /Limit
   /Directory
 
 Same here when using a GET. (Note - I've not even started with 'allow
 from' or 'satisfy any complexity).

Maybe introduce a LimitPolicy Deny
But we got Order deny,allow for that.
If we take into consideration that Order defaults to deny,allow
one would end up:
 - Allowing POST to valid-user.
 - Denying anything else.

Greets,
 Jeroen

RE: [PATCH] Apache2 httpd.conf

[Jeroen Massar]

Günter Knauf [mailto:[EMAIL PROTECTED]] wrote:
 unfortunately we have symlinks only on *nix platforms, so for 
 all other platforms this isnt a solution...
 Guenter.

Unices all? have symlinks and NT supports lins too.
Then still people could instead of symlinking the data copy the configs
in and out of the enabled dir.
On debian they got the two simple commands for that, apachectl could be
made to do it to.

Greets,
 Jeroen

  Better do the configs the 'debian way' then:
 
  /etc/apache2/ containing:
 
  apache2.conf : default config for running Apache2 minimally.
  ports.conf : Port 443 etc directives
  httpd.conf :  local site extra's
  modules-available/ : containing a config file per module
  modules-enabled/ : containing symlinks to the modules-available
  directory
 
  Now if you want a module enabled; you can symlink it, easy 
 and obvious
  configging for everybody ;)
  The apache2.conf includes the ports.conf + httpd.conf +
  modules-available ofcourse.
  As for packagers, let your apache module depend on the main apache
  package and install your module's
  config into the available dir, then _ask_ the user if they want it
  enabled at once.

RE: [PATCH] Apache2 httpd.conf

[Jeroen Massar]

Günter Knauf [mailto:[EMAIL PROTECTED]] wrote:
  Ahhh, but you forget that not everyone uses DSO modules.  
 Many people
  compile the modules into the server, and for them the 
 module is active
  regardless of the LoadModule line.
 Ok, that was the point I missed and convinces me that it's 
 not such a good idea then...
 
 then let's make another suggestion:
 let's create a modules.conf and move these configs into it, 
 and perhaps also the mod_deflate config; then this conf can 
 easily be included from the httpd.conf, and httpd.conf 
 becomes simpler...

Better do the configs the 'debian way' then:

/etc/apache2/ containing:

apache2.conf : default config for running Apache2 minimally.
ports.conf : Port 443 etc directives
httpd.conf :  local site extra's
modules-available/ : containing a config file per module
modules-enabled/ : containing symlinks to the modules-available
directory

Now if you want a module enabled; you can symlink it, easy and obvious
configging for everybody ;)
The apache2.conf includes the ports.conf + httpd.conf +
modules-available ofcourse.
As for packagers, let your apache module depend on the main apache
package and install your module's
config into the available dir, then _ask_ the user if they want it
enabled at once.

Greets,
 Jeroen

RE: is httpd a valid way to start Apache?

[Jeroen Massar]

Jeff Trawick wrote:

 Who would be in favor of this, or parts thereof?  I'm anxious to see a
 consensus so that steps toward the goal can be filled in over time.
 
 1) httpd can't be used directly on Unix because of environment
variable settings
SNIP

Due to inheritance (export) of environment variables I usually start
Apache after doing a:
# for i in `export | cut -f3 -d' '|cut -f1 -d'='`; do export -n $i; done
Which cleans them all up nicely. One reason for doing this is so that
phpinfo() shows all these nice
Enviroment variables which could reveal one thing or the other of some
persons setup.
Maybe it's an idea to let the 'startup' program (may it be httpd or
apachectl) to filter these environment
variables too ? they also take up memory, oooh ah :)

Greets,
 Jeroen

RE: PHP and other security problems - a solution idea

[Jeroen Massar]

[EMAIL PROTECTED] wrote:

 Idea: On handling a file, setuid() to owner of file. On closing
connection,
 re-engage original uid (nobody, apache, www-data, whatever it is). PHP
will
 run under user's UID, other users are save.

