RE: Problems with Apache SSL under load

2003-12-12 Thread Dale Weaver

THANK YOU!!  I just missed it!  It was still set to the default (450).  

Should work much better now.  

Thanks again to all who responded.  I think this is the solution.
Won't know for sure until the next wave hits.

I guess I should be nominated for a bonehead award. ;)

-----

Dale Weaver   [EMAIL PROTECTED]
UNIX Systems Administrator   (919) 662-3508
Wake Technical Community College  fax (919) 662-3504

On Fri, 12 Dec 2003, Jorge Carrizo wrote:

> changing max proc per user might help, say to 1000
> 
> chdev -l sys0 -a maxuproc='1000'
> 
> for AIX 4.3.3.0
> 
> HTH
> jorge
> 
> --- Boyle Owen <[EMAIL PROTECTED]> wrote:
> > -Original Message-
> > > From: Dale Weaver [mailto:[EMAIL PROTECTED]
> > >
> > > I have Apache 1.3.27 compiled with mod SSL using openssl 0.9.6.g
> > > OS=AIX 5.1.
> > >
> > > The SSL site stops executing CGI scripts when load gets a little
> > > high.  I checked the process list and found 106 httpd servers running.
> > > System loads at the UNIX level were nominal (< 0.8).
> > >
> > > I get tons of the following error in my error logs:
> > >
> > > [Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar1
> > > [Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar2
> > > [Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/register.cgi
> >
> > Might be to do with system resources like file descriptors or
> > semaphores. I'm afraid I don't know where to check these on AIX...
> >
> > Rgds,
> > Owen Boyle
> > Disclaimer: Any disclaimer attached to this message may be ignored.
> >
> > >
> > > HTML page responses are still very fast even with the errors.
> > >
> > > Problem does not occur when number of Apache servers < 70.
> > >
> > > This is not a great deal of load.  The hardware is capable of handling
> > > a lot more than that.
> > >
> > > Can someone point me in the right direction?  Help is greatly
> > > appreciated.
> > > Server configs available on request.  Don't want to send large
> > > stuff over the list.
> > >
> > > Thanks.
> > >
> > > -----
> > >
> > > Dale Weaver   [EMAIL PROTECTED]
> > > UNIX Systems Administrator   (919) 662-3508
> > > Wake Technical Community College  fax (919) 662-3504

Problems with Apache SSL under load

2003-12-11 Thread Dale Weaver

I have Apache 1.3.27 compiled with mod SSL using openssl 0.9.6.g
OS=AIX 5.1.

The SSL site stops executing CGI scripts when load gets a little 
high.  I checked the process list and found 106 httpd servers running.
System loads at the UNIX level were nominal (< 0.8).

I get tons of the following error in my error logs:

[Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar1
[Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar2
[Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/register.cgi

HTML page responses are still very fast even with the errors.

Problem does not occur when number of Apache servers < 70.

This is not a great deal of load.  The hardware is capable of handling
a lot more than that.

Can someone point me in the right direction?  Help is greatly appreciated.
Server configs available on request.  Don't want to send large stuff over
the list.

Thanks.

-----

Dale Weaver   [EMAIL PROTECTED]
UNIX Systems Administrator   (919) 662-3508
Wake Technical Community College  fax (919) 662-3504

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
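
The failure mode in this thread (CGI forks failing with errno 11 once a per-user process limit such as AIX `maxuproc` is reached) can be confirmed from the error log and the process table before the next load peak. The sketch below is an added example, not code from the thread or from Apache; the `nobody` account, the limit of 128 and the process counts are constructed, and on AIX the real limit can be read with `lsattr -E -l sys0 -a maxuproc`.

```python
import re
from collections import Counter

# Apache 1.3 error_log entry for a CGI fork that failed with errno 11,
# in the format quoted in the post (the client address is blank there).
SPAWN_FAIL = re.compile(
    r"^\[[^\]]+\] \[error\] \[client [^\]]*\] \(11\)Resource temporarily "
    r"unavailable: couldn't spawn child process: (?P<script>\S+)$"
)

def spawn_failures(log_lines):
    """Count failed CGI spawns per script path."""
    hits = Counter()
    for line in log_lines:
        m = SPAWN_FAIL.match(line.strip())
        if m:
            hits[m.group("script")] += 1
    return hits

def users_near_limit(ps_users, maxuproc, reserve=10):
    """Map each non-root user with fewer than `reserve` process slots left
    to the slots remaining (root is assumed exempt from the limit)."""
    counts = Counter(u for u in ps_users if u != "root")
    return {u: maxuproc - n for u, n in counts.items() if maxuproc - n < reserve}

# The first three entries are from the post; the last is constructed noise.
SAMPLE_LOG = [
    "[Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily "
    "unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar1",
    "[Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily "
    "unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar2",
    "[Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily "
    "unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/register.cgi",
    "[Thu Dec 11 06:00:01 2003] [error] [client ] File does not exist: "
    "/usr/local/apache/ssldocs/favicon.ico",
]

# Constructed owner column, e.g. from `ps -e -o user=`: one root parent plus
# 105 httpd children and 20 running CGI scripts under the assumed "nobody".
SAMPLE_PS_USERS = ["root"] + ["nobody"] * 125
SAMPLE_MAXUPROC = 128  # constructed value, not the poster's setting

if __name__ == "__main__":
    print(dict(spawn_failures(SAMPLE_LOG)))
    print(users_near_limit(SAMPLE_PS_USERS, SAMPLE_MAXUPROC))
```

Because every httpd child and every CGI script it forks run under the same account, the headroom figure shrinks with both the number of servers and the number of scripts per page.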


Server Load problems under heavy SSL traffic

2002-12-12 Thread Dale Weaver
We are experiencing problems under heavy traffic to our SSL site.
I have read the FAQ on performance and have decided to switch to
shmcb caching, but I don't know if that will help the problem.

With about 300 concurrent users the server loads skyrocket and the
server no longer spawns child processes for CGI scripts.  I have the
Apache 1.3.27 server set up for 4096 concurrent connections and have
made all the suggested performance tuning measures suggested on the
Apache site.  This problem does not occur on the non-ssl site which
has significantly more traffic.

Can anyone offer any insight into this problem?  Here are my specs:

AIX 4.3.3 Dual Processor F40 w/ 1GB RAM 2GB SWAP
Apache with mod_ssl (compiled in) 1.3.27-2.8.11
Openssl 0.9.6g

from httpd.conf:


DocumentRoot "/usr/local/apache/ssldocs"
ServerName hostname
ServerAdmin me
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
ScriptAlias /cgi-bin/ "/usr/local/apache/sslcgi/"

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /usr/local/apache/conf/ssl.crt/public.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/private.key
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/intermediate.crt
SSLVerifyClient none
SSLVerifyDepth  10


   SSLOptions +StdEnvVars


   SSLOptions +StdEnvVars


SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog /usr/local/apache/logs/ssl_request_log \
 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



Any help is appreciated.

---------
Dale Weaver   [EMAIL PROTECTED]





RE: How to disable part of the HTTP pages?

2002-06-11 Thread Dale Weaver


I believe it is more accurate to redirect.  It causes less 
confusion:


ServerName  whatever
Redirect  permanent / https://whatever


Avoids confusion and irritation on the part of site visitors.

-

When a true genius appears in the world, you may know him by
this sign; that the dunces are all in confederacy against him. 
-- Jonathan Swift 
___

Dale Weaver   [EMAIL PROTECTED]
UNIX Systems Administrator   (919) 662-3508
Wake Technical Community College  fax (919) 779-3360

On Sun, 9 Jun 2002, Han,Donghoon wrote:

> Put "Deny from all" in  
> in the vhost settings where the serving port is 80.
> 
> Ex)
> 
> BlahBlahBlah
> 
>   Order Deny,Allow
>   Deny from all
> 
> 
> 
> 
> BlahBlah
> 
>   Order Allow,Deny
>   Allow from all
> 
> 
> 
> Refer to the apache manual for further information.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of lin geng
> Sent: Saturday, June 08, 2002 10:44 AM
> To: [EMAIL PROTECTED]
> Subject: RE: How to disable part of the HTTP pages?
> 
> Disable port 80.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Conrad Ng
> Sent: Wednesday, June 05, 2002 8:47 PM
> To: [EMAIL PROTECTED]
> Subject: How to disable part of the HTTP pages?
> 
> 
> Dear all
> 
> After I have implemented the SSL technology in my servers, I understand
> that
> users can access securely under HTTPS://. However, they can still
> access through HTTP://. Is there any way to block people from
> accessing under HTTP:// ? I'm not meaning to block the whole port 80 but
> only some pages, is it belong to the settings of Apache or what? Please
> instruct. Thanks a lot!!
> 
> Regards
> 
> Conrad Ng
> 
> 



Re: Runs on local...but can't see it anywhere else

2002-05-17 Thread Dale Weaver


Make sure your server is set up in DNS for your domain as well.

-

"Let me up to get my bat and I'll thank you."
   -- Calvin
___

Dale Weaver   [EMAIL PROTECTED]
UNIX Systems Administrator   (919) 662-3508
Wake Technical Community College  fax (919) 779-3360

On Fri, 17 May 2002, DG Speekenbrink wrote:

> Hi,
> 
> This sounds more like a general Apache config problem.
> is it possible to request pages with the regular http:// request?
> 
> If not, some settings in your httpd.conf are the problem.
> 
> Good luck,
> 
> Dennis
> 
> Alex Earl wrote:
> > 
> > Hi!
> > 
> > First off I would like to thank you for your help and knowledge! I enjoy
> > this forum a lot!
> > 
> > I have set up mod_ssl with Apache 1.3 and everything seems to run just fine
> > on the local machine. I can curl https://localhost (and the actual server
> > address) and get the right stuff...but when I try to access it from anywhere
> > else I get a server not found error. Any ideas?!
> > 
> > Thanks!
> > 
> > Alex Earl
> > 



Re: DNS aliases & modssl

2002-02-28 Thread Dale Weaver


OK.  I think I get it.  

Looks like the simple solution would be to get a CA cert for the
short domain and provide links to the SSL portion to make sure
it is accessed via the proper URL and limit access in the SSL 
section of the site to only accept from that referring page. 

Thanks.

-

Dale Weaver   [EMAIL PROTECTED]

On Thu, 28 Feb 2002, Luciano Miguel Ferreira Rocha wrote:

> On Thu, Feb 28, 2002 at 10:23:56AM -0500, Dale Weaver wrote:
> > pretty long but I have another domain that is short.  How does modssl
> > determine which DN it is running
> > under when it compares it to the cert?  Is it DNS, httpd.conf, URL
> > accessed, hostname, etc.?
> 
> AFAIK modssl does *not* compare the cert with the DN. Only the browser does
> that.
> 
> And if both DN point to the same IP address, how can modssl, or any server,
> know what DN the client used?
> 
> modssl returns the cert as specified in httpd.conf, under a VirtualHost
> section. And that respective VirtualHost can only be calculated by the
> destination IP address (the one the client's is connecting to).
> 
> So, you'll either need to use different IP addresses for each DN, or,
> in your non-ssl site and https urls, point to just one address.
> 
> Regards,
> Luciano Rocha
> 
> -- 
> Luciano Rocha, [EMAIL PROTECTED]
> 
> The trouble with computers is that they do what you tell them, not what
> you want.
> -- D. Cohen
> 
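
The client-side comparison described in the quoted reply, written out as an added example (not code from the thread or from mod_ssl): the server hands out whatever certificate its VirtualHost names, and the client decides whether the name it asked for is covered. It goes one step beyond the thread by also checking a certificate that lists both names as subjectAltName entries; the dict layout is the one returned by Python's `ssl.SSLSocket.getpeercert()`, and both certificates are constructed.

```python
def dns_match(pattern, host):
    """Compare one certificate name with the requested host, label by label.
    A "*" is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """Names a client checks: dNSName SAN entries, or the subject CN as a
    legacy fallback when the certificate carries no dNSName SAN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def coverage(cert, hostnames):
    """For each name a visitor may type, would the client accept this cert?"""
    names = cert_names(cert)
    return {h: any(dns_match(n, h) for n in names) for h in hostnames}

# Both names resolve to the same address, as in the question.
SITE_NAMES = ["www.short.dom", "www.very.very.long.domain"]

# Constructed certificates in the getpeercert() dict layout.
CN_ONLY_CERT = {"subject": ((("commonName", "www.short.dom"),),)}
TWO_NAME_CERT = {
    "subject": ((("commonName", "www.short.dom"),),),
    "subjectAltName": (("DNS", "www.short.dom"),
                       ("DNS", "www.very.very.long.domain")),
}

if __name__ == "__main__":
    print(coverage(CN_ONLY_CERT, SITE_NAMES))   # long name is not covered
    print(coverage(TWO_NAME_CERT, SITE_NAMES))  # both names are covered
```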




DNS aliases & modssl

2002-02-28 Thread Dale Weaver

I have got modssl 2.8.26 compiled in Apache 1.3.23.  It works fine on
my workstation where I built it to test, however I have not put it on my
production webserver.  My web server has a fully qualified DN that is
pretty long but I have another domain that is short.  How does modssl
determine which DN it is running under when it compares it to the cert?
Is it DNS, httpd.conf, URL accessed, hostname, etc.?

If someone accesses my site under the www.very.very.long.domain via
https and my cert is built for www.short.dom and the server name in
httpd.conf is www.very.very.long.domain, will it still work?
They are both the same in DNS.  Dual entries for the address and not
just an alias.

Just a little confused about how modssl handles multiple domain names
for the same server given that the certs are domain specific.

Any clarification is appreciated.

Dale
-





libssl.so won't load

2002-02-08 Thread Dale Weaver

I have an AIX server running 4.3.3.  I have installed openssl-0.9.6.3,
Apache 1.3.19 and mod_ssl 2.8.2.0.  All installed fine, however
when I try to start the server I get the errors:

Syntax error on line 236 of /etc/apache/httpd.conf:
Cannot load /usr/local/lib/apache/libssl.so into server:0509-022 Cannot load module /usr/local/lib/apache/libssl.so.
0509-150   Dependent module /usr/local/lib/libssl.a(libssl.so) could not be loaded.
0509-152   Member libssl.so is not found in archive
0509-022 Cannot load module /usr/local/lib/libssl.a.
0509-150   Dependent module /usr/local/lib/libssl.a could not be loaded