mpm worker and mod_cgi
Hi, I am compiling mod_cgi with apxs outside the httpd-2.2.9 source tree. When I choose --with-mpm=prefork this works fine, but when I use --with-mpm=worker it seems not to use the implementation in the module at all (the cgi_handler hook method is never called, but CGI applications seem to work fine). In both cases I configure httpd with --disable-cgi. Am I doing something wrong, or is there something special about CGI for the worker mpm? Thank you, Andrej
SSL toolkit detection in acinclude.m4
While investigating PR46018 I came across the following in acinclude.m4 dnl Run header and version checks saved_CPPFLAGS=$CPPFLAGS saved_LIBS=$LIBS if test x$ap_ssltk_base != x; then APR_ADDTO(CPPFLAGS, [-I$ap_ssltk_base/include]) APR_ADDTO(INCLUDES, [-I$ap_ssltk_base/include]) APR_ADDTO(LDFLAGS, [-L$ap_ssltk_base/lib]) Is there any reason why we only save / restore CPPFLAGS and LIBS and not INCLUDES and LDFLAGS which are also modified? The next thing I don't get is why we do not add `$apr_config --libs` to LIBS any longer (since r669924). This causes -ldl to miss and thus the checks to fail (I guess only if there is no pkgconfig file). Regards RĂ¼diger
Save the DOLLAR
Petition : Save the DOLLAR http://answers.yahoo.com/question/index?qid=20081016021357AAsrnFRr=w I'm asking the geeks, because the politicians and bankers dont know what the hell they doing... Dont answer here... go to the link. Thanks --- HARBOR : http://www.kewlstuff.co.za/index.htm The most powerful application server on earth. The only real POJO Application Server. See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm --- If you cant pay in gold... get lost... http://coolharbor.100free.com/debt/usadebt.htm
Re: strange usage pattern for child processes
On 10/15/08 6:56 PM, Graham Leggett [EMAIL PROTECTED] wrote: Obviously, if the loop comes round more than once, then the client comes into play. This definitely needs to be fixed, it is a big performance issue. Could a more general purpose optimization be done? I was thinking of a generic store and forward filter. Basically, just dump the entire brigade into some storage (memory, file) in a loop (like deflate sorta does) without sending to client at all until the response is finished. This would work for proxy, php, some strange handler, etc. A small test I did was a module had a filter that just dumped all the brigade contents into a temp file. When it saw EOS, it would then send the complete file to the client (via sendfile, mmap, etc..) and remove the tempfile. Almost like an in process X-Sendfile. This very rudimentary module increased overall throughput of some large SSI files by about 20% and completely shielded origin servers from clients in some proxy tests. It also did not consume very much memory (although I was writing the temp files into /dev/shm on Linux). Basic logic - I ignored flush and meta buckets in my tests: while (!APR_BRIGADE_EMPTY(bb)) { e = APR_BRIGADE_FIRST(bb); if (APR_BUCKET_IS_EOS(e)) { create a file bucket with the tempfile and send it along tempfile was opened with APR_DELONCLOSE } else { apr_bucket_read(e, write content to temp file } apr_bucket_delete(e); } apr_brigade_cleanup(bb); return APR_SUCCESS; -- Brian Akins Chief Operations Engineer Turner Digital Media Technologies
Re: [VOTE] Release Apache HTTP server 2.2.10
Den Friday 10 October 2008 16:36:02 skrev Jim Jagielski: For some unknown reason I suddenly get some failed tests on Mandriva Cooker, it worked fine 2008-10-10 (!?) t/modules/digestNOK 6/13# Failed test 6 in t/modules/digest.t at line 84 t/modules/digestNOK 7/13# Failed test 7 in t/modules/digest.t at line 96 t/modules/digestNOK 8/13# Failed test 8 in t/modules/digest.t at line 106 t/modules/digestNOK 11/13# Failed test 11 in t/modules/digest.t at line 141 t/modules/digestNOK 12/13# Failed test 12 in t/modules/digest.t at line 152 t/modules/digestFAILED tests 6-8, 11-12 -- Regards // Oden Eriksson
Re: SSL toolkit detection in acinclude.m4
Ruediger Pluem wrote: While investigating PR46018 I came across the following in acinclude.m4 dnl Run header and version checks saved_CPPFLAGS=$CPPFLAGS saved_LIBS=$LIBS if test x$ap_ssltk_base != x; then APR_ADDTO(CPPFLAGS, [-I$ap_ssltk_base/include]) APR_ADDTO(INCLUDES, [-I$ap_ssltk_base/include]) APR_ADDTO(LDFLAGS, [-L$ap_ssltk_base/lib]) Is there any reason why we only save / restore CPPFLAGS and LIBS and not INCLUDES and LDFLAGS which are also modified? The next thing I don't get is why we do not add `$apr_config --libs` to LIBS any longer (since r669924). This causes -ldl to miss and thus the checks to fail (I guess only if there is no pkgconfig file). Yes, I ran into a similar issue, when compiling 2.2.10 against static openssl libs on Solaris, having no pkgconfig. Then you need to add -ldl, -lnsl, -lsocket during the configure tests, because otherwise tehy fail. That was not necessary until 2.2.9. Regards, Rainer
