[users@httpd] a lot of 502 error with using mod_proxy_http after upgrading tomcat

2016-03-10 Thread Kenichi MASUDA
Hi,

I posted to the tomcat-users mailing list about my situation and was
recommended to post to the httpd-users mailing list,
so I am asking here too (I apologize for the multi-post).

Our system is httpd and tomcat: a client sends a request to httpd, which
listens on port 80, and httpd then passes it to the tomcat that runs in the
backend on port 8080, using this rewrite rule:

RewriteCond %{REQUEST_URI} !\.(png|jpe?g|gif|css|js|xml|json|jsonp|ico|html?|swf|txt)$
RewriteRule ^/(.*)$ http://localhost:8080/core/$1 [P,L]


These errors started occurring after upgrading tomcat from 7.0.39-1 to 7.0.68-1.

The httpd log says "proxy: Error reading from remote server returned by"

and

a client sees "502 proxy error. The proxy server received an invalid
response from an upstream server. The proxy server could not handle the
request POST /foo/bar"


I downgraded tomcat to 7.0.39-1, and these errors disappeared.

Is there any way to trace this situation?
Has anyone seen or encountered this error?



-- 
mailto:masu...@gmail.com


[users@httpd] Re: Apache::ASP question

2016-03-10 Thread Good guy

On 10/03/2016 20:21, Rose, John B wrote:

Some users are wanting to access a Microsoft Access database from Apache.

They want to use this …

Apache::ASP

Is that possible within Apache on a linux server?

What are the options for accessing Access databases from Apache?

Thanks




Yes it is possible. You need to install binaries for Linux (or other
means). See this official document:




Microsoft has made ASP.net open source and so it can be installed on 
Linux as well as Mac. You can also use C# on linux because of this new 
Microsoft policy!


Good luck.




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



[users@httpd] Apache::ASP question

2016-03-10 Thread Rose, John B
Some users are wanting to access a Microsoft Access database from Apache.

They want to use this ...

Apache::ASP

Is that possible within Apache on a linux server?

What are the options for accessing Access databases from Apache?

Thanks




Re: Re: [users@httpd] Lots of messages "[ssl:warn] Resource deadlock avoided: AH02026: Failed to acquire SSL session cache lock"

2016-03-10 Thread Yann Ylavic
On Thu, Mar 10, 2016 at 4:14 PM, Hildegard Meier  wrote:
>
>> > Mutex file:${APACHE_LOCK_DIR} default
>>
>> Does it come from Ubuntu?
>> If so, I don't think any modern Linux should configure the "file" mutex
>> mechanism by default, and you could possibly report it...
>
> Yes, that is the entry of Ubuntu 14 ("Trusty") default apache2.conf file, see
> http://packages.ubuntu.com/de/trusty/apache2
> there the linked file
> http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.4.7-1ubuntu4.5.debian.tar.gz
> in the tarball the file
> /debian/config-dir/apache2.conf

That does not look very sensible to me...

>
> Great, thanks, I think we will try without Mutex directive. So if apache2ctl 
> -V gives
>  -D APR_USE_SYSVSEM_SERIALIZE
>  -D APR_USE_PTHREAD_SERIALIZE
> then the first is taken as default?

The former mechanism is about synchronization between processes
(apr_proc_mutex), whereas the latter is about synchronization between
threads (apr_thread_mutex).
Actually the "pthread" mechanism used to synchronize processes is
defined as APR_USE_PROC_PTHREAD_SERIALIZE, which is not very easy to guess,
but that's for historical reasons (proc-pthreads were added later...).

>
> I just checked what is the active Mutex:
>
> #apache2ctl -t -D DUMP_RUN_CFG
> ServerRoot: "/etc/apache2"
> Main DocumentRoot: "/var/www"
> Main ErrorLog: "/var/log/apache2/error.log"
> Mutex watchdog-callback: using_defaults
> Mutex rewrite-map: using_defaults
> Mutex ssl-stapling: using_defaults
> Mutex proxy: using_defaults
> Mutex ssl-cache: using_defaults
> Mutex default: dir="/var/lock/apache2" mechanism=fcntl

That's when you configure "Mutex fcntl:/var/lock/apache2" right, not
by default (no Mutex)?

> Mutex mpm-accept: using_defaults
> PidFile: "/var/run/apache2/apache2.pid"
> Define: DUMP_RUN_CFG
> Define: ENABLE_USR_LIB_CGI_BIN
> User: name="www-data" id=33
> Group: name="www-data" id=33
>
> It looks strange to me that fcntl is used but no files exist in 
> /var/lock/apache2

That's because the file is immediately unlinked after being opened
(still the inode remains until the last file descriptor is closed).
Since httpd's children processes inherit the descriptor when created,
it works (no process needs to open that file later).

>
>> Hopefully, the "file" mechanism is not suitable anyway on modern OS.
> Thanks for the info!

As Eric mentioned, "fcntl" may not be suitable either, which lets no
Mutex, if the above command reports "Mutex default: mechanism=[sysvsem
or pthread]", or explicitly "Mutex [sysvsem or pthread] default"...

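The "using_defaults" lines in that DUMP_RUN_CFG output are easy to misread: the ssl-cache mutex was in fact file-backed via the default. The following added example (not code from httpd or from anyone in the thread) reads that output and reports each mutex's effective mechanism, flagging file, fcntl and flock; it assumes the line formats shown in the dump above.

```shell
#!/bin/sh
# Added example for this thread (not code from httpd or from any poster):
# feed the output of "apache2ctl -t -D DUMP_RUN_CFG" to check_mutex_mechanisms
# on stdin. It resolves every "using_defaults" mutex against the
# "Mutex default:" line and flags the file-backed mechanisms (file, fcntl,
# flock), which is what the ssl-cache mutex was silently using here.
# Assumes the line formats shown in the thread, e.g.
#   Mutex ssl-cache: using_defaults
#   Mutex default: dir="/var/lock/apache2" mechanism=fcntl

check_mutex_mechanisms() {
    awk '
        # The "default" entry carries the mechanism every using_defaults
        # mutex inherits; remember it and do not list it as a mutex itself.
        /^Mutex default:/ {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^mechanism=/) { sub(/^mechanism=/, "", $i); def = $i }
            next
        }
        # Named mutexes: either "using_defaults" or an explicit mechanism=...
        /^Mutex / {
            name = $2; sub(/:$/, "", name)
            mech = ""
            if ($3 == "using_defaults") {
                mech = "(default)"
            } else {
                for (i = 3; i <= NF; i++)
                    if ($i ~ /^mechanism=/) { sub(/^mechanism=/, "", $i); mech = $i }
            }
            names[++n] = name; mechs[n] = mech
        }
        END {
            # Resolve defaults only now: the "Mutex default:" line may come
            # after some of the named mutexes in the dump.
            for (i = 1; i <= n; i++) {
                m = mechs[i]
                if (m == "(default)") m = def
                if (m == "") m = "unknown"
                flag = (m == "file" || m == "fcntl" || m == "flock") ? "FILE-BACKED" : "ok"
                print names[i], m, flag
            }
        }'
}

# Constructed sample: the DUMP_RUN_CFG output posted in the thread.
sample_dump_run_cfg() {
    cat <<'EOF'
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
User: name="www-data" id=33
Group: name="www-data" id=33
EOF
}

# Prints e.g. "ssl-cache fcntl FILE-BACKED" for the sample above; on a live
# host run: apache2ctl -t -D DUMP_RUN_CFG | check_mutex_mechanisms
sample_dump_run_cfg | check_mutex_mechanisms
```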



Aw: Re: [users@httpd] Lots of messages "[ssl:warn] Resource deadlock avoided: AH02026: Failed to acquire SSL session cache lock"

2016-03-10 Thread Hildegard Meier
> There is an old dev@ thread that talks about the same deadlock
> avoidance issues from fcntl
> on other platforms (at least Solaris). I think it's not really usable
> in httpd as soon as you have two mutexes.

Read that, thought it would be only special for Solaris...




Re: [users@httpd] Apache virus scanning

2016-03-10 Thread Wei-min Lee
You can configure scheduled scans of your system with clamav. As for real
time protection, that'll take some research - might even have to consider a
commercial product. But if you end up paying for a commercial product, you
might as well get one that also supports ICAP - the popular ones do
nowadays, but it's best to confirm.

~Sent from my Google Nexus 6P~
On Mar 10, 2016 1:06 AM, "Rubén Toribio Aldeguer"  wrote:

> Thanks, this information is very useful for me too. What about an
> antivirus on the server? Do you have any experience with it?
>
> TX.
>
> 2016-03-09 21:22 GMT+01:00 Wei-min Lee :
>
>> Using ICAP is a good way to go so that the person uploading files can be
>> notified of upload fails due to the virus scan.  Relying on filesystem
>> virus scans lacks visibility of quarantined/rejected files.
>>
>> On Wed, Mar 9, 2016 at 12:18 PM, Wei-min Lee 
>> wrote:
>>
>>> You could use clamav via ICAP with squid transparently in front of
>>> apache.
>>>
>>> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP
>>> http://squidclamav.darold.net/config.html
>>>
>>> http://louwrentius.com/setting-up-a-squid-proxy-with-clamav-anti-virus-using-c-icap.html
>>>
>>> On Wed, Mar 9, 2016 at 8:12 AM, Aurélien Terrestris <
>>> aterrest...@gmail.com> wrote:
>>>
 On a large scale prod (200 000 users/day), I was using proxies working
 with antivirus through ICAP protocol (RFC 3507). The results were pretty
 good.
 I am not sure we could use this technology with Apache, and ICAP seems
 a bit old now.

 2016-03-09 16:45 GMT+01:00 Christopher Schultz <
 ch...@christopherschultz.net>:

> John,
>
> On 3/9/16 10:21 AM, Rose, John B wrote:
> > What about if your web sites allow for uploading files? Would you
> not want
> > to scan those on upload before they got on your filesystem?
>
> Sure, it would be nice to have the file scanned during upload, but I'm
> guessing that the AV can't give an opinion on a file until it's been
> completely-uploaded. In that case, do you really want to buffer the
> whole file in memory to scan it?
>
> I think the file is going to make it -- at least in part -- to the disk
> either way, unless you have other controls in place such as upload-size
> limits where you can make a good bet that in-memory scanning can be
> done
> without bringing-down your server.
>
> Anyhow, I don't have any particular experience with mod_clamav or
> anything like that. Certainly I wouldn't rely upon it solely, since
> there are other ways files can make it onto your server(s). But it
> probably couldn't hurt.
>
> Things I'd be worried about are which requests will be scanned by the
> AV? Will every single GET/POST/etc. be scanned? That might cause a
> significant impact on your response times. Also, the aforementioned
> buffering -- does the file have to remain in memory to be scanned, or
> will it be streamed to a disk somewhere first? You don't want AV-scans
> to bust your memory cap.
>
> -chris
>
> > On 3/9/16 9:49 AM, "Christopher Schultz" <
> ch...@christopherschultz.net>
> > wrote:
> >
> >> John,
> >>
> >> On 3/8/16 6:02 PM, Rose, John B wrote:
> >>> I am interested in both
> >>>
> >>> Thanks
> >>>
> >>> Sent from my iPad
> >>>
>  On Mar 8, 2016, at 3:27 PM, Christopher Schultz
>   wrote:
> 
> >>> John
> >>>
> >> On 3/8/16 2:43 PM, Rose, John B wrote:
> >> Looking for comments on mod_clamav, and any other alternative
> >> antivirus software for Apache on linux
> >>>
> >>> Are you trying to protect your clients or your servers?
> >>
> >> I would imagine that running any AV software that monitors the
> >> filesystem for changes would be sufficient. Why do you think you
> need an
> >> httpd module for this?
> >>
> >> -chris
> >>
> >>
>
>

>>>
>>>
>>> --
>>> *~Wei-min Lee~*
>>>
>>
>>
>>
>> --
>> *~Wei-min Lee~*
>>
>
>
>
> --
>
> *Rubén Toribio Aldeguer*
> Técnico Sistemas DataCenter
> Informática Área Sistemas
> 

Aw: Re: [users@httpd] Lots of messages "[ssl:warn] Resource deadlock avoided: AH02026: Failed to acquire SSL session cache lock"

2016-03-10 Thread Hildegard Meier


> > Mutex file:${APACHE_LOCK_DIR} default
> 
> Does it come from Ubuntu?
> If so, I don't think any modern Linux should configure the "file" mutex
> mechanism by default, and you could possibly report it...

Yes, that is the entry of Ubuntu 14 ("Trusty") default apache2.conf file, see
http://packages.ubuntu.com/de/trusty/apache2
there the linked file
http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.4.7-1ubuntu4.5.debian.tar.gz
in the tarball the file
/debian/config-dir/apache2.conf


> Honestly I don't know how "fnctl" works on Linux, but I'd recommend
> using no Mutex directive at all (same as "Mutex default") which falls
> back to "Mutex sysvsem default" given your output of apachectl (i.e.
> "-D APR_USE_SYSVSEM_SERIALIZE"), or possibly "Mutex pthread default"
> which is the most efficient on Linux IMHO (also robust, leaks free on
> crashes).
Great, thanks, I think we will try without Mutex directive. So if apache2ctl -V 
gives
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
then the first is taken as default?

I just checked what is the active Mutex:

#apache2ctl -t -D DUMP_RUN_CFG
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33

It looks strange to me that fcntl is used but no files exist in 
/var/lock/apache2

> Hopefully, the "file" mechanism is not suitable anyway on modern OS.
Thanks for the info!
 




Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?

2016-03-10 Thread Christopher Schultz
Eric,

On 3/9/16 8:44 PM, Eric Covener wrote:
> On Wed, Mar 9, 2016 at 8:40 PM, Francis Roy  
> wrote:
>>  drwxr-x--- username
> 
> 
> If you want to serve out of your home directory, it needs to be
> executable by "other".

Or group-owned by whatever group httpd runs under.

No ownership was previously posted, so it's tough to tell how the
permissions will be applied.

-chris




Re: [users@httpd] Lots of messages "[ssl:warn] Resource deadlock avoided: AH02026: Failed to acquire SSL session cache lock"

2016-03-10 Thread Eric Covener
On Thu, Mar 10, 2016 at 8:08 AM, Yann Ylavic  wrote:
>
> Honestly I don't know how "fnctl" works on Linux, but I'd recommend
> using no Mutex directive at all (same as "Mutex default") which falls
> back to "Mutex sysvsem default" given your output of apachectl (i.e.
> "-D APR_USE_SYSVSEM_SERIALIZE"), or possibly "Mutex pthread default"
> which is the most efficient on Linux IMHO (also robust, leaks free on
> crashes).


There is an old dev@ thread that talks about the same deadlock
avoidance issues from fcntl
on other platforms (at least Solaris). I think it's not really usable
in httpd as soon as you have two mutexes.

-- 
Eric Covener
cove...@gmail.com




Re: [users@httpd] Lots of messages "[ssl:warn] Resource deadlock avoided: AH02026: Failed to acquire SSL session cache lock"

2016-03-10 Thread Yann Ylavic
On Thu, Mar 10, 2016 at 11:09 AM, Hildegard Meier  wrote:
> Reading
> https://httpd.apache.org/docs/2.4/en/mod/core.html#mutex
>
> I guess, expected behaviour of active directive
>
> Mutex file:${APACHE_LOCK_DIR} default

Does it come from Ubuntu?
If so, I don't think any modern Linux should configure the "file" mutex
mechanism by default, and you could possibly report it...

>
> would be
> Mutex fnctl:${APACHE_LOCK_DIR} default
> ?
>
> Maybe it's worth a try to add the line
>
> Mutex fnctl:${APACHE_LOCK_DIR} ssl-cache

Honestly I don't know how "fnctl" works on Linux, but I'd recommend
using no Mutex directive at all (same as "Mutex default") which falls
back to "Mutex sysvsem default" given your output of apachectl (i.e.
"-D APR_USE_SYSVSEM_SERIALIZE"), or possibly "Mutex pthread default"
which is the most efficient on Linux IMHO (also robust, leaks free on
crashes).

>
> and look if
> /var/lock/apache2/ssl-cache
> gets created

Both suggested mechanisms above are not file backed: "sysvsem" can be
seen with the "ipcs -s" command and "pthread" is (shared-)memory only.

> and the
> "AH02026: Failed to acquire SSL session cache lock" messages disappear?

Hopefully, the "file" mechanism is not suitable anyway on modern OS.

>
> But we need to test that on our standby server after upgrading that to Apache 
> 2.4 which will be done in 10 days or so.

Good idea :)

Regards,
Yann.




Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?

2016-03-10 Thread Richard

> Date: Thursday, March 10, 2016 12:24:23 +
> From: Lester Caine 
>
> On 10/03/16 01:40, Francis Roy wrote:
>> This is a new install of Linux Mint 17.x with the default
>> Apache/2.4.7 (Ubuntu) install at /etc/apache2
>> My websites, plain html and PHP are kept on a different hard-drive.
>> /media/username/Terrabyte/00_Server/htdocs
> 
> Francis ...
> Since security on Linux is a high priority, many of the default
> actions are set up with that in mind.
> When Apache is installed it uses its own user and group and if the
> demo site is also created this is owned by that. I think Ubuntu uses
> 'www-data' and 'www' so the tidy way of changing your setup is to
> 
> chown -R www-data:www /media/username/Terrabyte/00_Server/htdocs

For security reasons, the documentroot directory and files, and other
server related directories/files (configuration, etc.) should never
be owned or writable by the user or group that the web server runs
under. As appropriate they need to be readable by the web server, but
never owned/writable by its user/group (www-data:www in this context).

The issue is that if the web server's user/group own/can write to
those directories/files, and someone is able to break through the
server - either an issue with the server or more likely some poorly
written script - they will control those directories/files and be
able to deface the served content and perhaps more with ease, i.e.,
"own" what is served by your web server.

In general, the documentroot directories/files should be owned by
some unprivileged user and (only) readable by "other".

There may be times when it seems necessary to have the web server
have write access to the directories/files, e.g., for content
updates. In such cases, care needs to be given to how this is done to
ensure that security is maintained.



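A check for the ownership rule Richard describes, as an added example that is not from the thread or from httpd: it walks a DocumentRoot and reports entries owned by, or writable through, the web server's account, and entries that "other" cannot read or traverse (the drwxr-x--- home directory case earlier in this thread). It assumes httpd's numeric uid/gid are passed in (www-data id 33 in the DUMP_RUN_CFG output elsewhere on this page).

```shell
#!/bin/sh
# Added example for the ownership rule above (not code from any poster):
# audit a DocumentRoot tree for entries the web server account could
# own or write, and for entries it cannot even read as "other".
# WEB_UID and WEB_GID are the numeric ids httpd runs as; the thread's
# DUMP_RUN_CFG output shows www-data with id 33. On a live host:
#   audit_docroot /var/www "$(id -u www-data)" "$(id -g www-data)"
#
# audit_docroot DIR WEB_UID WEB_GID
#   prints one "<finding>: <path>" line per problem
#   returns 0 when the tree is clean, 1 otherwise
audit_docroot() {
    dir=$1
    web_uid=$2
    web_gid=$3
    rc=0

    # 1. Owned by the web server account: a compromised httpd (or a buggy
    #    script it runs) could then chmod and rewrite the served content.
    owned=$(find "$dir" -uid "$web_uid")
    if [ -n "$owned" ]; then
        printf '%s\n' "$owned" | sed 's/^/owned-by-web-user: /'
        rc=1
    fi

    # 2. Writable through the web server's group, or writable by everyone.
    writable=$(find "$dir" \( -gid "$web_gid" -perm -g=w \) -o -perm -o=w)
    if [ -n "$writable" ]; then
        printf '%s\n' "$writable" | sed 's/^/web-writable: /'
        rc=1
    fi

    # 3. Not readable/traversable via "other": with a non-web owner and group
    #    this is what httpd actually needs, and it is exactly where the
    #    drwxr-x--- home directory in the thread fails.
    unreadable=$(find "$dir" \( -type d ! -perm -o=rx \) -o \( -type f ! -perm -o=r \))
    if [ -n "$unreadable" ]; then
        printf '%s\n' "$unreadable" | sed 's/^/not-readable-by-other: /'
        rc=1
    fi

    return "$rc"
}

# Constructed demo tree: one clean file, one world-writable, one unreadable.
demo_audit() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/htdocs"
    printf 'ok\n' > "$tmp/htdocs/index.html"
    printf 'x\n' > "$tmp/htdocs/upload.php"
    printf 'x\n' > "$tmp/htdocs/private.html"
    chmod 755 "$tmp/htdocs"
    chmod 644 "$tmp/htdocs/index.html"
    chmod 666 "$tmp/htdocs/upload.php"     # world-writable
    chmod 640 "$tmp/htdocs/private.html"   # no read bit for "other"
    # Use ids that are guaranteed not to be ours, so only the mode checks fire.
    audit_docroot "$tmp/htdocs" $(( $(id -u) + 1 )) $(( $(id -g) + 1 ))
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Reports upload.php as web-writable and private.html as not readable.
demo_audit
```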



Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?

2016-03-10 Thread Lester Caine
On 10/03/16 01:40, Francis Roy wrote:
> This is a new install of Linux Mint 17.x with the default Apache/2.4.7
> (Ubuntu) install at /etc/apache2
> My websites, plain html and PHP are kept on a different hard-drive.
> /media/username/Terrabyte/00_Server/htdocs

Francis ...
Since security on Linux is a high priority, many of the default actions
are set up with that in mind.
When Apache is installed it uses its own user and group and if the demo
site is also created this is owned by that. I think Ubuntu uses
'www-data' and 'www' so the tidy way of changing your setup is to

chown -R www-data:www /media/username/Terrabyte/00_Server/htdocs

Then the chmod can be locked down again.

Of course this will be a problem if you want to edit the content of the
htdoc tree since you no longer own them. I have to admit to simply
opening up access on the development machines, but on production sites I
copy the new files over then correct their user/group.

Another way around the 'problem' if you are the only user on the machine
is to edit the User/Group settings in the apache config files. This can
be fun to find, and used to be in apache.conf, but that may simply link
to uid.conf ... each distribution seems to have its own preferences on
setting this up.

Adding to the jigsaw, the user for a database connection on the same
machine may be different again. All of this is not really an 'icepick',
but makes a lot more sense once one switches off from M$ mode.

-- 
Lester Caine - G8HFL
-
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk




Aw: [users@httpd] Lots of messages "[ssl:warn] Resource deadlock avoided: AH02026: Failed to acquire SSL session cache lock"

2016-03-10 Thread Hildegard Meier
Reading
https://httpd.apache.org/docs/2.4/en/mod/core.html#mutex

I guess, expected behaviour of active directive

Mutex file:${APACHE_LOCK_DIR} default

would be
Mutex fnctl:${APACHE_LOCK_DIR} default

?
Maybe it's worth a try to add the line

Mutex fnctl:${APACHE_LOCK_DIR} ssl-cache

and look if
/var/lock/apache2/ssl-cache
gets created and the 

"AH02026: Failed to acquire SSL session cache lock" messages disappear?

But we need to test that on our standby server after upgrading that to Apache 
2.4 which will be done in 10 days or so.


> Sent: Tuesday, 08 March 2016 at 16:44
> From: "hildegard meier" 
> To: users@httpd.apache.org
> Subject: [users@httpd] Lots of messages "[ssl:warn] Resource deadlock 
> avoided: AH02026: Failed to acquire SSL session cache lock"
>
> OS:
> Ubuntu 14.04 LTS
> 
> Kernel:
> 3.13.0-79-generic x86_64
> 
> Apache:
> 2.4.7-1ubuntu4.5
> 
> The host has just been release-upgraded (with the Ubuntu do-release-upgrade 
> command) from Ubuntu 12.04 LTS
> 
> All Apache config files are the new ones; old configuration entries have been 
> adapted to the new config files manually.
> 
> Issue:
> Most of the 74 vHosts are working fine. But on two vHosts the 
> following message appears nearly every minute:
> 
> [Tue Mar 08 16:08:18.596653 2016] [ssl:warn] [pid 8339:tid 140182179256064] 
> (35)Resource deadlock avoided: AH02026: Failed to acquire SSL session cache 
> lock
> [Tue Mar 08 16:08:20.791623 2016] [ssl:warn] [pid 8849:tid 140182112114432] 
> (35)Resource deadlock avoided: AH02026: Failed to acquire SSL session cache 
> lock
> [Tue Mar 08 16:08:54.230004 2016] [ssl:warn] [pid 8849:tid 140182162470656] 
> (35)Resource deadlock avoided: AH02026: Failed to acquire SSL session cache 
> lock
> [Tue Mar 08 16:13:28.180687 2016] [ssl:warn] [pid 10595:tid 140182095329024] 
> (35)Resource deadlock avoided: AH02026: Failed to acquire SSL session cache 
> lock
> 
> But we are not aware of any impact of this. The server is generally working fine 
> (has some traffic: 700 established AJP proxy connections, 200 busy worker 
> threads, 100 requests/s, 300 KB/s).
> 
> I did not find much about that message. Only official:
> 
> AH02026: Failed to acquire SSL session cache lock"  
> ./modules/ssl/ssl_engine_mutex.c:92
> (source: https://wiki.apache.org/httpd/ListOfErrors)
> 
> We use mpm worker:
> 
> /etc/apache2/mods-enabled/mpm_worker.conf
> 
> StartServers 2
> MinSpareThreads 25
> MaxSpareThreads 75
> ThreadLimit 64
> ThreadsPerChild 35
> MaxRequestWorkers   560
> MaxConnectionsPerChild  1
> 
> 
> 
> /etc/apache2/mods-enabled/ssl.conf
> 
> SSLRandomSeed startup builtin
> SSLRandomSeed startup file:/dev/urandom 512
> SSLRandomSeed connect builtin
> SSLRandomSeed connect file:/dev/urandom 512
> 
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
> 
> SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
> 
> SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
> SSLSessionCacheTimeout  300
> 
> SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5:!RC4
> 
> SSLProtocol all -SSLv3
> 
> 
> 
> socache_shmcb.load
> is loaded (via symlink /etc/apache2/mods-enabled)
> 
> 
> /etc/apache2/apache2.conf
> Mutex file:${APACHE_LOCK_DIR} default
> 
> 
> /etc/apache2/envvars
> export APACHE_PID_FILE=/var/run/apache2/apache2$SUFFIX.pid
> export APACHE_RUN_DIR=/var/run/apache2$SUFFIX
> export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX
> 
> file
> /var/run/apache2/apache2.pid
> exists and contains the proper PID of apache process.
> 
> But there is no "ssl_scache":
> 
> ls -al /var/run/apache2/
> total 4
> drwxr-xr-x  2 root root  80 Mar  8 12:54 .
> drwxr-xr-x 18 root root 680 Mar  8 13:18 ..
> -rw-r--r--  1 root root   5 Mar  8 12:54 apache2.pid
> srwx--  1 www-data root   0 Mar  8 12:54 cgisock.1425
> 
> But according to apache status page, SSL cache is working:
> 
> SSL/TLS Session Cache Status:
> cache type: SHMCB, shared memory: 512000 bytes, current entries: 463
> subcaches: 32, indexes per subcache: 88
> time left on oldest entries' objects: avg: 26 seconds, (range: 0...71)
> index usage: 16%, cache usage: 20%
> total entries stored since starting: 27271
> total entries replaced since starting: 0
> total entries expired since starting: 22693
> total (pre-expiry) entries scrolled out of the cache: 0
> total retrieves since starting: 224953 hit, 14045 miss
> total removes since starting: 0 hit, 0 miss
> 
> 
> There is also nothing in /var/lock/apache2:
> 
> ls -al /var/lock/apache2/
> total 0
> drwxr-xr-x 2 www-data root 40 Mar  8 12:54 .
> drwxrwxrwt 3 root root 60 Mar  4 17:35 ..
> 
> I would expect that there would be files with the names of the mutex type, 
> according to
> 
> "With the file-based mechanisms fcntl and flock, the path, if provided, is a 
> 

Re: [users@httpd] Apache virus scanning

2016-03-10 Thread Rubén Toribio Aldeguer
Thanks, this information is very useful for me too. What about an
antivirus on the server? Do you have any experience with it?

TX.

2016-03-09 21:22 GMT+01:00 Wei-min Lee :

> Using ICAP is a good way to go so that the person uploading files can be
> notified of upload fails due to the virus scan.  Relying on filesystem
> virus scans lacks visibility of quarantined/rejected files.
>
> On Wed, Mar 9, 2016 at 12:18 PM, Wei-min Lee 
> wrote:
>
>> You could use clamav via ICAP with squid transparently in front of apache.
>>
>> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP
>> http://squidclamav.darold.net/config.html
>>
>> http://louwrentius.com/setting-up-a-squid-proxy-with-clamav-anti-virus-using-c-icap.html
>>
>> On Wed, Mar 9, 2016 at 8:12 AM, Aurélien Terrestris <
>> aterrest...@gmail.com> wrote:
>>
>>> On a large scale prod (200 000 users/day), I was using proxies working
>>> with antivirus through ICAP protocol (RFC 3507). The results were pretty
>>> good.
>>> I am not sure we could use this technology with Apache, and ICAP seems a
>>> bit old now.
>>>
>>> 2016-03-09 16:45 GMT+01:00 Christopher Schultz <
>>> ch...@christopherschultz.net>:
>>>
 John,

 On 3/9/16 10:21 AM, Rose, John B wrote:
 > What about if your web sites allow for uploading files? Would you not
 want
 > to scan those on upload before they got on your filesystem?

 Sure, it would be nice to have the file scanned during upload, but I'm
 guessing that the AV can't give an opinion on a file until it's been
 completely-uploaded. In that case, do you really want to buffer the
 whole file in memory to scan it?

 I think the file is going to make it -- at least in part -- to the disk
 either way, unless you have other controls in place such as upload-size
 limits where you can make a good bet that in-memory scanning can be done
 without bringing-down your server.

 Anyhow, I don't have any particular experience with mod_clamav or
 anything like that. Certainly I wouldn't rely upon it solely, since
 there are other ways files can make it onto your server(s). But it
 probably couldn't hurt.

 Things I'd be worried about are which requests will be scanned by the
 AV? Will every single GET/POST/etc. be scanned? That might cause a
 significant impact on your response times. Also, the aforementioned
 buffering -- does the file have to remain in memory to be scanned, or
 will it be streamed to a disk somewhere first? You don't want AV-scans
 to bust your memory cap.

 -chris

 > On 3/9/16 9:49 AM, "Christopher Schultz" <
 ch...@christopherschultz.net>
 > wrote:
 >
 >> John,
 >>
 >> On 3/8/16 6:02 PM, Rose, John B wrote:
 >>> I am interested in both
 >>>
 >>> Thanks
 >>>
 >>> Sent from my iPad
 >>>
  On Mar 8, 2016, at 3:27 PM, Christopher Schultz
   wrote:
 
 >>> John
 >>>
 >> On 3/8/16 2:43 PM, Rose, John B wrote:
 >> Looking for comments on mod_clamav, and any other alternative
 >> antivirus software for Apache on linux
 >>>
 >>> Are you trying to protect your clients or your servers?
 >>
 >> I would imagine that running any AV software that monitors the
 >> filesystem for changes would be sufficient. Why do you think you
 need an
 >> httpd module for this?
 >>
 >> -chris
 >>


>>>
>>
>>
>> --
>> *~Wei-min Lee~*
>>
>
>
>
> --
> *~Wei-min Lee~*
>



-- 

*Rubén Toribio Aldeguer*
DataCenter Systems Technician
IT Systems Area
(+34) 971743030
www.riu.com / www.riuplaza.com
