>Number: 5089 >Category: general >Synopsis: Spawning childs up to MaxClients, decreasing traffic >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Fri Oct 1 07:30:01 PDT 1999 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.3.6 >Environment: Pentium III 450 256 MB RAM 1 Million hits per day linux 2.2.5 #6; SuSE gcc >Description: Big trouble with our Webserver
Lately strange things happen with our Server. We suddenly had a huge traffic breakdown. Netscapes status bar showed: "Connecting to.... waiting for reply" and after a while it worked (but slowly). Checking the server, I found that Apache spawned a lot of childs (up to the limit of MaxClients which we never reached before, even in high-traffic times!). First I thought that a CGI was hanging, but there was none. I restarted Apache and the access to our pages was normal again. But after a few minutes the amount of child-processes had climbed up to MaxClients-limit and the same thing occured, so I had to restart Apache again. After reaching MaxClient, Apache doesn´t seem to kill any childs anymore. Our main traffic is usually during the working hours (max between 10am and 2pm) but the problems start much earlier and last up to the late evening. At the moment, we restart Apache every 20 minutes, but this isn't a real solution. Any help would be highly appreciated. Our httpd.conf (with cuts) ----------- # This is the main server configuration file. See URL http://www.apache.org/ # for instructions. # Do NOT simply read the instructions in here without understanding # what they do, if you are unsure consult the online docs. You have been # warned. # Originally by Rob McCool ErrorDocument 404 /bad_url.html # Fehler in Java 1.0: #BrowserMatch Java1.0 force-response-1.0 #BrowserMatch JDK/1.0 force-response-1.0 # Meldung des Apache an Clients verkürzen ServerTokens OS # ServerType is either inetd, or standalone. ServerType standalone # If you are running from inetd, go to "ServerAdmin". # Port: The port the standalone listens to. For ports < 1023, you will # need httpd to be run as root initially. Port 80 ExtendedStatus on ## ## SSL Support ## ## When we also provide SSL we have to listen to the ## standard HTTP port (see above) and to the HTTPS port ## <IfDefine SSL> Listen 80 Listen 443 </IfDefine> #Redirect / http://www.as-informatik.de # HostnameLookups: Log the names of clients or just their IP numbers # e.g. www.apache.org (on) or 204.62.129.132 (off) HostnameLookups on # If you wish httpd to run as a different user or group, you must run # httpd as root initially and it will switch. # User/Group: The name (or #number) of the user/group to run httpd as. # On SCO (ODT 3) use User nouser and Group nogroup User wwwrun Group #-2 # ServerAdmin: Your address, where problems with the server should be # e-mailed. ServerAdmin [EMAIL PROTECTED] # ServerRoot: The directory the server's config, error, and log files # are kept in ServerRoot /httpd # BindAddress: You can support virtual hosts with this option. This option # is used to tell the server which IP address to listen to. It can either # contain "*", an IP address, or a fully qualified Internet domain name. # See also the VirtualHost directive. # BindAddress 192.168.255.99 # BindAddress 192.168.255.100 # Informationen ueber den benutzen Server und das Betriebssystem # hier: nur Servertyp mitschicken ServerTokens Min # ErrorLog: The location of the error log file. If this does not start # with /, ServerRoot is prepended to it. ErrorLog /var/log/httpd.error_log # TransferLog: The location of the transfer log file. If this does not # start with /, ServerRoot is prepended to it. TransferLog /var/log/httpd.access_log # The following directives define some format nicknames for use with # a CustomLog directive (see below). LogFormat "%h %l %u %t \"%r\" %s %b %{Referer}i \"%{User-Agent}i\"" mylog # PidFile: The file the server should log its pid to PidFile /var/run/httpd.pid LockFile /var/apache.accept.lock # ScoreBoardFile: File used to store internal server process information ScoreBoardFile /var/log/apache_status # ServerName allows you to set a host name which is sent back to clients for # your server if it's different than the one the program would get (i.e. use # "www" instead of the host's real name). # # Note: You cannot just invent host names and hope they work. The name you # define here must be a valid DNS name for your host. If you don't understand # this, ask your