The 'solution' is the perchild MPM ;)

Or a dirty hack; run apache as root and let it change uid based on the
url's owner or something like:

Directory /www/www.example.org/user/test/
 User test
 Group users
/Directory

Something like that would be quite nice too, perhost MPM only will be
able to do per-vhost uid-changes.
With some patches (which haven't been accepted yet) perchild will
actually compile, run and work.
Though the user-changes can't be made effective yet :(
But that will be some of the things for next week ;)

Greets,
 Jeroen

Re: Apache 2.0.32 beta is available

[Jeroen Massar]

On Mon, 18 Feb 2002, Bill Stoddard wrote:

  On Sun, 17 Feb 2002, Justin Erenkrantz wrote:
 
  SNIP
SNIP
  Unless someone submitted patches since the 2.0.32-alpha tarball last
  week. I don't think Win32/nt works especially as it relies on
  sockaddr_in for the mpm_winnt. I figured and fixed this, this weekend when
  I wanted too see if the IPv6 support for Apache on NT worked or not.
  It did compile but without IPv6 support. After some hours of changing
  things, enabling getaddrinfo() etc. I suddenly had a IPv6 enabled
  mpm_winnt version of Apache 2.0.32. I will be cleaning up the diff tonight
  and fixing the fact that IPv6 addresses get logged quite weirdly, which
  is a weird offset effect. You'll probably get the diff tomorrow morning CET ;)
 
 Cool! Thanks, will be looking for the patch.
 
 Bill
 

I haven't made a proper diff, nor the cleanups, but if you copy the files
from:
http://calvin.ics.hro.nl/~jeroen/apache2/apache_2.0.32-winnt-ipv6.zip

And extract them on top of the apache 2.0.32 alpha/beta tarball and
compile it should work. This _does_ however require the IPv6 headers
supplied by either the platform preview 
(http://msdn.microsoft.com/downloads/sdks/platform/tpipv6.asp)
and or the newer SDK's. Simply build with the InstallBin targets etc and
it should all work out fine. The newer IPv6 stacks by MS automatically
detect IPv6 presence and use it if possible. This allows for a IPv6
enabled build which should be able to run on most NT's. I say NT's here as
the IPv6 stack for 9x/ME is unknown  untested for me.

Things I have to do to clean it up:
 - fix the address copying (save_addrinfo goes wrong on me)
 - put in many #ifdef APR_HAVE_IPV6 lines.
 - get rid of the debug stuff :)

You'll notice that the winnt_mpm now passes the listen_rec to winnt_accept()
This was the cleanest way in my opinion for it to get the address family.

There is also some weird magic, sockaddr_in6 is normally 24 bytes, but
when returned from getaddrinfo() it's always 28 hmm ;)

I'll probably have a stab on this tomorrow and pass in a diff to you guys ;)
If I am really lucky I will have my adsl line back tomorrow, carrying
printed code and using floppydisks isn't fun ;)... I got the sync.. now
they have to turn on provisioning...

Greets,
 Jeroen

Re: Apache 2.0.32 beta is available

[Jeroen Massar]

On Sun, 17 Feb 2002, Justin Erenkrantz wrote:

SNIP
 
 Apache 2.0 offers numerous enhancements, improvements and performance
 boosts over the 1.3 codebase.  The most visible and noteworthy addition
 is the ability to run Apache in a hybrid thread/process mode on any
 platform that supports both threads and processes.  This has been shown
 to improve the scalability of the Apache HTTPD server significantly on
 some versions of Unix in our testing.  Apache 2.0 also includes support
 for filtered I/O.  This allows modules to modify the output of other
 modules before it is sent to the client.  Finally, we have included
 support for IPv6 on any platform that supports IPv6.
Unless someone submitted patches since the 2.0.32-alpha tarball last
week. I don't think Win32/nt works especially as it relies on
sockaddr_in for the mpm_winnt. I figured and fixed this, this weekend when
I wanted too see if the IPv6 support for Apache on NT worked or not.
It did compile but without IPv6 support. After some hours of changing
things, enabling getaddrinfo() etc. I suddenly had a IPv6 enabled
mpm_winnt version of Apache 2.0.32. I will be cleaning up the diff tonight
and fixing the fact that IPv6 addresses get logged quite weirdly, which
is a weird offset effect. You'll probably get the diff tomorrow morning CET ;)

Greets,
 Jeroen

PS: What makes this so cool is the fact that IIS doesn't have IPv6 support (yet, 
unless someone has a superduper development version somewhere ;)

[patch] per-child (Re: 2.0.32 has been released.)

[Jeroen Massar]

On Thu, 14 Feb 2002, Bill Stoddard wrote:

 From testing on Windows, I am +1 for beta.

First I noticed that the KEYS file is missing from the tar file.
Second perchild doesn't compile, but see attached mpm_perchild.patch for the fix ;)
It basically does a int num_sockets and add the POD definition and static.

It doesn't work then though at least it works unless I specify the
following things:
8
ChildperUserID 33 33 1
ChildperUserID 1004 1004 2
8
Numberic... otherwise it will b*tch

And per vhost:
8
AssignUserID 1004 1004
8
One vhost is using 1004 (wwwics) user, the others use the 33 (www-data) user which is 
the default.

