Re: SO_REUSEPORT
On Fri, Jun 5, 2015 at 5:11 PM, Eric Covener wrote: > I'm trying to review & understand how this affects process management for > things like MinSpareThreads/MaxSpareThreads e.g. > > -else if (idle_thread_count < min_spare_threads) { > +else if (idle_thread_count < min_spare_threads / num_buckets) { > /* terminate the free list */ > if (free_length == 0) { /* scoreboard is f > > -if (idle_thread_count > max_spare_threads) { > +if (idle_thread_count > max_spare_threads / num_buckets) { > /* Kill off one child */ > > If I wanted between 100 and 200 spare threads available to do some slow > stuff like proxy or CGI, would we really scale it back by the # of buckets > or am I misunderstanding? perform_idle_server_maintenance() is now called for each bucket in the main loop, so this won't change the number of threads maintained per loop.
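Review bot: min_spare_threads / num_buckets in the first hunk truncates if both operands are integers, so a MinSpareThreads value smaller than num_buckets gives a per-bucket threshold of 0 and idle_thread_count < 0 can never be true for that bucket. Consider rounding the quotient up or clamping it to at least 1, so that every bucket keeps a spare thread and the sum over buckets does not fall below the configured minimum.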
Re: ALPN patch comments
On Fri, Jun 5, 2015 at 8:39 AM Stefan Eissing wrote:

>
> > On 05.06.2015 at 01:37, Yann Ylavic wrote:
> >
> > On Fri, Jun 5, 2015 at 1:03 AM, Roy T. Fielding wrote:
> >>
> >> Hence, we might need a configurable way to ignore a client's ALPN, though I doubt that
> >> "SSLalpn off" is the right way to express that. Likewise, neither is SSLAlpnPreference.
> >> The server protocol(s) preference should be independent of the session/connection protocol.
> >> Our internal configuration and use of ALPN should be based on the overall configuration, not a
> >> configuration specific to the SSL code. Many configurations won't include ALPN.
> >
> > Maybe we can reuse the Protocol directive then...
>
> Something like the one below maybe. But this is 2.6/3.0 music. What do we do for 2.4?
>
> cheers, Stefan
> ——
> # Listen directives define which transport protocols are active
> Listen 443
> Listen 1234 ssh
>
> # Protocols lists the ALPN identifiers allowed on connections in preferred order
> # ProtocolTransports defaults to the union of transports the server listens to
> Protocols h2 spdy/3.1 http/1.1
> ProtocolTransports tls ssh clear
>
> # vhosts may limit this down or change order (but not extend it?)
>
> ServerName test1.example.org
> Protocols h2 http/1.1
> ProtocolTransports tls
>
>
> ServerName test2.example.org
> Protocols *
> ProtocolTransports ssh
>
>
> Modules with protocol support need to register the ALPN ids plus a callback at core where they become available at the base server? Callbacks are invoked for selected protocol with selected protocol id.
>

I think "Protocols" and moving the registration in the patch to the core is a good compromise. If the requirement anyone has interest in working on is h2 over tls, then at the moment the only effect will be driving the ALPN negotiation.
Re: SO_REUSEPORT
I'm trying to review & understand how this affects process management for things like MinSpareThreads/MaxSpareThreads e.g. -else if (idle_thread_count < min_spare_threads) { +else if (idle_thread_count < min_spare_threads / num_buckets) { /* terminate the free list */ if (free_length == 0) { /* scoreboard is f -if (idle_thread_count > max_spare_threads) { +if (idle_thread_count > max_spare_threads / num_buckets) { /* Kill off one child */ If I wanted between 100 and 200 spare threads available to do some slow stuff like proxy or CGI, would we really scale it back by the # of buckets or am I misunderstanding? On Sun, May 17, 2015 at 4:31 PM Lu, Yingqi wrote: > Hi Yann, > > Thank you very much for your help! > > Yingqi > > -Original Message- > From: Yann Ylavic [mailto:ylavic@gmail.com] > Sent: Saturday, May 16, 2015 3:37 AM > To: httpd > Subject: Re: SO_REUSEPORT > > On Fri, May 15, 2015 at 5:12 PM, Jeff Trawick wrote: > > On Fri, May 15, 2015 at 11:02 AM, William A Rowe Jr > > > wrote: > >> > >> My chief concern was that the phrase "Common Log" has a specific meaning > >> to us. > >> > >> ap_mpm_common_log_startup() or something else descriptive would be a > >> better name, but our crew is famous for not being terrific namers of > things > >> :) > >> > >> Did this compile with no warnings? It seems statics were used without > >> being explicitly initialized, and I don't have my copy of K&R to check > that > >> these are always NULL, but guessing that's so. > > > > > > yes; but ISTR that NetWare is the reason for explicit initialization in > some > > of our multi-platform code; I dunno the rhyme > > s/ap_log_common/ap_log_mpm_common/ in r1679714 and added to backport > proposal. 
>
> Regarding globals/statics explicit initializations (implicit
> initialization to {0} is required by the C standard), I don't think it
> is necessary/suitable since it may move these variables from the
> .bss to the .data section, the former being quicker to initialize (as
> a whole) at load time (though explicit initializations to {0} usually
> go to .bss too but it depends on the compiler and/or flags, and we
> don't explicitly need .data for those).
> So I did not change the code wrt this...
>
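Review bot: the second hunk's idle_thread_count > max_spare_threads / num_buckets carries no comment saying that the comparison now applies per bucket (the reply in this thread notes that perform_idle_server_maintenance() is called once for each bucket), and without that the division reads as a cut to the configured limit. A one-line comment above the comparison would settle it. If the operands are integers, a MaxSpareThreads value below num_buckets also truncates to 0, so any idle thread reaches the "Kill off one child" branch; a lower bound of 1 on the quotient would avoid that.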
Re: ALPN patch comments
> On 05.06.2015 at 01:37, Yann Ylavic wrote:
>
> On Fri, Jun 5, 2015 at 1:03 AM, Roy T. Fielding wrote:
>>
>> Hence, we might need a configurable way to ignore a client's ALPN, though I doubt that
>> "SSLalpn off" is the right way to express that. Likewise, neither is SSLAlpnPreference.
>> The server protocol(s) preference should be independent of the session/connection protocol.
>> Our internal configuration and use of ALPN should be based on the overall configuration, not a
>> configuration specific to the SSL code. Many configurations won't include ALPN.
>
> Maybe we can reuse the Protocol directive then...

Something like the one below maybe. But this is 2.6/3.0 music. What do we do for 2.4?

cheers, Stefan
——
# Listen directives define which transport protocols are active
Listen 443
Listen 1234 ssh

# Protocols lists the ALPN identifiers allowed on connections in preferred order
# ProtocolTransports defaults to the union of transports the server listens to
Protocols h2 spdy/3.1 http/1.1
ProtocolTransports tls ssh clear

# vhosts may limit this down or change order (but not extend it?)

ServerName test1.example.org
Protocols h2 http/1.1
ProtocolTransports tls

ServerName test2.example.org
Protocols *
ProtocolTransports ssh

Modules with protocol support need to register the ALPN ids plus a callback at core where they become available at the base server? Callbacks are invoked for selected protocol with selected protocol id.

bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782
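Added example, not code from httpd or from anyone in this thread: a C sketch of what "Protocols in preferred order" and "vhosts may limit this down or change order (but not extend it?)" would mean when the server answers a client's ALPN offer. The function names, the `not-in-base` entry, the sample offer and the rule that a vhost can never extend the base list are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Choose the first server-preferred protocol the client also offered.
 * `wire` is the body of the client's ALPN protocol list: repeated
 * [1-byte length][name]. Returns NULL on no overlap or a malformed list. */
const char *alpn_select(const char *const *prefs, size_t nprefs,
                        const unsigned char *wire, size_t wire_len)
{
    size_t i, off;
    /* Validate first: reject empty names and entries past the buffer end. */
    for (off = 0; off < wire_len; off += 1 + wire[off])
        if (wire[off] == 0 || wire[off] > wire_len - off - 1)
            return NULL;
    for (i = 0; i < nprefs; i++) {          /* server order decides */
        size_t plen = strlen(prefs[i]);
        for (off = 0; off < wire_len; off += 1 + wire[off])
            if (wire[off] == plen && !memcmp(wire + off + 1, prefs[i], plen))
                return prefs[i];
    }
    return NULL;
}

/* Effective list for a vhost, kept in the vhost's order but dropping
 * anything the base server does not list (assumption: a vhost may
 * narrow or reorder, never extend). `out` needs room for nvhost entries. */
size_t vhost_protocols(const char *const *base, size_t nbase,
                       const char *const *vhost, size_t nvhost, const char **out)
{
    size_t i, j, n = 0;
    for (i = 0; i < nvhost; i++)
        for (j = 0; j < nbase; j++)
            if (strcmp(vhost[i], base[j]) == 0) { out[n++] = vhost[i]; break; }
    return n;
}

int main(void)
{
    /* Constructed sample: client offers http/1.1 first, then h2. */
    const char *base[] = { "h2", "spdy/3.1", "http/1.1" };
    const char *vhost[] = { "http/1.1", "h2", "not-in-base" };
    const unsigned char offer[] = "\x08http/1.1\x02h2";
    const char *eff[3];
    size_t n = vhost_protocols(base, 3, vhost, 3, eff);
    const char *a = alpn_select(base, 3, offer, sizeof offer - 1);
    const char *b = alpn_select(eff, n, offer, sizeof offer - 1);
    printf("base: %s, vhost: %s\n", a ? a : "(none)", b ? b : "(none)");
    return 0;
}
```

With the base list the server's order wins over the client's, and the vhost's reordered list changes the outcome for the same offer.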
Re: httpd and OpenSSL 1.0.2
Along the lines of "to be continued" - IMHO httpd should be one of the early adopters of not allowing linkage to versions of openssl that cannot support TLS1.2.

I have built (on AIX) against libreSSL (v2.1.6) with some private additions for AIX (that will be verified and improved upon by openbsd in the soon to be released libreSSL 2.2 version).

Basically, there are only two defines that were 'missing'. One was rather 'obscure' in what it is supposed to be doing (i.e., looking in the openssl code) - the other was downright 'dangerous' because it permits 'any external so-called entropy generator' to be added and used for randomness - because it is, or at least was, part of the openSSL libraries. (the approach of libreSSL was to completely remove it, hence a missing #define).

Again - to be continued. and asap - in a separate post I will post the differences to get it to link against libreSSL (p.s. only mod_ssl needs this afaik).

On Wed, May 27, 2015 at 3:29 PM, Tom Browder wrote:

> On May 27, 2015 5:26 AM, "Mario Brandt" wrote:
> > Hi Tom,
> > I saw you on the httpd dev mailing list about that topic. How did you
> > manage to build apache against 1.0.2?
> >
> > Cause if I try that I get in my VM
> >
> > /opt/apache2/modules/mod_ssl.so: undefined symbol: SSL_CONF_CTX_finish
> >
> > or on my real server
> >
> > /opt/apache2/modules/mod_ssl.so: undefined symbol: SSL_CONF_CTX_free
> >
> > OpenSSL
> > ./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared no-ssl2
> > make depend
> > make
> > sudo make install
> >
> >
> > apache
> > ./configure --prefix=/opt/apache2 --enable-pie
> > --enable-mods-shared=all --enable-so --disable-include --enable-lua
> > --enable-deflate --enable-headers --enable-expires --enable-ssl=shared
> > --enable-mpms-shared=all --with-mpm=event --enable-rewrite
> > --with-z=$HOME/apache24/httpd-2.4.12/srclib/zlib --enable-module=ssl
> > --enable-fcgid --with-included-apr
> > --with-openssl=$HOME/apache24/openssl-1.0.2a
> > --enable-ssl-staticlib-deps
> >
> > with the 1.0.1m it works all fine
> > see https://github.com/JBlond/debian_build_apache24/blob/master/build_apache.sh
> >
> >
> > Please tell me how you got it working.
>
> Mario, I did get it working, but I did have a bit more effort to make
> the latest openssl work. Taking a quick look at your blog I believe I
> can help, but I'll explain my solution in a follow-up message so this
> thread is on the public mailing lists.
>
> I feel I must explain that I'm using a Debian 7, 64-bit server. It
> might help if we could know your server info as other architectures
> may require more or other tweaks.
>
> Finally, the best I can probably do is show you my configure options
> which may conflict with yours.
>
> TO BE CONTINUED
>
> Best regards,
>
> -Tom
>