Re: Limiting CGIs in 2.2.0
On Wednesday 01 March 2006 11:09, Graham Leggett wrote: Hi all, I have an httpd v2.2.0 installation that from time to time is being DoS'ed by a burst of hits to a perl based CGI program (mt-comment.cgi from Moveable Type). The CGIs take up tonnes of RAM, until openldap dies, causing lots of further problems. Is there a mechanism within v2.2.0 to put resource limits onto CGI programs (maximum running simultaneously, longest time in seconds to run, that sort of thing)? Apart from limiting the CGI programs, another approach would be to use mod_load_average to return 503 when the system as a whole is under heavy load. Refusing cleanly to run the heavy CGI scripts at all has got to be better than killing them after they've munched your resources. I don't recollect the URL, but I'm pretty sure fajita has it. -- Nick Kew
Re: Limiting CGIs in 2.2.0
Nick Kew wrote: Apart from limiting the CGI programs, another approach would be to use mod_load_average to return 503 when the system as a whole is under heavy load. Refusing cleanly to run the heavy CGI scripts at all has got to be better than killing them after they've munched your resources. Would this be limited to the scripts themselves, or to the server as a whole? Will go looking... Regards, Graham -- smime.p7s Description: S/MIME Cryptographic Signature
Re: Limiting CGIs in 2.2.0
Graham Leggett wrote: Nick Kew wrote: Apart from limiting the CGI programs, another approach would be to use mod_load_average to return 503 when the system as a whole is under heavy load. Refusing cleanly to run the heavy CGI scripts at all has got to be better than killing them after they've munched your resources. Would this be limited to the scripts themselves, or to the server as a whole? It can do either the entire server, or for specific handler types: http://svn.force-elite.com/svn/mod_load_average/trunk/src/mod_load_average.c This way you could disable CGI when your LA is above 10, and then disable everything when your LA is above 100: LoadAvgMaxByHandler cgi-script 10 LoadAvgMax 100 -Paul
Re: Limiting CGIs in 2.2.0
On Wednesday 01 March 2006 15:22, Paul Querna wrote: LoadAvgMaxByHandler cgi-script 10 LoadAvgMax 100 Hmmm, I recollected it as being based on a Directory context (except for the global maximum which operates in post_read_request). Has it chaned, or is my memory playing sillybuggers in the cold? -- Nick Kew
Re: Limiting CGIs in 2.2.0
Nick Kew wrote: On Wednesday 01 March 2006 15:22, Paul Querna wrote: LoadAvgMaxByHandler cgi-script 10 LoadAvgMax 100 Hmmm, I recollected it as being based on a Directory context (except for the global maximum which operates in post_read_request). Nope, its currently Vhost-only. It could be changed to be directory based pretty easily.