testing for connections with keep-alive property from modules

2009-06-23 Thread Kevin J Walters

Hi,

What's the recommended way to check for a connection having the
property of being kept alive?

I was expecting to see tests like c->keepalive == AP_CONN_KEEPALIVE
but I see that mod_proxy.c is testing c->keepalives which is the
incrementing counter of requests processed on that connection. Are
those two tests equivalent and interchangeable?

E.g. from 2.2.10's mod_proxy_http.c

    if ((r->proxyreq == PROXYREQ_REVERSE) && (!c->keepalives)
        && (apr_table_get(r->subprocess_env, "proxy-initial-not-pooled"))) {
        backend->close = 1;
    }


regards

|evin

-- 
Kevin J Walters  Morgan Stanley
k...@ms.com   25 Cabot Square
Tel: 020 7425 7886   Canary Wharf
Fax: 020 7677 8504   London E14 4QA


Re: Mitigating the Slowloris DoS attack

2009-06-24 Thread Kevin J Walters

>>>>> "M" == Matthieu Estrade <mestr...@apache.org> writes:

M> More granular timeout and maybe adaptative timeout is also IMHO a good
M> way to improve resistance to this kind of attack.

The current 1.3, 2.0 and 2.2 documentation is in agreement too!

I believe the ssl module also takes its timeout value from this
setting. It would be great if that was separately configurable too to
cater for those intent on doing partial ssl handshakes.


  The TimeOut directive currently defines the amount of time Apache will
  wait for three things:

   1. The total amount of time it takes to receive a GET request.
   2. The amount of time between receipt of TCP packets on a POST or PUT
      request.
   3. The amount of time between ACKs on transmissions of TCP packets in
      responses.

  We plan on making these separately configurable at some point down the
  road. The timer used to default to 1200 before 1.2, but has been
  lowered to 300 which is still far more than necessary in most
  situations. It is not set any lower by default because there may still
  be odd places in the code where the timer is not reset when a packet
  is sent. 


regards

|evin

-- 
Kevin J Walters  Morgan Stanley
k...@ms.com   25 Cabot Square
Tel: 020 7425 7886   Canary Wharf
Fax: 020 7677 8504   London E14 4QA
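
Added example, not part of the original post and not httpd code: a small C model of why one shared timer that restarts on every packet differs from separately configurable timers with an adaptive budget for the request header. The struct, function names, the 20-40 s budget and the 500 bytes/s rate are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: arrival time (seconds after accept) and size of each
 * chunk of request-header bytes a client sends. */
struct chunk { double t; size_t bytes; };

enum verdict { ACCEPTED, DROPPED_IDLE, DROPPED_HEADER_BUDGET };

/* One shared timer that restarts on every packet received. */
enum verdict single_timer(const struct chunk *c, size_t n, double idle)
{
    double last = 0.0;
    for (size_t i = 0; i < n; i++) {
        if (c[i].t - last > idle) return DROPPED_IDLE;
        last = c[i].t;
    }
    return ACCEPTED;
}

/* Separate timers: the idle timer above plus a budget for the whole header.
 * The budget starts at `initial` seconds and grows by bytes/min_rate per
 * chunk (the adaptive part), but never beyond `max` seconds. */
enum verdict granular_timers(const struct chunk *c, size_t n, double idle,
                             double initial, double max, double min_rate)
{
    double last = 0.0, deadline = initial;
    for (size_t i = 0; i < n; i++) {
        if (c[i].t - last > idle) return DROPPED_IDLE;
        if (c[i].t > deadline) return DROPPED_HEADER_BUDGET;
        deadline += (double)c[i].bytes / min_rate;
        if (deadline > max) deadline = max;
        last = c[i].t;
    }
    return ACCEPTED;
}

/* Constructed inputs: a client trickling 8-byte header lines every 250 s,
 * and an ordinary client sending its 400-byte header at once. */
const struct chunk SLOW[] = { {250, 8}, {500, 8}, {750, 8}, {1000, 8} };
const struct chunk NORMAL[] = { {0.05, 400} };

int main(void)
{
    printf("slow client: single=%d granular=%d\n", single_timer(SLOW, 4, 300),
           granular_timers(SLOW, 4, 300, 20, 40, 500));
    return 0;
}
```

With a 300 second timer the trickling client is never dropped by the single timer, while the header budget drops it at its first chunk and still accepts the ordinary client.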


ap_process_child_status() and child pid exit signal logging

2009-12-02 Thread Kevin J Walters

Hi,

I've noticed that all versions of apache (1.3 to 2.2) will produce
error log output like this,

[Mon Jan  1 00:00:00 2009] [notice] child pid 12345 exit signal Segmentation fault (11)

In the case of a segmentation fault or anything that produces a core
dump this is a relatively serious error but it's only marked at notice
level due to setting of APLOG_NOTICE in the code.

I had a look in latest trunk version and I see
ap_process_child_status() has moved into mpm_unix.c but no changes wrt
this logging from the default: case.

http://svn.apache.org/viewvc/httpd/httpd/trunk/server/mpm_unix.c?revision=808895&view=markup#l388

Should this be increased in severity?  APLOG_ERR?

I can see the benefit for anyone grep'ing for or automatically
scanning/processing logs for unexpected conditions based on the
[severity] tag. The core dumps might be more severe because of their
ability to consume large amounts of disk space, particularly for folk
using unique core names.


regards

|evin

-- 
Kevin J Walters  Morgan Stanley
k...@ms.com   25 Cabot Square
Tel: 020 7425 7886   Canary Wharf
Fax: 020 7056 6401   London E14 4QA
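
Added example, not part of the original post and not httpd code: a C scanner that picks out "child pid N exit signal" records by message text and counts how many a filter keeping only [error] and worse would drop. The function names are hypothetical; the first sample line is the one quoted in the post and the other three are constructed.

```c
#include <stdio.h>
#include <string.h>

struct child_exit { char level[16]; long pid; int signo; };

/* Parse one error_log line. Returns 1 and fills *out for a
 * "child pid N exit signal NAME (n)" record, 0 for anything else.
 * Text after "(n)", such as a coredump note, is ignored. */
int parse_child_exit(const char *line, struct child_exit *out)
{
    return sscanf(line,
                  "[%*[^]]] [%15[^]]] child pid %ld exit signal %*[^(](%d",
                  out->level, &out->pid, &out->signo) == 3;
}

/* 1 if a filter that keeps only [error] and worse would keep this level. */
int error_or_worse(const char *level)
{
    return !strcmp(level, "error") || !strcmp(level, "crit") ||
           !strcmp(level, "alert") || !strcmp(level, "emerg");
}

/* Count signal exits that a severity-only filter would silently drop. */
int missed_by_severity_filter(const char *const *lines, size_t n)
{
    struct child_exit ce;
    int missed = 0;
    for (size_t i = 0; i < n; i++)
        if (parse_child_exit(lines[i], &ce) && !error_or_worse(ce.level))
            missed++;
    return missed;
}

/* First line is the one quoted in the post; the rest are constructed. */
const char *const SAMPLE[] = {
    "[Mon Jan  1 00:00:00 2009] [notice] child pid 12345 exit signal Segmentation fault (11)",
    "[Mon Jan  1 00:00:01 2009] [error] [client 192.0.2.7] File does not exist: /var/www/x",
    "[Mon Jan  1 00:00:02 2009] [notice] caught SIGTERM, shutting down",
    "[Mon Jan  1 00:00:03 2009] [notice] child pid 12346 exit signal Bus error (7), possible coredump in /tmp",
};

int main(void)
{
    printf("signal exits below [error]: %d\n",
           missed_by_severity_filter(SAMPLE, 4));
    return 0;
}
```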


ap_reclaim_child_processes() and initialisation of waittime

2009-12-29 Thread Kevin J Walters

Hi,

I noticed this in 2.2.14 and trunk in ./httpd/server/mpm_unix.c - it
looks unusual in the sense that waittime is initialised with an
integer value rather than using apr_time_msec()?

    void ap_reclaim_child_processes(int terminate)
    {
        apr_time_t waittime = 1024 * 16;


regards

|evin

-- 
Kevin J Walters  Morgan Stanley
k...@ms.com   25 Cabot Square
Tel: 020 7425 7886   Canary Wharf
Fax: 020 7056 6401   London E14 4QA


ap_reclaim_child_processes() and initialisation of waittime

2009-12-29 Thread Kevin J Walters

>>>>> "K" == Kevin J Walters writes:

K> I noticed this in 2.2.14 and trunk in ./httpd/server/mpm_unix.c - it
K> looks unusual in the sense that waittime is initialised with an
K> integer value rather than using apr_time_msec()?

K> void ap_reclaim_child_processes(int terminate)
K> {
K>     apr_time_t waittime = 1024 * 16;

Correction, I meant apr_time_from_msec() and perhaps its absence(**)
from APR explains the above? I see there's an apr_time_make() which
would be the next best thing.


regards

|evin

** looks like apr_time_from_msec appears in 1.4
   
   http://svn.apache.org/viewvc?view=revision&revision=706458

-- 
Kevin J Walters  Morgan Stanley
k...@ms.com   25 Cabot Square
Tel: 020 7425 7886   Canary Wharf
Fax: 020 7056 6401   London E14 4QA


non thread safe functions used in apache httpd project

2011-01-12 Thread Kevin J Walters

Hi,

Whilst looking at a thread safety issue in mod_fastcgi, I noticed
there's some suspicious looking code in the apache httpd project.

server/mpm_common.c (2.2.17) has two functions ap_uname2id and
ap_gname2id which call getpwnam and getgrnam, two non-reentrant
functions.

Compare with typical apr code, which tends to have an #ifdef to
select function() vs function_r().

Perhaps ap_uname2id and ap_gname2id are not executed concurrently by
the current code base but if these are general purpose functions they
should be more cautious/safe?

Has the whole apache httpd 2.x project been scanned for use of
non-reentrant function calls?


regards

|evin

-- 
Kevin J Walters  Morgan Stanley
k...@ms.com   25 Cabot Square
Tel: 020 7425 7886   Canary Wharf
Fax: 020 7056 6401   London E14 4QA
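
Added example, not part of the original post and not httpd's ap_uname2id: a name-to-uid lookup written with the reentrant POSIX getpwnam_r(), which writes into a caller-supplied buffer instead of the static storage getpwnam() returns a pointer into. The function names uname2id_r and roundtrip_current_user are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve a user name to a uid without touching shared static storage.
 * The buffer is private to this call and grows while getpwnam_r() reports
 * ERANGE (entry too large for the buffer).
 * Returns the uid, or -1 if the name is unknown or the lookup failed. */
long long uname2id_r(const char *name)
{
    struct passwd pw, *result = NULL;
    size_t len = 1024;
    char *buf = NULL;
    int rc = ERANGE;

    while (rc == ERANGE && len <= (1u << 20)) {
        char *tmp = realloc(buf, len);
        if (tmp == NULL) { rc = ENOMEM; break; }
        buf = tmp;
        rc = getpwnam_r(name, &pw, buf, len, &result);
        len *= 2;
    }
    long long uid = (rc == 0 && result != NULL) ? (long long)result->pw_uid : -1;
    free(buf);
    return uid;
}

/* Self-check: map the current uid to its name and back again.
 * Returns 1 when consistent, or when the uid has no passwd entry. */
int roundtrip_current_user(void)
{
    struct passwd pw, *result = NULL;
    char buf[4096];
    if (getpwuid_r(geteuid(), &pw, buf, sizeof buf, &result) != 0 || result == NULL)
        return 1;
    return uname2id_r(result->pw_name) == (long long)geteuid();
}

int main(void)
{
    printf("root -> %lld\n", uname2id_r("root"));
    return 0;
}
```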