RE: Problems with Apache SSL under load

2003-12-12 Thread Dale Weaver

THANK YOU!!  I just missed it!  It was still set to the default (450).  

Should work much better now.  

Thanks again to all who responded.  I think this is the solution.
Won't know for sure until the next wave hits.

I guess I should be nominated for a bonehead award. ;)

-

Dale Weaver   [EMAIL PROTECTED]
UNIX Systems Administrator  (919) 662-3508
Wake Technical Community College  fax (919) 662-3504

On Fri, 12 Dec 2003, Jorge Carrizo wrote:

> changing max proc per user might help, say to 1000
>
> chdev -l sys0 -a maxuproc='1000'
>
> for AIX 4.3.3.0
>
> HTH
> jorge
>
> --- Boyle Owen [EMAIL PROTECTED] wrote:
> > > -----Original Message-----
> > > From: Dale Weaver [mailto:[EMAIL PROTECTED]]
> > >
> > > I have Apache 1.3.27 compiled with mod SSL using openssl 0.9.6.g
> > > OS=AIX 5.1.
> > >
> > > The SSL site stops executing CGI scripts when load gets a little
> > > high.  I checked the process list and found 106 httpd servers running.
> > > System loads at the UNIX level were nominal (< 0.8).
> > >
> > > I get tons of the following error in my error logs:
> > >
> > > [Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar1
> > > [Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar2
> > > [Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/register.cgi
> >
> > Might be to do with system resources like file descriptors or
> > semaphores. I'm afraid I don't know where to check these on AIX...
> >
> > Rgds,
> > Owen Boyle
> > Disclaimer: Any disclaimer attached to this message may be ignored.
> >
> > > HTML page responses are still very fast even with the errors.
> > >
> > > Problem does not occur when number of Apache servers < 70.
> > >
> > > This is not a great deal of load.  The hardware is capable of handling
> > > a lot more than that.
> > >
> > > Can someone point me in the right direction?  Help is greatly
> > > appreciated.
> > > Server configs available on request.  Don't want to send large
> > > stuff over the list.
> > >
> > > Thanks.
> > >
> > > Dale Weaver   [EMAIL PROTECTED]
> > > UNIX Systems Administrator  (919) 662-3508
> > > Wake Technical Community College  fax (919) 662-3504
 
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager  [EMAIL PROTECTED]

Problems with Apache SSL under load

2003-12-11 Thread Dale Weaver

I have Apache 1.3.27 compiled with mod SSL using openssl 0.9.6.g
OS=AIX 5.1.

The SSL site stops executing CGI scripts when load gets a little 
high.  I checked the process list and found 106 httpd servers running.
System loads at the UNIX level were nominal (< 0.8).

I get tons of the following error in my error logs:

[Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar1
[Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar2
[Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/register.cgi

HTML page responses are still very fast even with the errors.

Problem does not occur when number of Apache servers < 70.

This is not a great deal of load.  The hardware is capable of handling
a lot more than that.

Can someone point me in the right direction?  Help is greatly appreciated.
Server configs available on request.  Don't want to send large stuff over
the list.

Thanks.

-

Dale Weaver   [EMAIL PROTECTED]
UNIX Systems Administrator  (919) 662-3508
Wake Technical Community College  fax (919) 662-3504
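
The `(11)Resource temporarily unavailable` lines in this thread are errno 11 (EAGAIN) coming back when Apache tries to create the CGI child, the symptom the reply attributes to the per-user process limit (`maxuproc`). As an added example, not part of the original posts: a shell script that counts those failures per script and per minute in an error_log and flags a process count close to the limit. The sample log lines, the 80% threshold and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise CGI spawn failures from an Apache error_log and
# check how close a process count is to the per-user limit.

# Constructed sample in the format quoted in the thread (the archive left
# the client address empty); the first line is an unrelated error.
sample_log() {
cat <<'EOF'
[Thu Dec 11 05:59:58 2003] [error] [client ] File does not exist: /usr/local/apache/ssldocs/favicon.ico
[Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar1
[Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/register.cgi
[Thu Dec 11 06:00:01 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar1
[Thu Dec 11 06:00:01 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/register.cgi
[Thu Dec 11 06:00:02 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar2
[Thu Dec 11 06:00:02 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/register.cgi
EOF
}

# Read an error_log on stdin; print "count script", most failures first.
spawn_failures() {
    awk '/Resource temporarily unavailable: couldn.t spawn child process: / {
             n[$NF]++          # last field is the CGI path (no spaces assumed)
         }
         END { for (p in n) print n[p], p }' | sort -k1,1nr -k2
}

# Per-minute failure counts, to see when the limit was being hit.
failures_per_minute() {
    awk '/couldn.t spawn child process: / {
             split($4, t, ":"); m[$2 " " $3 " " t[1] ":" t[2]]++
         }
         END { for (k in m) print m[k], k }' | sort -k2
}

# True (exit 0) when count $1 has reached $3 percent (default 80) of limit $2.
# On a live host: count from `ps -u <user> -o pid= | wc -l`, limit from
# `lsattr -El sys0 -a maxuproc` on AIX or `ulimit -u` elsewhere.
near_limit() {
    [ $(( $1 * 100 )) -ge $(( $2 * ${3:-80} )) ]
}

sample_log | spawn_failures
sample_log | failures_per_minute
near_limit 440 450 && echo "440 of 450 processes: close to the per-user limit"
```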



Server Load problems under heavy SSL traffic

2002-12-12 Thread Dale Weaver
We are experiencing problems under heavy traffic to our SSL site.
I have read the FAQ on performance and have decided to switch to
shmcb caching, but I don't know if that will help the problem.

With about 300 concurrent users the server loads skyrocket and the
server no longer spawns child processes for CGI scripts.  I have the
Apache 1.3.27 server set up for 4096 concurrent connections and have
made all the suggested performance tuning measures suggested on the
Apache site.  This problem does not occur on the non-ssl site which
has significantly more traffic.

Can anyone offer any insight into this problem?  Here are my specs:

AIX 4.3.3 Dual Processor F40 w/ 1GB RAM 2GB SWAP
Apache with mod_ssl (compiled in) 1.3.27-2.8.11
Openssl 0.9.6g

from http.conf:
<VirtualHost hostname:443>

DocumentRoot /usr/local/apache/ssldocs
ServerName hostname
ServerAdmin me
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
ScriptAlias /cgi-bin/ /usr/local/apache/sslcgi/

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /usr/local/apache/conf/ssl.crt/public.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/private.key
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/intermediate.crt
SSLVerifyClient none
SSLVerifyDepth  10

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
   SSLOptions +StdEnvVars
</Files>
<Directory /usr/local/apache/cgi-bin>
   SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog /usr/local/apache/logs/ssl_request_log \
 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

Any help is appreciated.

-
Dale Weaver   [EMAIL PROTECTED]





RE: How to disable part of the HTTP pages?

2002-06-11 Thread Dale Weaver


I believe it is more accurate to redirect.  It causes less 
confusion:

<VirtualHost *:80>
ServerName  whatever
Redirect  permanent / https://whatever/
</VirtualHost>

Avoids confusion and irritation on the part of site visitors.

-

When a true genius appears in the world, you may know him by
this sign; that the dunces are all in confederacy against him. 
-- Jonathan Swift 
___

Dale Weaver   [EMAIL PROTECTED]
UNIX Systems Administrator  (919) 662-3508
Wake Technical Community College  fax (919) 779-3360

On Sun, 9 Jun 2002, Han,Donghoon wrote:

> Put Deny from all in <Directory /some_directory_to_block> </Directory>
> in the vhost settings where the serving port is 80.
>
> Ex)
> <VirtualHost *:80>
> BlahBlahBlah
> <Directory /usr/docs>
>   Order Deny,Allow
>   Deny from all
> </Directory>
> </VirtualHost>
>
> <VirtualHost *:443>
> BlahBlah
> <Directory /usr/docs>
>   Order Allow,Deny
>   Allow from all
> </Directory>
> </VirtualHost>
>
> Refer to the apache manual for further information.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of lin geng
> Sent: Saturday, June 08, 2002 10:44 AM
> To: [EMAIL PROTECTED]
> Subject: RE: How to disable part of the HTTP pages?
>
> Disable port 80.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Conrad Ng
> Sent: Wednesday, June 05, 2002 8:47 PM
> To: [EMAIL PROTECTED]
> Subject: How to disable part of the HTTP pages?
>
> Dear all
>
> After I have implemented the SSL technology in my servers, I understand
> that users can access securely under HTTPS://link. However, they can still
> access through HTTP://link. Is there any way to block people from
> accessing under HTTP:// ? I'm not meaning to block the whole port 80 but
> only some pages, does it belong to the settings of Apache or what? Please
> instruct. Thanks a lot!!
>
> Regards
>
> Conrad Ng
 
 



Re: Runs on local...but can't see it anywhere else

2002-05-17 Thread Dale Weaver


Make sure your server is set up in DNS for your domain as well.

-

Let me up to get my bat and I'll thank you.
   -- Calvin
___

Dale Weaver   [EMAIL PROTECTED]
UNIX Systems Administrator  (919) 662-3508
Wake Technical Community College  fax (919) 779-3360

On Fri, 17 May 2002, DG Speekenbrink wrote:

> Hi,
>
> This sounds more like a general Apache config problem.
> Is it possible to request pages with the regular http:// request?
>
> If not, some settings in your httpd.conf are the problem.
>
> Good luck,
>
> Dennis
>
> Alex Earl wrote:
> >
> > Hi!
> >
> > First off I would like to thank you for your help and knowledge! I enjoy
> > this forum a lot!
> >
> > I have set up mod_ssl with Apache 1.3 and everything seems to run just fine
> > on the local machine. I can curl https://localhost (and the actual server
> > address) and get the right stuff...but when I try to access it from anywhere
> > else I get a server not found error. Any ideas?!
> >
> > Thanks!
> >
> > Alex Earl
  



DNS aliases modssl

2002-02-28 Thread Dale Weaver

I have got modssl 2.8.26 compiled in Apache 1.3.23.  It works fine on my
workstation where I built it to test, however I have not put it on my
production webserver.  My web server has a fully qualified DN that is pretty
long but I have another domain that is short.  How does modssl determine
which DN it is running under when it compares it to the cert?  Is it DNS,
httpd.conf, URL accessed, hostname, etc.?

If someone accesses my site under the www.very.very.long.domain via https
and my cert is built for www.short.dom and the server name in httpd.conf is
www.very.very.long.domain, will it still work?  They are both the same in
DNS.  Dual entries for the address and not just an alias.

Just a little confused about how modssl handles multiple domain names for
the same server given that the certs are domain specific.

Any clarification is appreciated.

Dale
-





Re: DNS aliases modssl

2002-02-28 Thread Dale Weaver


OK.  I think I get it.  

Looks like the simple solution would be to get a CA cert for the
short domain and provide links to the SSL portion to make sure
it is accessed via the proper URL and limit access in the SSL 
section of the site to only accept from that referring page. 

Thanks.

-

Dale Weaver   [EMAIL PROTECTED]

On Thu, 28 Feb 2002, Luciano Miguel Ferreira Rocha wrote:

> On Thu, Feb 28, 2002 at 10:23:56AM -0500, Dale Weaver wrote:
> > pretty long but I have another domain that is short.  How does modssl
> > determine which DN it is running
> > under when it compares it to the cert?  Is it DNS, httpd.conf, URL
> > accessed, hostname, etc.?
>
> AFAIK modssl does *not* compare the cert with the DN. Only the browser does
> that.
>
> And if both DN point to the same IP address, how can modssl, or any server,
> know what DN the client used?
>
> modssl returns the cert as specified in httpd.conf, under a VirtualHost
> section. And that respective VirtualHost can only be calculated by the
> destination IP address (the one the client is connecting to).
>
> So, you'll either need to use different IP addresses for each DN, or,
> in your non-ssl site and https urls, point to just one address.
>
> Regards,
> Luciano Rocha
>
> --
> Luciano Rocha, [EMAIL PROTECTED]
>
> The trouble with computers is that they do what you tell them, not what
> you want.
> -- D. Cohen
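
The name check discussed in this thread happens on the client: the server hands out the certificate configured for its VirtualHost, and the client compares the name in that certificate with the host in the URL. As an added example, not part of the original thread, this shell script builds a throwaway self-signed certificate for `www.short.dom` and runs OpenSSL's hostname check against both names from the question. It assumes an `openssl` binary of version 1.0.2 or later (for `-checkhost`); the file and function names are constructed.

```sh
#!/bin/sh
# Added example: what a client's hostname check decides when one server is
# reachable under two DNS names but its certificate carries only one.

# Create a throwaway key and self-signed certificate in dir $1 with CN $2.
# CN only, as certificates were issued in 2002; current browsers require a
# subjectAltName entry instead.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Exit 0 if certificate file $1 is valid for hostname $2.
name_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# Report the outcome for each name a visitor might use in the URL.
check_names() {
    cert=$1; shift
    for host in "$@"; do
        if name_matches "$cert" "$host"; then
            echo "$host: accepted"
        else
            echo "$host: name mismatch warning"
        fi
    done
}

dir=$(mktemp -d)
make_cert "$dir" www.short.dom
check_names "$dir/cert.pem" www.short.dom www.very.very.long.domain
rm -rf "$dir"
```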



libssl.so won't load

2002-02-08 Thread Dale Weaver

I have an AIX server running 4.3.3.  I have installed openssl-0.9.6.3,
Apache 1.3.19 and mod_ssl 2.8.2.0.  All installed fine, however
when I try to start the server I get the errors:

Syntax error on line 236 of /etc/apache/httpd.conf:
Cannot load /usr/local/lib/apache/libssl.so into server:0509-022 Cannot load module /usr/local/lib/apache/libssl.so.
0509-150   Dependent module /usr/local/lib/libssl.a(libssl.so) could not be loaded.
0509-152   Member libssl.so is not found in archive
0509-022 Cannot load module /usr/local/lib/libssl.a.
0509-150   Dependent module /usr/local/lib/libssl.a could not be loaded