[Bug 63687] High Memory usage after upgrade to 2.4.41
https://bz.apache.org/bugzilla/show_bug.cgi?id=63687 --- Comment #40 from Curtis Wilson --- I don't believe that .gdbinit is complete. When you use dump_all_pools, it tries to call dump_pool_and_children, which looks like it is done via the python portion but is not actually defined and does not exist. (gdb) dump_all_pools Undefined command: "dump_pool_and_children". Try "help". This is not actively happening, but I did have to install debug packages and restart httpd in order to be able to provide this info when it is. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 63687] High Memory usage after upgrade to 2.4.41
https://bz.apache.org/bugzilla/show_bug.cgi?id=63687 --- Comment #39 from Yann Ylavic --- (In reply to Curtis Wilson from comment #38) Can you apply Ruediger's debugging steps from comment #13 on your system? When the memory is high enough, that would be a good way to gather informations on what happens in httpd-2.4.41 (at least) with apr-1.7, the combination that seems to matter. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 63687] High Memory usage after upgrade to 2.4.41
https://bz.apache.org/bugzilla/show_bug.cgi?id=63687 --- Comment #38 from Curtis Wilson --- Due to our Apache being provided by cPanel with EasyApache4, we will not be able to custom compile different APR or Apache versions to test. Setting the LD_LIBRARY_PATH can be done in /etc/sysconfig/http . Older versions of Apache and the APR would only be able to be obtained via RPM from cPanel and those older RPM's do not exist any longer. What we have noticed is without specifying what path to use is that Apache is opening the right APR, verified by using lsof on the Apache PID's.. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 60182] SSLStaplingFakeTryLater Deviates From Documented Behavior of Only Being Effective When SSLStaplingReturnResponderErrors is On
https://bz.apache.org/bugzilla/show_bug.cgi?id=60182 --- Comment #3 from gmoni...@gmail.com --- @ Yann Ylavic , thanks for the suggestion. I think in most website hosting operation there is not really much use in delivering TryLater responses and probably not any of the other unsigned OCSP messages either. It is an example of Postel's principle, be conservative in what you send, do not send anything that might seem obscure. So, in those operations you just would want ReturnResponderErrors off. What could clients use an unsigned response for? Would a browser keep retrying a TLS connection to a webserver in the background if it got a TryLater and then immediately blank the site if it got a response with a retraction? In some dedicated enviroments it may be useful for Apache to be a 'true' proxy and then a TryLater seems to be semantically correct if Apache waited for a programmed timeout and couldn't reach the origin for that time, no need to consider that a 'fake' response. So, in both cases for ReturnResponderErrors, FakeTryLater should just be on. In the "off" case for it to be cached for a short while, but NOT returned, and keep the server from retrying too often, and in the "on" case to note that it couldn't provide a signed response after waiting for it. I commented on this Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1323141 to try and get that client to move, because they are just a bit too convervative on what is accepted, and together with the current Apache 2.4 behaviour this leads to unnecessary outage for their users. If there is any additional programming time, it would be nice to work on making it the *most* likely possible, that a staple can be returned. So, inspect the cache for soon to update OCSP responses and try one or several times in advance at different spacings to get a new OCSP response. That would be a security benefit. Or maybe provide a longer timeout option when a certificate has a Must-Staple attribute. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 63687] High Memory usage after upgrade to 2.4.41
https://bz.apache.org/bugzilla/show_bug.cgi?id=63687 --- Comment #37 from Curtis Wilson --- I will be adding "SetEnv LD_LIBRARY_PATH $path" on 5 test boxes tonight the the location of the 1.7.0 APR that cPanel provides. However I do want to point out that APR 1.7.0 has had 0 issues or at least we are not seeing issues in Apache 2.4.39. It looks like we received Apache APR 1.7.0 in May of 2019 and it was already running on our servers with Apache 2.4.39 before the release of Apache 2.4.41, it seems that after Apache 2.4.41 released and was distributed whether via cPanel or normal repositories are when issues started occurring. Once I have an update on the test boxes I will update though. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 63687] High Memory usage after upgrade to 2.4.41
