testing for connections with keep-alive property from modules
Hi, What's the recommended way to check for a connection having the property of being kept alive? I was expecting to see tests like c-keepalive == AP_CONN_KEEPALIVE but i see that mod_proxy.c is testing c-keepalives which is the incrementing counter of requests processed on that connection. Are those two tests equivalent and interchangeable? E.g. from 2.2.10's mod_proxy_http.c if ((r-proxyreq == PROXYREQ_REVERSE) (!c-keepalives) (apr_table_get(r-subprocess_env, proxy-initial-not-pooled))) { backend-close = 1; } regards |evin -- Kevin J Walters Morgan Stanley k...@ms.com 25 Cabot Square Tel: 020 7425 7886 Canary Wharf Fax: 020 7677 8504 London E14 4QA
Re: Mitigating the Slowloris DoS attack
M == Matthieu Estrade mestr...@apache.org writes: M More granular timeout and maybe adaptative timeout is also IMHO a good M way to improve resistance to this kind of attack. The current 1.3, 2.0 and 2.2 documentation is in agreement too! I believe the ssl module also takes its timeout value from this setting. It would be great if that was separately configurable too to cater for those intent on doing partial ssl handshakes. The TimeOut directive currently defines the amount of time Apache will wait for three things: 1. The total amount of time it takes to receive a GET request. 2. The amount of time between receipt of TCP packets on a POST or PUT request. 3. The amount of time between ACKs on transmissions of TCP packets in responses. We plan on making these separately configurable at some point down the road. The timer used to default to 1200 before 1.2, but has been lowered to 300 which is still far more than necessary in most situations. It is not set any lower by default because there may still be odd places in the code where the timer is not reset when a packet is sent. regards |evin -- Kevin J Walters Morgan Stanley k...@ms.com 25 Cabot Square Tel: 020 7425 7886 Canary Wharf Fax: 020 7677 8504 London E14 4QA
ap_process_child_status() and child pid exit signal logging
Hi, I've noticed that all versions of apache (1.3 to 2.2) will produce error log output like this, [Mon Jan 1 00:00:00 2009] [notice] child pid 12345 exit signal Segmentation fault (11) In the case of a segmentation fault or anything that produces a core dump this is a relatively serious error but it's only marked at notice level due to setting of APLOG_NOTICE in the code. I had a look in latest trunk version and i see ap_process_child_status() has moved into mpm_unix.c but no changes wrt this logging from the default: case. http://svn.apache.org/viewvc/httpd/httpd/trunk/server/mpm_unix.c?revision=808895view=markup#l388 Should this be increased in severity? APLOG_ERR? I can see the benefit for anyone grep'ing for or automatically scanning/processing logs for unexpected conditions based on the [severity] tag. The core dumps might be more severe because of their ability to consume large amounts of disk space, particularly for folk using unique core names. regards |evin -- Kevin J Walters Morgan Stanley k...@ms.com 25 Cabot Square Tel: 020 7425 7886 Canary Wharf Fax: 020 7056 6401 London E14 4QA
ap_reclaim_child_processes() and initialisation of waittime
Hi, I noticed this in 2.2.14 and trunk in ./httpd/server/mpm_unix.c - it looks unusual in the sense that waittime is initialised with an integer value rather than using apr_time_msec()? void ap_reclaim_child_processes(int terminate) { apr_time_t waittime = 1024 * 16; regards |evin -- Kevin J Walters Morgan Stanley k...@ms.com 25 Cabot Square Tel: 020 7425 7886 Canary Wharf Fax: 020 7056 6401 London E14 4QA
ap_reclaim_child_processes() and initialisation of waittime
K == Kevin J Walters writes: K I noticed this in 2.2.14 and trunk in ./httpd/server/mpm_unix.c - it K looks unusual in the sense that waittime is initialised with an K integer value rather than using apr_time_msec()? K void ap_reclaim_child_processes(int terminate) K { K apr_time_t waittime = 1024 * 16; Correction, I meant apr_time_from_msec() and perhaps its absence(**) from APR explains the above? I see there's an apr_time_make() which would be the next best thing. regards |evin ** looks like apr_time_from_msec appears in 1.4 http://svn.apache.org/viewvc?view=revisionrevision=706458 -- Kevin J Walters Morgan Stanley k...@ms.com 25 Cabot Square Tel: 020 7425 7886 Canary Wharf Fax: 020 7056 6401 London E14 4QA
non thread safe functions used in apache httpd project
Hi, Whilst looking at a thread safety issue in mod_fastcgi, i noticed there's some suspicious looking code in apache httpd project. server/mpm_common.c (2.2.17) has two functions ap_uname2id and ap_gname2id which call getpwnam and getgrnam, two non-reentrant functions. Comparing with typical apr code that tends to have an #ifdef to select function() vs function_r(). Perhaps ap_uname2id and ap_gname2id are not executed concurrently by the current code base but if these are general purpose functions they should be more cautious/safe? Has the whole apache httpd 2.x project been scanned for use of non-reentrant function calls? regards |evin -- Kevin J Walters Morgan Stanley k...@ms.com 25 Cabot Square Tel: 020 7425 7886 Canary Wharf Fax: 020 7056 6401 London E14 4QA