RE: Problems with Apache SSL under load
THANK YOU!! I just missed it! It was still set to the default (450). Should work much better now.

Thanks again to all who responded. I think this is the solution. Won't know for sure until the next wave hits. I guess I should be nominated for a bonehead award. ;)

-----
Dale Weaver [EMAIL PROTECTED]
UNIX Systems Administrator (919) 662-3508
Wake Technical Community College fax (919) 662-3504

On Fri, 12 Dec 2003, Jorge Carrizo wrote:

> changing max proc per user might help, say to 1000
>
> chdev -l sys0 -a maxuproc='1000'
>
> for AIX 4.3.3.0
>
> HTH
> jorge
>
> --- Boyle Owen <[EMAIL PROTECTED]> wrote:
> > > -----Original Message-----
> > > From: Dale Weaver [mailto:[EMAIL PROTECTED]
> > >
> > > I have Apache 1.3.27 compiled with mod SSL using openssl 0.9.6.g
> > > OS=AIX 5.1.
> > >
> > > The SSL site stops executing CGI scripts when load gets a little
> > > high. I checked the process list and found 106 httpd servers running.
> > > System loads at the UNIX level were nominal (< 0.8).
> > >
> > > I get tons of the following error in my error logs:
> > >
> > > [Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar1
> > > [Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar2
> > > [Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/register.cgi
> >
> > Might be to do with system resources like file descriptors or
> > semaphores. I'm afraid I don't know where to check these on AIX...
> >
> > Rgds,
> > Owen Boyle
> > Disclaimer: Any disclaimer attached to this message may be ignored.
> >
> > > HTML page responses are still very fast even with the errors.
> > >
> > > Problem does not occur when number of Apache servers < 70.
> > >
> > > This is not a great deal of load. The hardware is capable of handling
> > > a lot more than that.
> > >
> > > Can someone point me in the right direction? Help is greatly
> > > appreciated.
> > > Server configs available on request. Don't want to send large
> > > stuff over the list.
> > >
> > > Thanks.
> > >
> > > -----
> > > Dale Weaver [EMAIL PROTECTED]
> > > UNIX Systems Administrator (919) 662-3508
> > > Wake Technical Community College fax (919) 662-3504
Problems with Apache SSL under load
I have Apache 1.3.27 compiled with mod SSL using openssl 0.9.6.g
OS=AIX 5.1.

The SSL site stops executing CGI scripts when load gets a little high. I checked the process list and found 106 httpd servers running. System loads at the UNIX level were nominal (< 0.8).

I get tons of the following error in my error logs:

[Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar1
[Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar2
[Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/register.cgi

HTML page responses are still very fast even with the errors.

Problem does not occur when number of Apache servers < 70.

This is not a great deal of load. The hardware is capable of handling a lot more than that.

Can someone point me in the right direction? Help is greatly appreciated.
Server configs available on request. Don't want to send large stuff over the list.

Thanks.

-----
Dale Weaver [EMAIL PROTECTED]
UNIX Systems Administrator (919) 662-3508
Wake Technical Community College fax (919) 662-3504
Server Load problems under heavy SSL traffic
We are experiencing problems under heavy traffic to our SSL site. I have read the FAQ on performance and have decided to switch to shmcb caching, but I don't know if that will help the problem.

With about 300 concurrent users the server loads skyrocket and the server no longer spawns child processes for CGI scripts. I have the Apache 1.3.27 server set up for 4096 concurrent connections and have made all the suggested performance tuning measures suggested on the Apache site. This problem does not occur on the non-ssl site which has significantly more traffic.

Can anyone offer any insight into this problem?

Here are my specs:

AIX 4.3.3
Dual Processor F40 w/ 1GB RAM
2GB SWAP
Apache with mod_ssl (compiled in) 1.3.27-2.8.11
Openssl 0.9.6g

from http.conf:

    DocumentRoot "/usr/local/apache/ssldocs"
    ServerName hostname
    ServerAdmin me
    ErrorLog /usr/local/apache/logs/error_log
    TransferLog /usr/local/apache/logs/access_log
    ScriptAlias /cgi-bin/ "/usr/local/apache/sslcgi/"
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/public.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/private.key
    SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/intermediate.crt
    SSLVerifyClient none
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars
    SSLOptions +StdEnvVars
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /usr/local/apache/logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Any help is appreciated.

---------
Dale Weaver [EMAIL PROTECTED]
RE: How to disable part of the HTTP pages?
I believe it is more accurate to redirect. It causes less confusion:

    ServerName whatever
    Redirect permanent / https://whatever

Avoids confusion and irritation on the part of site visitors.

-----
When a true genius appears in the world, you may know him by this sign; that the dunces are all in confederacy against him.
-- Jonathan Swift
-----
Dale Weaver [EMAIL PROTECTED]
UNIX Systems Administrator (919) 662-3508
Wake Technical Community College fax (919) 779-3360

On Sun, 9 Jun 2002, Han,Donghoon wrote:

> Put "Deny from all" in
> in the vhost settings where the serving port is 80.
>
> Ex)
>
> BlahBlahBlah
>
> Order Deny,Allow
> Deny from all
>
>
> BlahBlah
>
> Order Allow,Deny
> Allow from all
>
> Refer to the apache manual for further information.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of lin geng
> Sent: Saturday, June 08, 2002 10:44 AM
> To: [EMAIL PROTECTED]
> Subject: RE: How to disable part of the HTTP pages?
>
> Disable port 80.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Conrad Ng
> Sent: Wednesday, June 05, 2002 8:47 PM
> To: [EMAIL PROTECTED]
> Subject: How to disable part of the HTTP pages?
>
> Dear all
>
> After I have implemented the SSL technology in my servers, I understand
> that users can access securely under HTTPS://. However, they can still
> access through HTTP://. Is there any way to block people from
> accessing under HTTP:// ? I'm not meaning to block the whole port 80 but
> only some pages, is it belong to the settings of Apache or what? Please
> instruct. Thanks a lot!!
>
> Regards
>
> Conrad Ng
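The redirect suggested in this thread, narrowed to the "only some pages" case from the original question, as an added example that is not configuration posted by anyone on the list. The host name www.example.com, the document root and the /secure/ path are assumptions.

```apache
# Added example for Apache 1.3 with mod_ssl; names and paths are assumed.
Listen 80
Listen 443

# Safety net at server level: this directory is refused (403) on any
# connection that is not SSL, even if the Redirect below is later removed.
<Directory "/usr/local/apache/htdocs/secure">
    SSLRequireSSL
</Directory>

# Plain-HTTP virtual host: public pages are served as before, but every
# request under /secure/ is answered with a 301 to the HTTPS site.
# Keep the Redirect inside this vhost. Placed at server level it would be
# inherited by the SSL vhost as well and produce a redirect loop.
<VirtualHost _default_:80>
    ServerName   www.example.com
    DocumentRoot "/usr/local/apache/htdocs"
    Redirect permanent /secure/ https://www.example.com/secure/
</VirtualHost>

# HTTPS virtual host: same content tree, served over SSL.
<VirtualHost _default_:443>
    ServerName   www.example.com
    DocumentRoot "/usr/local/apache/htdocs"
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/public.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/private.key
</VirtualHost>
```

A redirect only moves well-behaved clients; the first request, including any cookies or form data it carries, still crosses the network in clear text, so links and form actions pointing at the protected pages should use https:// URLs directly.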
Re: Runs on local...but can't see it anywhere else
Make sure your server is set up in DNS for your domain as well.

-----
"Let me up to get my bat and I'll thank you."
-- Calvin
-----
Dale Weaver [EMAIL PROTECTED]
UNIX Systems Administrator (919) 662-3508
Wake Technical Community College fax (919) 779-3360

On Fri, 17 May 2002, DG Speekenbrink wrote:

> Hi,
>
> This sounds more like a general Apache config problem.
> is it possible to request pages with the regular http:// request?
>
> If not, some settings in your httpd.conf are the problem.
>
> Good luck,
>
> Dennis
>
> Alex Earl wrote:
> >
> > Hi!
> >
> > First off I would like to thank you for your help and knowledge! I enjoy
> > this forum a lot!
> >
> > I have set up mod_ssl with Apache 1.3 and everything seems to run just fine
> > on the local machine. I can curl https://localhost (and the actual server
> > address) and get the right stuff...but when I try to access it from anywhere
> > else I get a server not found error. Any ideas?!
> >
> > Thanks!
> >
> > Alex Earl
Re: DNS aliases & modssl
OK. I think I get it. Looks like the simple solution would be to get a CA cert for the short domain and provide links to the SSL portion to make sure it is accessed via the proper URL and limit access in the SSL section of the site to only accept from that referring page.

Thanks.

-----
Dale Weaver [EMAIL PROTECTED]

On Thu, 28 Feb 2002, Luciano Miguel Ferreira Rocha wrote:

> On Thu, Feb 28, 2002 at 10:23:56AM -0500, Dale Weaver wrote:
> > pretty long but I have another domain that is short. How does modssl
> > determine which DN it is running
> > under when it compares it to the cert? Is it DNS, httpd.conf, URL
> > accessed, hostname, etc.?
>
> AFAIK modssl does *not* compare the cert with the DN. Only the browser does
> that.
>
> And if both DN point to the same IP address, how can modssl, or any server,
> know what DN the client used?
>
> modssl returns the cert as specified in httpd.conf, under a VirtualHost
> section. And that respective VirtualHost can only be calculated by the
> destination IP address (the one the client's is connecting to).
>
> So, you'll either need to use different IP addresses for each DN, or,
> in your non-ssl site and https urls, point to just one address.
>
> Regards,
> Luciano Rocha
>
> --
> Luciano Rocha, [EMAIL PROTECTED]
>
> The trouble with computers is that they do what you tell them, not what
> you want.
> -- D. Cohen
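The "different IP addresses for each DN" option from the quoted reply above, written out as an added example that is not configuration from the thread. The two addresses (RFC 5737 documentation range) and the certificate file names are placeholders; the host names are the ones used in the question.

```apache
# Added example for Apache 1.3 with mod_ssl; addresses and file names are
# placeholders. In DNS each name must resolve to its own address only.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

# The virtual host, and with it the certificate, is chosen from the
# address the client connected to. The SSL handshake is finished before
# the Host header arrives, so the requested name cannot influence it.
<VirtualHost 192.0.2.10:443>
    ServerName www.short.dom
    SSLEngine on
    # Certificate issued for www.short.dom
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/short.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/short.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName www.very.very.long.domain
    SSLEngine on
    # Certificate issued for www.very.very.long.domain
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/long.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/long.key
</VirtualHost>
```

With both names on one address, as in the question, only one of these certificates can ever be presented, and a browser that asked for the other name shows a name-mismatch warning.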
DNS aliases & modssl
I have got modssl 2.8.26 compiled in Apache 1.3.23. It works fine on my workstation where I built it to test, however I have not put it on my production webserver.

My web server has a fully qualified DN that is pretty long but I have another domain that is short. How does modssl determine which DN it is running under when it compares it to the cert? Is it DNS, httpd.conf, URL accessed, hostname, etc.?

If someone accesses my site under the www.very.very.long.domain via https and my cert is built for www.short.dom and the server name in httpd.conf is www.very.very.long.domain, will it still work? They are both the same in DNS. Dual entries for the address and not just an alias.

Just a little confused about how modssl handles multiple domain names for the same server given that the certs are domain specific.

Any clarification is appreciated.

Dale
libssl.so won't load
I have an AIX server running 4.3.3. I have installed openssl-0.9.6.3, Apache 1.3.19 and mod_ssl 2.8.2.0. All installed fine, however when I try to start the server I get the errors:

Syntax error on line 236 of /etc/apache/httpd.conf:
Cannot load /usr/local/lib/apache/libssl.so into server:
    0509-022 Cannot load module /usr/local/lib/apache/libssl.so.
    0509-150 Dependent module /usr/local/lib/libssl.a(libssl.so) could not be loaded.
    0509-152 Member libssl.so is not found in archive
    0509-022 Cannot load module /usr/local/lib/libssl.a.
    0509-150 Dependent module /usr/local/lib/libssl.a could not be loaded