https://bz.apache.org/bugzilla/show_bug.cgi?id=63687 --- Comment #36 from Yann Ylavic --- (In reply to nitop from comment #35) > It does not matter in which version APR is compiled. Could you please run httpd with LD_LIBRARY_PATH including your compiled apr/lib directory or alternatively configure like: LDFLAGS="-Wl,-rpath,/usr/local/apr/lib" ./configure ... Compiling with an APR version doesn't mean httpd will link to it at runtime, unless one of the above is used. Then we can really figure out whether it's due to APR-1.7 or not. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 60182] SSLStaplingFakeTryLater Deviates From Documented Behavior of Only Being Effective When SSLStaplingReturnResponderErrors is On
https://bz.apache.org/bugzilla/show_bug.cgi?id=60182 --- Comment #2 from Yann Ylavic --- Since the fake TryLater later response will no longer be sent (cached only) unless ReturnResponderErrors is on, I wonder if we should add a new SSLStaplingReturnResponderErrors notfake (tristate off/on/notfake) to preserve compatibility. Or possibly an other way around, SSLStaplingFakeTryLater off/on/cache. Thoughts ? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 63687] High Memory usage after upgrade to 2.4.41
https://bz.apache.org/bugzilla/show_bug.cgi?id=63687 --- Comment #35 from nitop --- Hello, I've also tried it again: Setting "RegexDefaultOptions -DOTALL" does not help us. The servers start overcommitting after a few hours - so we have to go back again to 2.4.39. It does not matter in which version APR is compiled. # apache2ctl -V Server version: Apache/2.4.41 (Unix) Server built: Feb 27 2020 07:54:36 Server's Module Magic Number: 20120211:88 Server loaded: APR 1.6.3, APR-UTIL 1.6.1 Compiled using: APR 1.6.3, APR-UTIL 1.6.1 Architecture: 64-bit Server MPM: worker threaded: yes (fixed thread count) forked: yes (variable process count) # grep RegexDefaultOption /etc/apache2/apache2.conf RegexDefaultOptions -DOTALL We are not using HTTP2 or mod_md. Compiled with: APR 1.6.3: ./configure --prefix=/usr/local/apr/ make make install APR-UTIL 1.6.1: ./configure --prefix=/usr/local/apr/ --with-apr=/usr/local/apr/ make make install Apache2: ./configure --enable-layout=Debian --enable-so --with-program-name=apache2 --with-suexec-caller=www-data --with-mpm=worker --with-suexec-bin=/usr/lib/apache2/suexec --with-suexec-docroot=/var/www --with-suexec-userdir=public_html --with-suexec-logfile=/var/log/apache2/suexec.log --with-suexec-uidmin=100 --enable-suexec=shared --enable-log-config=static --enable-logio=static --enable-version=static --with-apr=/usr/local/apr/bin/apr-1-config --with-apr-uti l=/usr/local/apr/bin/apu-1-config --with-pcre=/usr/local/pcre --enable-pie --with-ssl=/usr/lib/ssl --enable-ssl=shared --enable-vhost-alias=shared --enable-module=shared --enable-authn-alias=shared \ --enable-disk-cache=shared --enable-cache=shared \ --enable-mem-cache=shared --enable-file-cache=shared \ --enable-cern-meta=shared --enable-dumpio=shared --enable-ext-filter=shared \ --enable-charset-lite=shared --enable-cgi=shared \ --enable-dav-lock=shared --enable-log-forensic=shared \ --enable-proxy=shared \ --enable-proxy-connect=shared --enable-proxy-ftp=shared \ --enable-proxy-http=shared --enable-proxy-ajp=shared \ --enable-proxy-scgi=shared \ --enable-proxy-balancer=shared \ --enable-authn-dbm=shared --enable-authn-anon=shared \ --enable-authn-dbd=shared --enable-authn-file=shared \ --enable-authn-default=shared --enable-authz-host=shared \ --enable-authz-groupfile=shared --enable-authz-user=shared \ --enable-authz-dbm=shared --enable-authz-owner=shared \ --enable-authz-default=shared \ --enable-auth-basic=shared --enable-auth-digest=shared \ --enable-dbd=shared --enable-deflate=shared \ --enable-include=shared --enable-filter=shared \ --enable-env=shared --enable-mime-magic=shared \ --enable-expires=shared --enable-headers=shared \ --enable-ident=shared --enable-usertrack=shared \ --enable-unique-id=shared --enable-setenvif=shared \ --enable-status=shared \ --enable-autoindex=shared --enable-asis=shared \ --enable-info=shared --enable-cgid=shared \ --enable-dav=shared --enable-dav-fs=shared \ --enable-vhost-alias=shared --enable-negotiation=shared \ --enable-dir=shared --enable-imagemap=shared \ --enable-actions=shared --enable-speling=shared \ --enable-userdir=shared --enable-alias=shared \ --enable-rewrite=shared --enable-mime=shared \ --enable-substitute=shared --enable-reqtimeout=shared -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org