Re: [VOTE] Release Apache HTTP server 2.2.10
On Oct 16, 2008, at 6:07 AM, Oden Eriksson wrote: For some unknown reason I suddenly get some failed tests on Mandriva Cooker, it worked fine 2008-10-10 (!?) I saw that on my Solaris x86 VM, but it happened across the board against 2.2.9 and the 2.2.10 rc. And, I didn't see it on either Ubuntu or my Mac so I'm blaming staleness in the Perl setup on that Solaris install. S. -- Sander Temme [EMAIL PROTECTED] PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF smime.p7s Description: S/MIME cryptographic signature
Re: strange usage pattern for child processes
Ruediger Pluem wrote: This is a pity, because then it will become much harder to debug this issue. Any chance you get shell access or that you can instruct the administrators in the service company to get the needed information for you? Getting shell access is very unlikely ... However, initial tests using mod_disk_cache have been very good. The performance of mod_mem_cache compared to mod_disk_cache is just very bad ... It seems the main issue is/was that under high load the child process(es) of Apache just starve while trying to read something from the mem cache or to write something to it. But well, without access to the box I couldn't really dig into what exactly is happening in such a case. Ok. MaxSpareThreads is set to 75 with ThreadsPerChild 256. This means that StartServers 3 is pointless because after starting *one* process we already have way too much spare threads *overall*. So the other 2 processes will get killed immediately :-). Yes you are right, I missed that MaxSpareThreads applies to all child processes. But I didn't wrote the config. ;-) However, I still find it a bit odd that we actually use only a single process and only start using threads of another child process once all threads of the other process are busy. Wouldn't it make more sense to keep spare threads in all child processes instead of just one? Especially if the config has low MaxRequestsPerChild limit. Or am I missing something? ciao... -- Lars Eilebrecht [EMAIL PROTECTED]
Re: strange usage pattern for child processes
On 10/16/2008 02:35 PM, Lars Eilebrecht wrote: Ruediger Pluem wrote: This is a pity, because then it will become much harder to debug this issue. Any chance you get shell access or that you can instruct the administrators in the service company to get the needed information for you? Getting shell access is very unlikely ... However, initial tests using mod_disk_cache have been very good. The performance of mod_mem_cache compared to mod_disk_cache is just very bad ... It seems the main issue is/was that under high load the child process(es) of Apache just starve while trying to read something from the mem cache or to write something to it. But well, without access to the box I couldn't really dig into what exactly is happening in such a case. Maybe while writing as mod_mem_cache needs to do locking over all threads during several processing phases. Ok. MaxSpareThreads is set to 75 with ThreadsPerChild 256. This means that StartServers 3 is pointless because after starting *one* process we already have way too much spare threads *overall*. So the other 2 processes will get killed immediately :-). Yes you are right, I missed that MaxSpareThreads applies to all child processes. But I didn't wrote the config. ;-) I have not assumed that you wrote the config :-). However, I still find it a bit odd that we actually use only a single process and only start using threads of another child process once all threads of the other process are busy. Wouldn't it make more sense to keep spare threads in all child processes instead of just one? Especially if the config has low MaxRequestsPerChild limit. Or am I missing something? Two points that can happen: 1. Because of the configuration you only have one process started. Once it reaches MinSpareThreads it starts a second one. Depending on the request types the first process still has a lot of keepalive connections and thus is more busy than the second process. 2. Unfair lock handling on OS side. Each process tries to get the accept mutex. If getting the lock is not fairly distributed over the two processes then one process has to handle more connections than the other one. Given the MaxRequestsPerChild limit (why is there one at all), the configuration is especially unfortunate as if there is only one process there are times where httpd does not accept new connections at all until it has started an additional process. So MPM settings should be in a way that they allow an idle system to run more than one process. But, who I am a telling, you didn't wrote the config :-). Regards RĂ¼diger