network administrator. # ServerName 192.168.255.99 # UseCanonicalName: (new for 1.3) With this setting turned on, whenever # Apache needs to construct a self-referencing URL (a url that refers back # to the server the response is coming from) it will use ServerName and # Port to form a "canonical" name. With this setting off, Apache will # use the hostname:port that the client supplied, when possible. This # also affects SERVER_NAME and SERVER_PORT in CGIs. UseCanonicalName on # CacheNegotiatedDocs: By default, Apache sends Pragma: no-cache with each # document that was negotiated on the basis of content. This asks proxy # servers not to cache the document. Uncommenting the following line disables # this behavior, and proxies will be allowed to cache the documents. #CacheNegotiatedDocs # Timeout: The number of seconds before receives and sends time out # n.b. the compiled default is 1200 (20 minutes !) Timeout 180 # KeepAlive: The number of Keep-Alive persistent requests to accept # per connection. Set to 0 to deactivate Keep-Alive support KeepAlive 10 # KeepAliveTimeout: Number of seconds to wait for the next request KeepAliveTimeout 5 # Server-pool size regulation. Rather than making you guess how many # server processes you need, Apache dynamically adapts to the load it # sees --- that is, it tries to maintain enough server processes to # handle the current load, plus a few spare servers to handle transient # load spikes (e.g., multiple simultaneous requests from a single # Netscape browser). # It does this by periodically checking how many servers are waiting # for a request. If there are fewer than MinSpareServers, it creates # a new spare. If there are more than MaxSpareServers, some of the # spares die off. These values are probably OK for most sites --- MinSpareServers 10 MaxSpareServers 20 # Number of servers to start --- should be a reasonable ballpark figure. StartServers 20 # Limit on total number of servers running, i.e., limit on the number # of clients who can simultaneously connect --- if this limit is ever # reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW. # It is intended mainly as a brake to keep a runaway server from taking # Unix with it as it spirals down... MaxClients 160 # MaxRequestsPerChild: the number of requests each child process is # allowed to process before the child dies. # The child will exit so as to avoid problems after prolonged use when # Apache (and maybe the libraries it uses) leak. On most systems, this # isn't really needed, but a few (such as Solaris) do have notable leaks # in the libraries. MaxRequestsPerChild 200 # Proxy Server directives. Uncomment the following line to # enable the proxy server: #ProxyRequests On # To enable the cache as well, edit and uncomment the following lines: #CacheRoot /usr/local/etc/httpd/proxy #CacheSize 5 #CacheGcInterval 4 #CacheMaxExpire 24 #CacheLastModifiedFactor 0.1 #CacheDefaultExpire 1 #NoCache adomain.com anotherdomain.edu joes.garage.com # Listen: Allows you to bind Apache to specific IP addresses and/or # ports, in addition to the default. See also the VirtualHost command #Listen 3000 #Listen 192.168.255.100:80 # Bug im ZMOD-Log-Modul: Der Hauptserver will auch ein Logfile haben # wir ignorieren dieses. ZModLog /dev/null ## ## SSL Support ## ## Note that all SSL options can apply to virtual hosts, which ## is where we are going to put them now. We disable SSL globally ## and enable only inside a virtual host only. ## <IfModule mod_ssl.c> # we disable SSL globally SSLDisable # configure the path/port for the SSL session cache server [RECOMMENDED]. # Additionally sets the session cache timeout, in seconds (set to 15 for # testing, use a higher value in real life) [RECOMMENDED] #SSLCacheServerPath /httpd/bin/ssl_gcache #SSLCacheServerPort 12345 SSLSessionCache none SSLSessionCacheTimeout 300 </IfModule> # VirtualHost: Allows the daemon to respond to requests for more than one # server address, if your server machine is configured to accept IP packets # for multiple addresses. This can be accomplished with the ifconfig # alias flag, or through kernel patches like VIF. # Any httpd.conf or srm.conf directive may go into a VirtualHost command. # See alto the BindAddress entry. #<VirtualHost www-2.bildschirmschoner.com> #ServerName www-2.bildschirmschoner.com #DocumentRoot /home/test-www #</VirtualHost> <VirtualHost 195.88.90.66> User ueltje group www ServerAdmin [EMAIL PROTECTED] DocumentRoot /home/ueltje/www DirectoryIndex index.html ServerName www.ueltje.de #ScriptAlias /cgi-bin/ /httpd/cgi-bin/ueltje/ ScriptAlias /cgi-bin/ /home/ueltje/cgi-bin/ #AgentLog /home/ueltje/log/agent #RefererLog /home/ueltje/log/referer ScriptLog /home/ueltje/log/script ErrorLog /home/ueltje/log/error TransferLog /home/ueltje/log/transfer AccessConfig /httpd/conf/ueltje.access LogFormat "%h %l %u %t \"%r\" %s %b %{Referer}i \"%{User-Agent}i\"" </VirtualHost> [cut: an other virtual host] [cut: an other virtual host] [cut: an other virtual host] [cut: an other virtual host] [cut: an other virtual host] [cut: an other virtual host] [cut: an other virtual host] [cut: an other virtual host] # # Wird fuer das ivw-ZMOD-Log benoetigt: Die Dummy-Grafik # <Location /cgi-bin/ivw> SetHandler ZModBlanky </Location> AddHandler server-parsed .html </VirtualHost> <VirtualHost 195.88.90.75> user objektf group www ScriptAlias /cgi-bin/ /home/objektf/cgi-bin/ ServerAdmin [EMAIL PROTECTED] DocumentRoot /home/objektf/www DirectoryIndex index.html ServerName www.objektform.de #ScriptAlias /cgi-bin/ /httpd/cgi-bin/schoner/ #RefererLog /home/schoner/log/referer ErrorLog /home/objektf/log/error TransferLog /home/objektf/log/transfer ScriptLog /home/objektf/log/scripts AccessConfig /httpd/conf/objektf.access LogFormat "%h %l %u %t \"%r\" %s %b %{Referer}i \"%{User-Agent}i\"" </VirtualHost> [cut: an other virtual host] [cut: an other virtual host] [cut: an other virtual host] [cut: an other virtual host] [cut: an other virtual host] [cut: an other virtual host] [cut: an other virtual host] <IfModule mod_ssl.c> <IfDefine SSL> <VirtualHost www.butterfinger.de:443> User butterf Group www # setup the general virtual server configuration DocumentRoot /home/butterf/www ServerName www.butterfinger.de ServerAdmin [EMAIL PROTECTED] DirectoryIndex index.html ErrorLog /home/butterf/log/error TransferLog /home/butterf/log/transfer ScriptAlias /cgi-bin/ /home/butterf/cgi-bin/ ScriptLog /home/butterf/log/scripts AccessConfig /httpd/conf/butterf.access LogFormat "%h %l %u %t \"%r\" %s %b %{Referer}i \"%{User-Agent}i\"" # enable SSL for this virtual host SSLEnable # this forbids access except when SSL is in use. Very handy for defending # against configuration errors that expose stuff that should be protected # SSLRequireSSL # point SSLCertificateFile at a PEM encoded certificate. If # the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. A test # certificate can be generated with ake certificate under # built time. [RECOMMENDED] #SSLCertificateFile /home/homer/asinfo/apache_1.3.1/conf/sslcerts/server.pem SSLCertificateFile /httpd/conf/butterf/sslcerts/cert.pem # if the key is not combined with the certificate, use this # directive to point at the key file. [OPTIONAL] SSLCertificateKeyFile /httpd/conf/butterf/sslcerts/key.pem # set the CA certificate verification path where # to find CA certificates for client authentication or # alternatively one huge file containing all of them # (file must be PEM encoded) [OPTIONAL] # Note: Inside SSLCACertificatePath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCACertificatePath conf/sslcerts #SSLCACertificateFile conf/sslcerts/ca.pem # set client verification level: [RECOMMENDED] # 0|none: no certificate is required # 1|optional: the client may present a valid certificate # 2|require: the client must present a valid certificate # 3|optional_no_ca: the client may present a valid certificate # but it is not required to have a valid CA SSLVerifyClient none # set how deeply to verify the certificate issuer chain # before deciding the certificate is not valid. [OPTIONAL] #SSLVerifyDepth 10 # list the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. [OPTIONAL] #SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA # these two can be used on a per-directory basis to require or # ban specific ciphers. Note that (at least in the current version) # SSL will not attempt to renegotiate if a cipher is banned # (or not required). [OPTIONAL] #SSLRequireCipher RC4-MD5 #SSLBanCipher RC4-MD5 # translate the client X.509 into a Basic Authorisation. # This means that the standard Auth/DBMAuth methods can be used for # access control. The user name is the e line' version of # the client's X.509 certificate. Note that no password is # obtained from the user. Every entry in the user file needs # this password: j31ZMTZzkVA'. [OPTIONAL] #SSLFakeBasicAuth # a home for miscellaneous