It does start up nicely and I think it's accepting the connection at the
right client, this shows up as 'top' shows the process taking the rest of
the cputime and it does have the correct user I picked for that vhost.
But where/what it's cycling at, dunno yet ;)

Also a nice error seen in my logs while fooling around with the above settings:
[Thu Feb 14 14:39:57 2002] [alert] (2)No such file or directory: getpwuid: couldn't 
determine user name from uid 4294967295, you probably need to modify the User directive
Aka uid == 0x == -1 (32bits).

Firing up my apache now makes:
 1x apache2 running as root
22x  www-data (uid=33)
14x  wwwics (uid=1004)

www-data is also the user used in the User option.

Perchild config:

IfModule perchild.c
NumServers   5
StartThreads 5
MinSpareThreads  5
MaxSpareThreads 10
MaxThreadsPerChild  20
MaxRequestsPerChild  0
/IfModule

Running it without the AssignUserID and ChildperUserID settings gives me
38x apache2 running as www-data ;)

The php/cgi-script thing was caused because of a missing mod_cgid by the way ;)

Greets,
 Jeroen


diff -u -r -N httpd-2.0.32/server/mpm/perchild/mpm.h 
../2.0.32-perchild/build-tree/httpd-2.0.32/server/mpm/perchild/mpm.h
--- httpd-2.0.32/server/mpm/perchild/mpm.h  Wed Dec 19 18:50:38 2001
+++ ../2.0.32-perchild/build-tree/httpd-2.0.32/server/mpm/perchild/mpm.hThu 
+Feb 14 13:43:07 2002
@@ -77,6 +77,7 @@
 #define AP_MPM_WANT_SET_COREDUMPDIR
 #define AP_MPM_WANT_SET_ACCEPT_LOCK_MECH

+#define AP_MPM_USES_POD 1
 #define MPM_SYNC_CHILD_TABLE()
 #define MPM_CHILD_PID(i) (ap_scoreboard_image-parent[i].pid)
 #define MPM_NOTE_CHILD_KILLED(i) (MPM_CHILD_PID(i) = 0)
diff -u -r -N httpd-2.0.32/server/mpm/perchild/perchild.c 
../2.0.32-perchild/build-tree/httpd-2.0.32/server/mpm/perchild/perchild.c
--- httpd-2.0.32/server/mpm/perchild/perchild.c Tue Feb  5 23:18:49 2002
+++ ../2.0.32-perchild/build-tree/httpd-2.0.32/server/mpm/perchild/perchild.c   Thu 
+Feb 14 13:42:30 2002
@@ -78,7 +78,7 @@
 #endif

 #define CORE_PRIVATE
-
+
 #include ap_config.h
 #include httpd.h
 #include http_main.h
@@ -107,6 +107,9 @@
 #include sys/processor.h /* for bindprocessor() */
 #endif

+#include ap_mmn.h
+
+
 /*
  * Define some magic numbers that we use for the state of the incomming
  * request. These must be  0 so they don't collide with a file descriptor.
@@ -175,6 +178,8 @@
 static int num_listenfds = 0;
 static apr_socket_t **listenfds;
 static jmp_buf jmpbuffer;
+static ap_pod_t *pod;
+

 struct child_info_t {
 uid_t uid;
@@ -1429,6 +1434,7 @@
 static int perchild_open_logs(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, 
server_rec *s)
 {
 apr_status_t rv;
+int num_listensocks;

 pconf = p;
 ap_server_conf = s;

Apache 20020213 anonCVS perchild

[Jeroen Massar]

I compiled a 20020213 httpd anoncvs today to try the perchild module.

And I think that:
8-
Out of Memory: Killed process 4768 (apache2).
Out of Memory: Killed process 4774 (apache2).
Out of Memory: Killed process 4775 (apache2).
Out of Memory: Killed process 4783 (apache2).
Out of Memory: Killed process 4790 (apache2).
Out of Memory: Killed process 4791 (apache2).
Out of Memory: Killed process 4798 (apache2).
-8

Kinda show that it's not entirely okay on my machine ;)
I also tried the 2.0.28-beta which is found on the distribution site.

