If you try the usual Unix log rotation strategy (rename files + `kill -s HUP`
or USR1 with `apachectl restart` or `apachectl graceful`) on an SSL-enabled
httpd, the old logfile is not closed, even though a new logfile is created.

(Ralph, this bug has been around for some time now. I reported it through BugDB
on 1999-07-21 2:57:41.)

Contrast the normal (correct) functioning on a non-ssl-enabled httpd vs. a
mod_ssl-enabled daemon:

1.- First case: Normal httpd (non-mod_ssl) works OK:

Configuration directives in effect:

    ErrorLog /var/log/httpd/error_log
    CustomLog /var/log/httpd/extended_log extended

Normal case demonstration:

    cd /var/log/httpd
    /opt/apache/bin/apachectl stop
    rm *_log
    /opt/apache/bin/apachectl start
    lsof *
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
    httpd 5823 root 2w VREG 64,0x8 111 72922 error_log
    httpd 5823 root 15w VREG 64,0x8 111 72922 error_log
    httpd 5823 root 17w VREG 64,0x8 0 72924 extended_log
    ...(same for all children of main httpd)...
    mv error_log error_log.1
    mv extended_log extended_log.1
    /opt/apache/bin/apachectl graceful ; sleep 2
    lsof *
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
    httpd 5823 root 2w VREG 64,0x8 111 72928 error_log
    httpd 5823 root 15w VREG 64,0x8 111 72928 error_log
    httpd 5823 root 17w VREG 64,0x8 0 72929 extended_log
    ...(ditto)...

Notice that it correctly closed the old (renamed) files and created new ones.

2.- Second case: SSL-enabled httpd keeps old error_log open:

Configuration directives in effect:

    ErrorLog /var/log/httpd/error_log
    CustomLog /var/log/httpd/extended_log extended
    <IfModule mod_ssl.c>
    SSLLog /var/log/httpd/ssl_engine_log
    </IfModule>
    <IfDefine SSL>
    <VirtualHost _default_:443>
    ErrorLog /var/log/httpd/error_log.ssl
    CustomLog /var/log/httpd/extended_log extended
    CustomLog /var/log/httpd/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b"
    </VirtualHost>
    </IfDefine>

Buggy case demonstration:

    cd /var/log/httpd
    /opt/apache/bin/apachectl stop
    rm *_log *_log.1
    /opt/apache/bin/apachectl startssl
    lsof *
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
    httpd 5907 root 2w VREG 64,0x8 140 72922 error_log
    httpd 5907 root 10w VREG 64,0x8 140 72922 error_log
    httpd 5907 root 15w VREG 64,0x8 140 72922 error_log
    httpd 5907 root 16w VREG 64,0x8 0 72924 error_log.ssl
    httpd 5907 root 19w VREG 64,0x8 1550 72928 ssl_engine_log
    httpd 5907 root 21w VREG 64,0x8 0 72929 extended_log
    httpd 5907 root 22w VREG 64,0x8 0 72929 extended_log
    httpd 5907 root 23w VREG 64,0x8 0 72930 ssl_request_log
    ...(ditto)...
    for i in *_log *_log.ssl; do mv $i $i.1; done
    /opt/apache/bin/apachectl graceful ; sleep 2
    lsof *
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
    httpd 5907 root 2w VREG 64,0x8 140 72931 error_log
    -----> httpd 5907 root 10w VREG 64,0x8 218 72922 error_log.1
    httpd 5907 root 15w VREG 64,0x8 140 72931 error_log
    httpd 5907 root 16w VREG 64,0x8 0 72932 error_log.ssl
    httpd 5907 root 19w VREG 64,0x8 787 72935 ssl_engine_log
    httpd 5907 root 21w VREG 64,0x8 0 72939 extended_log
    httpd 5907 root 22w VREG 64,0x8 0 72939 extended_log
    httpd 5907 root 23w VREG 64,0x8 0 72940 ssl_request_log
    ...(ditto)...

Notice that file descriptor 10 --open for writing-- did not close and re-open
(it's still on the old renamed file). Presumably, it corresponds to a
"stderr"(?) file handle opened/dup-ed(?) by mod_ssl code somewhere.

Ralph, shouldn't mod_ssl write to some Apache API instead of opening/dup-ing a
file directly?

Any workarounds/fixes/patches? Stopping and restarting the server is really not
very workable because of the cert passphrase dialog (which I *don't* want to
put in a command pipe).

Cheers... Marco Zamora
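
The before/after `lsof` comparison in the post can be scripted so that a rotation job flags any descriptor that was not reopened. This is an added example, not part of the original post or of mod_ssl; the function names are hypothetical and the input is assumed to be two saved `lsof` listings with the column layout shown above.

```shell
# Added example, not from the original post. Assumes two saved `lsof`
# listings with the column layout shown in the post.
# stale_fds BEFORE AFTER prints "PID FD NAME" for every (PID, FD) that still
# refers to the same device:inode after the rename + graceful restart,
# i.e. a descriptor that was never closed and reopened.
stale_fds() {
    awk '
        { sub(/^-+> */, "") }                   # drop a leading "----->" marker
        $1 == "COMMAND" || NF < 9 { next }      # header and "...(ditto)..." lines
        { key = $2 SUBSEP $4; id = $6 ":" $8 }  # (PID, FD) and device:inode
        phase == "before" { seen[key] = id; next }
        (key in seen) && seen[key] == id { print $2, $4, $9 }
    ' phase=before "$1" phase=after "$2"
}

# Listings copied from the SSL-enabled case in the post.
sample_before() { cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
httpd 5907 root 2w VREG 64,0x8 140 72922 error_log
httpd 5907 root 10w VREG 64,0x8 140 72922 error_log
httpd 5907 root 15w VREG 64,0x8 140 72922 error_log
httpd 5907 root 16w VREG 64,0x8 0 72924 error_log.ssl
httpd 5907 root 19w VREG 64,0x8 1550 72928 ssl_engine_log
httpd 5907 root 21w VREG 64,0x8 0 72929 extended_log
httpd 5907 root 22w VREG 64,0x8 0 72929 extended_log
httpd 5907 root 23w VREG 64,0x8 0 72930 ssl_request_log
EOF
}
sample_after() { cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
httpd 5907 root 2w VREG 64,0x8 140 72931 error_log
-----> httpd 5907 root 10w VREG 64,0x8 218 72922 error_log.1
httpd 5907 root 15w VREG 64,0x8 140 72931 error_log
httpd 5907 root 16w VREG 64,0x8 0 72932 error_log.ssl
httpd 5907 root 19w VREG 64,0x8 787 72935 ssl_engine_log
httpd 5907 root 21w VREG 64,0x8 0 72939 extended_log
httpd 5907 root 22w VREG 64,0x8 0 72939 extended_log
httpd 5907 root 23w VREG 64,0x8 0 72940 ssl_request_log
EOF
}

check_sample() {
    tmp=$(mktemp -d) || return 1
    sample_before > "$tmp/before"
    sample_after > "$tmp/after"
    stale_fds "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}
check_sample    # prints: 5907 10w error_log.1
```

The comparison keys on PID, so it covers the parent httpd, which keeps its PID across `apachectl graceful`; children are replaced and show up under new PIDs.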