rubbish generated by SSL. Much of it # is duplicated in the error log file. Put this somewhere where # it cannot be used for symlink attacks on a real server (i.e. # somewhere where only root can write). [RECOMMENDED] SSLLogFile /home/butterf/log/ssl_misc_log # define custom SSL logging [RECOMMENDED] CustomLog /home/butterf/log/ssl_log "%t %h %{version}c %{cipher}c %{subjectdn}c %{issuerdn}c </VirtualHost> </IfDefine> </IfModule> [cut: an other virtual host] [cut: an other virtual host] [cut: an other virtual host] [cut: an other virtual host] # Bildschirmschoner.de Dummy-SSL <IfModule mod_ssl.c> <IfDefine SSL> <VirtualHost www.bildschirmschoner.de:443> User schoner group www ServerAdmin [EMAIL PROTECTED] DocumentRoot /home/schoner/www DirectoryIndex index.html ServerName www.bildschirmschoner.de #ScriptAlias /cgi-bin/ /httpd/cgi-bin/schoner/ ScriptAlias /cgi-bin/ /home/schoner/cgi-bin/ #RefererLog /home/schoner/log/referer ErrorLog /home/schoner/log/error TransferLog /home/schoner/log/transfer ScriptLog /home/schoner/log/scripts AccessConfig /httpd/conf/schoner.access LogFormat "%h %l %u %t \"%r\" %s %b %{Referer}i \"%{User-Agent}i\"" ZModLog /home/schoner/log/zmod.log ZModSubPath /cgi-bin/ivw/ ZMODFormat ZMODS # # Wird fuer das ivw-ZMOD-Log benoetigt: Die Dummy-Grafik # <Location /cgi-bin/ivw> SetHandler ZModBlanky </Location> AddHandler server-parsed .html # enable SSL for this virtual host SSLEnable # this forbids access except when SSL is in use. Very handy for defending # against configuration errors that expose stuff that should be protected # SSLRequireSSL # point SSLCertificateFile at a PEM encoded certificate. If # the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. A test # certificate can be generated with ake certificate under # built time. [RECOMMENDED] #SSLCertificateFile /home/homer/asinfo/apache_1.3.1/conf/sslcerts/server.pem SSLCertificateFile /httpd/conf/schoner/sslcerts/cert.pem # if the key is not combined with the certificate, use this # directive to point at the key file. [OPTIONAL] SSLCertificateKeyFile /httpd/conf/schoner/sslcerts/key.pem # set the CA certificate verification path where # to find CA certificates for client authentication or # alternatively one huge file containing all of them # (file must be PEM encoded) [OPTIONAL] # Note: Inside SSLCACertificatePath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCACertificatePath conf/sslcerts #SSLCACertificateFile conf/sslcerts/ca.pem # set client verification level: [RECOMMENDED] # 0|none: no certificate is required # 1|optional: the client may present a valid certificate # 2|require: the client must present a valid certificate # 3|optional_no_ca: the client may present a valid certificate # but it is not required to have a valid CA SSLVerifyClient none # set how deeply to verify the certificate issuer chain # before deciding the certificate is not valid. [OPTIONAL] #SSLVerifyDepth 10 # list the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. [OPTIONAL] #SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA # these two can be used on a per-directory basis to require or # ban specific ciphers. Note that (at least in the current version) # SSL will not attempt to renegotiate if a cipher is banned # (or not required). [OPTIONAL] #SSLRequireCipher RC4-MD5 #SSLBanCipher RC4-MD5 # translate the client X.509 into a Basic Authorisation. # This means that the standard Auth/DBMAuth methods can be used for # access control. The user name is the e line' version of # the client's X.509 certificate. Note that no password is # obtained from the user. Every entry in the user file needs # this password: j31ZMTZzkVA'. [OPTIONAL] #SSLFakeBasicAuth # a home for miscellaneous rubbish generated by SSL. Much of it # is duplicated in the error log file. Put this somewhere where # it cannot be used for symlink attacks on a real server (i.e. # somewhere where only root can write). [RECOMMENDED] SSLLogFile /home/schoner/log/ssl_misc_log # define custom SSL logging [RECOMMENDED] CustomLog /home/schoner/log/ssl_log "%t %h %{version}c %{cipher}c %{subjectdn}c %{issuerdn}c </VirtualHost> </IfDefine> </IfModule> <VirtualHost _default_> Redirect temp / http://www.as-informatik.de/ </VirtualHost> [cut: an other virtual host] [cut: an other virtual host] >How-To-Repeat: >Fix: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include <[EMAIL PROTECTED]> in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]