The system is a mere p3 750 with 128mb running linux 2.5.1
Linux calvin 2.5.1 #1 Mon Jan 14 15:08:00 CET 2002 i686 unknown

The effect seen is that mozilla (nope not only apache is bad ;)
8---
Out of Memory: Killed process 4713 (mozilla-bin-cvs).
Out of Memory: Killed process 4728 (mozilla-bin-cvs).
Out of Memory: Killed process 4729 (mozilla-bin-cvs).
Out of Memory: Killed process 4730 (mozilla-bin-cvs).
Out of Memory: Killed process 4731 (mozilla-bin-cvs).
---8

At least something is filling the memory ;)
Well it's apache aparently because a simple:

root@calvin:/home/staff/jeroen/data/apache2/deb/2.0.28-perchild/apache2-2.0.28#
telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.1
Host: calvin.ics.hro.nl

^]q

telnet Connection closed.

Wellps that makes apache2 go rogue too and no response ;(

The configlines which when removed make it work, but when added make it break:
ChildperUserID wwwics wwwics 1

and in one of the 3 vhosts:
AssignUserID wwwics wwwics

(little background, the idea is to secure every vhost so that it runs
under a seperate user and that there is no way that some random user reads
the cleartext passwords for databases etc through something like a php.
Every vhost will be seperate... )

The host: http://calvin.ics.hro.nl

Server Info at http://calvin.ics.hro.nl/server-info
Server Stats at http://calvin.ics.hro.nl/server-status
Currently running without assignuserid and childperuserid, otherwise it simply doesn't 
respond :(
The debian tag is because I built it using the debian build rules:

The configure options:
AP2_CONFARGS =  --enable-layout=Debian --enable-so \
--with-program-name=apache2 --enable-speling=shared \
--enable-rewrite=shared --enable-cgid=shared \
--enable-vhost-alias=shared --enable-info=shared \
--enable-suexec=shared --enable-ssl=shared \
--enable-unique-id=shared --enable-usertrack=shared \
--enable-expires=shared --enable-cern-meta=shared \
--enable-mime-magic=shared --enable-headers=shared \
--enable-auth-anon=shared --enable-proxy=shared \
--enable-dav=shared --with-suexec-caller=www-data 
--with-suexec-docroot=/www --with-suexec-logfile=/var/log/apache2/ \
--with-mpm=perchild

Something else broke the php handling through a cgi using the trick:
Action application/x-httpd-php /cgi-bin/php4

Which results in a:
[Wed Feb 13 16:37:56 2002] [warn] [client 145.24.239.47] handler cgi-script not 
found for: /usr/lib/cgi-bin/php4

Every query but that's prolly something different and not related to mpm_perchild

If somebody can give me some clue... I welcome it ;)

Greets,
 Jeroen

OpenSSL 0.9.6 (Was: RE: ssl is broken)

[Jeroen Massar]

Boo,

First I'll twack myself for the fact that I didn't look at the openssl
version any sooner...
This is prolly at least one nice for the archives for other donkeys
hitting their heads against this brick...

I wanted a newer version than the 2.0.16 beta's to experiment some more
with Apache 2.0..
so I pulled down http://dev.apache.org/dist/httpd-2_0_25-alpha.tar.gz
and tried to compile it with
--enable-ssl --with-openssl=/usr/include/openssl/ and such on a almost
standard FreeBSD 4.2 box which
comes with the old OpenSSL 0.9.5a, ./configure etc go just fine untill
the make pops up the following error:
8---
modules/ssl/.libs/mod_ssl.al(ssl_engine_kernel.lo): In function
`bio_hook_set':
/usr/home/www/compile/httpd-2_0_25/modules/ssl/ssl_engine_kernel.c:264:
undefined reference to `BIO_next'
---8
And after some more tries and peeking at google I finally noticed that
my old OpenSSL version (twack me :)
Also http://www.openssl.org/docs/crypto/BIO_find_type.html nicely
states:

8--
NOTES
BIO_next() was added to OpenSSL 0.9.6 to provide a 'clean' way to
traverse a BIO chain or find multiple matches using BIO_find_type().
Previous versions had to use:  next = bio-next_bio;
--8

Then added the following after the #include openssl/ssl.h in
modules/ssl/ssl_engine_kernel.c:
8
#ifndef BIO_next
#define BIO_next(b) b-next_bio;
#endif
--8
Ran another make. et tada it compiled :)

I'd better upgrade my OpenSSL sooner or later though :)

[03/Oct/2001 01:37:59 91292] [info]  Connection: Client IP:
3ffe:8114:2000:240:2d0:b7ff:fe8f:5d42, Protocol: SSLv3, Cipher: RC4-MD5
(128/128 bits)

But it works ;)
Next-stop... stability tests  mod_proxy grin

Greets,
 Jeroen