Re: svn commit: r704883 - /httpd/httpd/trunk/Apache.dsw
Tom Donovan wrote: William A. Rowe, Jr. wrote: [EMAIL PROTECTED] wrote: Author: tdonovan Date: Wed Oct 15 05:24:25 2008 New Revision: 704883 URL: http://svn.apache.org/viewvc?rev=704883view=rev Log: Windows: add apr_dbd_odbc project to Visual Studio workspace .dsw file Hmmm? Guess I'm confused, we trigger _try_dbd in Makefile.win for the BuildBin target. We could default to building this as a dependency but it really isn't needed if _try_dbd sees a default odbc list, which could be a simple ifndef test of DBD_LIST. More likely I'm the one confused. You are correct, this change isn't necessary for either a command-line build using the generated .mak files (from the Windows .zip distribution), or for an IDE build. _try_dbd works as you describe and it builds the odbc driver for the BuildBin target. If there are no .mak files, the symbol USEDSW=1 is defined; then the build uses: msdev Apache.dsw /USEENV /MAKE apr_dbd_odbc - Win32 $(LONG) which fails without an apr_dbd_odbc project in Apache.dsw. This can happen if the source is from a snapshot or from svn, instead of from the Windows source .zip file. It also seemed odd in the IDE to see a project for each of the other dbd drivers, but no project for odbc. I couldn't see any disadvantage to having an apr_dbd_odbc project in Apache.dsw, but maybe I'm missing something. HA! Yes I was confused, too. apr_dbd_odbc must be added as a project. It does not become a -dependency- of any particular target. We'll always build it; we could leave it out of the _try_dbd default list. But since we can't imagine many users ever inspecting or changing that code and recompiling it with local changes, the _try_dbd solution is likely the simplest. At some point, it would be nice to add some decision making so that the others, beyond odbc, can be detected if they just reside somewhere in the LIB and INCLUDE paths :)
[ANNOUNCEMENT] Apache HTTP Server 2.2.10 Released
Apache HTTP Server 2.2.10 Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.10 of the Apache HTTP Server (Apache). This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed: * CVE-2008-2939 (cve.mitre.org) mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of the FTP URL. Discovered by Marc Bevand of Rapid7. We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade. Apache HTTP Server 2.2.10 is available for download from: http://httpd.apache.org/download.cgi Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see: http://httpd.apache.org/docs/2.2/new_features_2_2.html Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.10 provides the complete list of changes since 2.2.9. A summary of security vulnerabilities which were addressed in the previous 2.2.9 and earlier releases is available: http://httpd.apache.org/security/vulnerabilities_22.html Apache HTTP Server 1.3.41 and 2.0.63 legacy releases are also currently available. See the appropriate CHANGES from the url above. See the corresponding CHANGES files linked from the download page. The Apache HTTP Project developers strongly encourage all users to migrate to Apache 2.2, as only limited maintenance is performed on these legacy versions. This release includes the Apache Portable Runtime (APR) version 1.3.0 bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv) must all be updated to ensure binary compatibility and address many known platform bugs. This release builds on and extends the Apache 2.0 API. Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, and require minimal or no source code changes. http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
Re: svn commit: r705361 - in /httpd/httpd/trunk/modules/aaa: mod_authz_dbd.c mod_authz_dbm.c mod_authz_groupfile.c mod_authz_owner.c mod_authz_user.c
On Thu, Oct 16, 2008 at 5:09 PM, [EMAIL PROTECTED] wrote: NOTE: I can't test mod_authnz_ldap.c myself, so I'm not sure if it needs similar fixes. On the one hand, a NULL r-user in the authz handlers always generates a log message. However, it appears that authn_ldap_build_filter() will sometimes then be called, perform no action, which may result in a possibly uninitialized filtbuf buffer being passed to util_ldap_cache_getuserdn(). I don't know if that could cause problems in the LDAP cache code. If someone familiar with LDAP authz could take a look, that would be much appreciated. IIUC mod_authnz_ldap would follow the pattern of the modules in your commit and not mod_authz_host. Authorization in LDAP has a special path for when authentication wasn't handled by mod_authnz_ldap, but r-user still may be mappable to an DN on the LDAP server. Net, it can't do anything useful without r-user. This short-circuit should be possible well before the problematic functions you mention. -- Eric Covener [EMAIL PROTECTED]