Fw: flush or pass filter brigade to avoid memory exhaustion
Ray, looks like this got lost in the ether. I only realised it when I got your contact from my online Form! I presume you're reading where you posted!

Begin forwarded message:

On Mon, 14 Nov 2011 13:00:07 -0600 Ray Morris supp...@bettercgi.com wrote:

> I would appreciate some help with splitting and passing a brigade in an output filter, to avoid using memory proportional to the size of the response and allow data to begin to be output prior to the completion of the filter. Studying the apache.org docs, the book, and other modules, I haven't been able to get this working. Trying to merge the code from the docs with a sample module, the connection is closed after 751,143 bytes.

Not quite sure what your question is. You seem to have figured out what you're doing!

>     APR_BUCKET_REMOVE(b);                        // -- new code
>     APR_BRIGADE_INSERT_HEAD(ctxt->tmpbb, b);     // -- new code

If you add a flush bucket HERE it becomes less likely the next filter in the chain will buffer it.

>     rv = ap_pass_brigade(f->next, ctxt->tmpbb);  // -- new code
>     apr_brigade_cleanup(ctxt->tmpbb);            // -- new code
>     apr_sleep(1);                                // -- new code

Could that be triggering a timeout?

--
Nick Kew
A bug, apr_os_thread_current() not equal r-connection-current_thread
Hi, I failed with this on Windows with branch 2.4.x, in a handle hook:

    apr_os_thread_t t = apr_os_thread_current();
    apr_os_thread_t *t1;
    apr_os_thread_get(&t1, r->connection->current_thread);
    printf("EQUALS %d\n", apr_os_thread_equal(t, t1));

I think t and t1 must be equal, but they are not. I think this is a bug. Is it?
RE: Changes in mod_ssl
Hello Rainer,

I found out that the patch that I used in order to connect apache server with SSL using our HSM to hold the Private RSA and Certificate already exists in bugzilla at: https://issues.apache.org/bugzilla/show_bug.cgi?id=42687

We found out that this patch works well. We would like to insert it in to the open source code. What is the status of this patch and what can I do in order to insert the patch to open source code?

Regards,
Moran Jacuel | Software Engineer | ARX
phone: +972.3.9279512 | email: mor...@arx.com | www.arx.com

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Monday, November 14, 2011 4:56 PM
To: dev@httpd.apache.org
Cc: Moran Jacuel; Moshe Harel
Subject: Re: Changes in mod_ssl

Hello,

On 14.11.2011 05:59, Moran Jacuel wrote:

> Hello,
>
> Our company is an HSM manufacturer (See link for http://www.arx.com/products/private-server-hsm PrivateServer product)
>
> We wanted to connect apache server with SSL using our HSM to hold the Private RSA and Certificate. We downloaded apache httpd-2.2.20 and modified the module mod_ssl that came with the package in a generic way to work with OpenSSL PKCS#11 engine. Now we want to add the small code changes we made to the open source code.
>
> It is not clear to us if the mod_ssl is part of the Apache project or not. If so, can you please explain us who we need to contact and what is the procedure we need to follow.

Yes, mod_ssl for the Apache web server 2.x is part of the Apache web server project. Some notes about contributing patches are available at: http://httpd.apache.org/dev/patches.html

For a substantial contribution we would need a signed Contributor License Agreement (CLA), see http://www.apache.org/licenses/#clas

In order to document the availability of a patch and track its use, I suggest you open a bugzilla issue and attach the patch there: https://issues.apache.org/bugzilla/

For a bigger patch you can also discuss the patch on this list before or after opening the bugzilla issue.

Regards,
Rainer
Re: 2.3.15 RewriteRule P
Hi Steffen,

On Mon, 14 Nov 2011, Steffen wrote:

> The issue below seems not to be related to SSL.
>
> Tested in different non-SSL configs with eg.
>
>     RewriteRule /sysadmin(.*) http://%{HTTP_HOST}:81/sysadmin$1 [P,L]
>
> And different servers as the back, Sambar, Surge, DManager and Apache.
>
> Sometimes it works but mostly it is not passing (good) URL info to the server. Get errors like: requested URL not found, requested file: ()

Does the 'sometimes' depend on the URL? I.e. do some URLs work and some don't?

Can you post errorlog output with loglevel debug proxy:trace6 rewrite:trace6? Thanks.

Cheers,
Stefan

> It is a minimal config with a commonly used rewrite:
>
>     Listen 443
>     SSLEngine on
>     DocumentRoot f:/web/unknown
>     RewriteEngine on
>     RewriteRule /(.*) http://%{HTTP_HOST}/$1 [P,L]
>
> In the log no clue, only
>
>     [ssl:info] [pid 6836:tid 2588] (70014)End of file found: [client 85.223.52.177:38857] SSL input filter read failed.
>
> But that I see also with 2.2.21
>
> Looks like more errors when I have AcceptFilter https none instead of leaving this out.
>
> Steffen
CVE-2011-3607, int overflow ap_pregsub()
Hi there, Revision 1198940 attempts to fix an integer overflow in ap_pregsub() in server/util.c:394. The patch is: --- httpd/httpd/trunk/server/util.c 2011/11/07 21:09:41 1198939 +++ httpd/httpd/trunk/server/util.c 2011/11/07 21:13:40 1198940 @@ -411,6 +411,8 @@ len++; } else if (no nmatch pmatch[no].rm_so pmatch[no].rm_eo) { +if (APR_SIZE_MAX - len = pmatch[no].rm_eo - pmatch[no].rm_so) +return APR_ENOMEM; len += pmatch[no].rm_eo - pmatch[no].rm_so; } , and appears wrong, because, ap_pregsub() is AP_DECLARE(char *) ap_pregsub(...) This would require something along the lines of (proposal): } else if (no nmatch pmatch[no].rm_so pmatch[no].rm_eo) { +if (APR_SIZE_MAX - len = pmatch[no].rm_eo - pmatch[no].rm_so) { + ap_log_error(APLOG_MARK, APLOG_WARNING, APR_ENOMEM, NULL, + integer overflow or out of memory condition. ); +return NULL; + } len += pmatch[no].rm_eo - pmatch[no].rm_so; } } dest = dst = apr_pcalloc(p, len + 1); +if(!dest) + return NULL; + + /* Now actually fill in the string */ ...or simply without the error logging. Thoughts? Thanks, Roman.
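Review bot: In the proposed variant, the "return NULL;" inside the rm_so/rm_eo branch and the new "if(!dest)" exit give ap_pregsub() a failure return, so every caller that uses the result without a NULL check has to change together with it; the lines shown touch only the function itself. In the same branch, pmatch[no].rm_eo - pmatch[no].rm_so is evaluated once for the guard and again for "len +="; computing it once into an apr_size_t local keeps the two in step. The log text "integer overflow or out of memory condition." names neither the function nor the input, and ap_log_error() is passed a NULL server, so the warning will be hard to attribute.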
RE: CVE-2011-3607, int overflow ap_pregsub()
The patch is fine on trunk because the affected code is not within

    AP_DECLARE(char *) ap_pregsub(...)

but within

    static apr_status_t regsub_core(apr_pool_t *p, char **result, struct ap_varbuf *vb, const char *input, const char *source, size_t nmatch, ap_regmatch_t pmatch[], apr_size_t maxlen)

but there is no regsub_core in 2.2.x. So the patch needs to be adjusted for backport to 2.2.x. But returning NULL in the 2.2.x case looks to be the correct thing to do as this is how trunk behaves now. OTOH there was some discussion on this list whether it is correct to backport this trunk behaviour to 2.2.x.

Regards

Rüdiger

-Original Message-
From: Roman Drahtmueller [mailto:dr...@suse.de]
Sent: Tuesday, 15 November 2011 15:13
To: dev@httpd.apache.org
Subject: CVE-2011-3607, int overflow ap_pregsub()

Hi there, Revision 1198940 attempts to fix an integer overflow in ap_pregsub() in server/util.c:394. The patch is: --- httpd/httpd/trunk/server/util.c 2011/11/07 21:09:41 1198939 +++ httpd/httpd/trunk/server/util.c 2011/11/07 21:13:40 1198940 @@ -411,6 +411,8 @@ len++; } else if (no nmatch pmatch[no].rm_so pmatch[no].rm_eo) { +if (APR_SIZE_MAX - len = pmatch[no].rm_eo - pmatch[no].rm_so) +return APR_ENOMEM; len += pmatch[no].rm_eo - pmatch[no].rm_so; } , and appears wrong, because, ap_pregsub() is AP_DECLARE(char *) ap_pregsub(...) This would require something along the lines of (proposal): } else if (no nmatch pmatch[no].rm_so pmatch[no].rm_eo) { +if (APR_SIZE_MAX - len = pmatch[no].rm_eo - pmatch[no].rm_so) { + ap_log_error(APLOG_MARK, APLOG_WARNING, APR_ENOMEM, NULL, + integer overflow or out of memory condition. ); +return NULL; + } len += pmatch[no].rm_eo - pmatch[no].rm_so; } } dest = dst = apr_pcalloc(p, len + 1); +if(!dest) + return NULL; + + /* Now actually fill in the string */ ...or simply without the error logging. Thoughts? Thanks, Roman.
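The length check discussed in the two messages above, as an added example (not httpd code and not from either post): a simplified two-pass $N / & substitution in which every length addition is guarded and failure is reported as NULL, the behaviour proposed for 2.2.x. The names match_t, grow, group_len, next_token and pregsub_checked are hypothetical, malloc stands in for the pool allocator, and the maxlen cap mirrors the parameter in the regsub_core signature quoted above.

```c
/* Added example: two-pass backreference substitution with overflow-checked sizing. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for ap_regmatch_t: byte offsets of one capture group in the source. */
typedef struct { int rm_so; int rm_eo; } match_t;

/* What an unguarded "len += n" yields: size_t arithmetic wraps silently. */
static size_t unchecked_add(size_t len, size_t add) { return len + add; }

/* Guarded "len += add": returns 0 and leaves *len alone if the sum would pass limit. */
static int grow(size_t *len, size_t add, size_t limit)
{
    if (*len > limit || add > limit - *len)
        return 0;
    *len += add;
    return 1;
}

/* Length of group `no`, computed in one place so sizing and copying agree; 0 if unusable. */
static size_t group_len(int no, size_t nmatch, const match_t pmatch[])
{
    if ((size_t)no >= nmatch || pmatch[no].rm_so < 0
        || pmatch[no].rm_so >= pmatch[no].rm_eo)
        return 0;
    return (size_t)(pmatch[no].rm_eo - pmatch[no].rm_so);
}

/* Read one template token: returns group 0..9 for "&" / "$N", or -1 for a literal
 * character stored in *lit ("\$" and "\&" are escapes). Advances *src. */
static int next_token(const char **src, char *lit)
{
    char c = *(*src)++;
    if (c == '&')
        return 0;
    if (c == '$' && **src >= '0' && **src <= '9')
        return *(*src)++ - '0';
    if (c == '\\' && (**src == '$' || **src == '&'))
        c = *(*src)++;
    *lit = c;
    return -1;
}

/* Expand tmpl against source. maxlen caps the result (0 = no cap beyond SIZE_MAX - 1).
 * Returns a malloc'd string, or NULL if the length would overflow, pass maxlen,
 * or the allocation fails. The caller must check for NULL and free the result. */
char *pregsub_checked(const char *tmpl, const char *source, size_t nmatch,
                      const match_t pmatch[], size_t maxlen)
{
    const char *src;
    char *dest, *dst, lit = 0;
    size_t len = 0, n;
    int no;

    if (maxlen == 0 || maxlen > SIZE_MAX - 1)
        maxlen = SIZE_MAX - 1;              /* keeps len + 1 representable */

    for (src = tmpl; *src != '\0'; ) {      /* pass 1: size the result */
        no = next_token(&src, &lit);
        n = (no < 0) ? 1 : group_len(no, nmatch, pmatch);
        if (!grow(&len, n, maxlen))
            return NULL;
    }

    dest = dst = malloc(len + 1);
    if (dest == NULL)
        return NULL;

    for (src = tmpl; *src != '\0'; ) {      /* pass 2: fill it in */
        no = next_token(&src, &lit);
        if (no < 0) {
            *dst++ = lit;
        } else if ((n = group_len(no, nmatch, pmatch)) > 0) {
            memcpy(dst, source + pmatch[no].rm_so, n);
            dst += n;
        }
    }
    *dst = '\0';
    return dest;
}

int main(void)
{
    /* Constructed sample: group 0 = "hello world", group 1 = "world". */
    const match_t m[2] = { {0, 11}, {6, 11} };
    char *ok = pregsub_checked("[$1] & \\$1", "hello world", 2, m, 0);
    char *capped = pregsub_checked("$1$1$1", "hello world", 2, m, 12);

    printf("expanded: %s\n", ok ? ok : "(null)");
    printf("capped:   %s\n", capped ? capped : "(null)");
    printf("unchecked SIZE_MAX-2 + 10 = %zu\n", unchecked_add(SIZE_MAX - 2, 10));
    free(ok);
    free(capped);
    return 0;
}
```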
Re: Changes in mod_ssl
Hello Moran,

On 15.11.2011 14:54, Moran Jacuel wrote:

> Hello Rainer,
>
> I found out that the patch that I used in order to connect apache server with SSL using our HSM to hold the Private RSA and Certificate already exists in bugzilla at: https://issues.apache.org/bugzilla/show_bug.cgi?id=42687
>
> We found out that this patch works well. We would like to insert it in to the open source code. What is the status of this patch and what can I do in order to insert the patch to open source code?

It is better to contact the dev list and inquire about this patch there. A friendly nagging sometimes helps.

Regards,
Rainer
setting TZ env var
So, I was looking at all the system calls we make in a single request, and comparing it to nginx. We were actually pretty close, barring supporting our features like htaccess, there was only one thing that stood out.

Glibc is opening, calling fstat twice, and then reading /etc/localtime for every request:

    [pid 31496] 0.51 open(/etc/localtime, O_RDONLY) = 8 0.14
    [pid 31496] 0.41 fstat(8, {st_mode=S_IFREG|0644, st_size=118, ...}) = 0 0.11
    [pid 31496] 0.48 fstat(8, {st_mode=S_IFREG|0644, st_size=118, ...}) = 0 0.10
    [pid 31496] 0.48 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd87efa000 0.13
    [pid 31496] 0.40 read(8, TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0..., 4096) = 118 0.15
    [pid 31496] 0.51 lseek(8, -62, SEEK_CUR) = 56 0.11
    [pid 31496] 0.34 read(8, TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0..., 4096) = 62 0.11
    [pid 31496] 0.48 close(8) = 0 0.12

One way to fix this is to set the TZ environment variable. For example: https://github.com/pquerna/httpd/commit/37e5815a70e88a733cd088398d016803146b545f

This specific patch has some issues, but are there any objections to the concept of setting the timezone on process startup?

This single change gives about a 2% performance boost in my testing.

To merge to trunk I'd like to have it detect your active timezone, instead of forcing UTC+0, but if you changed timezones on your machine, you will need to restart httpd.

Thoughts?

Thanks,
Paul
Re: svn commit: r1200040 - in /httpd/httpd/trunk: CHANGES modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h
On Sun, Nov 13, 2011 at 2:34 AM, Kaspar Brand httpd-dev.2...@velox.ch wrote: On 10.11.2011 00:37, pque...@apache.org wrote: Author: pquerna Date: Wed Nov 9 23:37:37 2011 New Revision: 1200040 URL: http://svn.apache.org/viewvc?rev=1200040view=rev Log: Add support for RFC 5077 TLS Session tickets. This adds two new directives: * SSLTicketKeyFile: To store the private information for the encryption of the ticket. * SSLTicketKeyDefault To set the default, otherwise the first listed token is used. This enables key rotation across servers. It's not completely clear to me how these two directives interact - what does first listed token relate to? Can multiple SSLTicketKeyFile directives appear within a VirtualHost? Yes. Maybe explaining it as such is easier to understand: SSLTicketKeyFile basically gives you a list of possible decryption keys. SSLTicketKeyDefault picks which one to use for encryption. If SSLTicketKeyDefault is not set, the first added decryption key is used. --- httpd/httpd/trunk/CHANGES [utf-8] (original) +++ httpd/httpd/trunk/CHANGES [utf-8] Wed Nov 9 23:37:37 2011 
@@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.3.16 + *) mod_ssl: Add support for RFC 5077 TLS Session tickets. + [Paul Querna] This is somewhat misleading, I think. Session tickets are supported in mod_ssl as soon as you compile it against OpenSSL 0.9.8f or later (they default to on in OpenSSL, SSL_OP_NO_TICKET would have to be set otherwise). What your patch adds, OTOH, is allowing explicit control of the ticket encryption/decryption keys. Sorry, this is correct. Its not adding support to them in a single cluster, its making them configurable / controlable by the user -- OpenSSL by default does generate random keys, but in a cluster of servers this makes session tickets basically useless. Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1200040r1=1200039r2=1200040view=diff == --- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original) +++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Wed Nov 9 23:37:37 2011 @@ -79,6 +79,14 @@ static const command_rec ssl_config_cmds SSL_CMD_SRV(FIPS, FLAG, Enable FIPS-140 mode (`on', `off')) +#ifdef HAVE_TLSEXT_TICKETS + SSL_CMD_SRV(TicketKeyFile, TAKE2, + Key file to use for encrypting and decrypting the client ticket (RFC 5077) + (keyname '/path/to/file')) I suggest to add some info about the contents of these files (like 48 random bytes in binary format). Also, the documentation of this directive should encourage users to regularly change these keys. Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1200040r1=1200039r2=1200040view=diff == --- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original) +++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Wed Nov 9 23:37:37 2011 
@@ -200,6 +200,12 @@ static SSLSrvConfigRec *ssl_config_serve sc-fips = UNSET; #endif +#ifdef HAVE_TLSEXT_TICKETS + sc-default_ticket_name = NULL; + sc-default_ticket = NULL; + sc-tickets = apr_array_make(p, 4, sizeof(modssl_ticket_t*)); Maybe a stupid question, but I don't (yet) see the reason for using an array with four elements... could you perhaps shed some more light on this? APR array make pre-allocates this much space. If you use more than 4 elements, it needs to do another allocation. If you use less than 4, it will only allocate memory here. It is not a limit. Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1200040r1=1200039r2=1200040view=diff == --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original) +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Wed Nov 9 23:37:37 2011 @@ -2067,3 +2067,94 @@ static int ssl_find_vhost(void *serverna return 0; } #endif + +#ifdef HAVE_TLSEXT_TICKETS + +#ifndef tlsext_tick_md +#ifdef OPENSSL_NO_SHA256 +#define tlsext_tick_md EVP_sha1 +#else +#define tlsext_tick_md EVP_sha256 +#endif +#endif That's something which belongs into ssl_private.h, I think. As a general comment, I would like to see some guidelines in the documentation as to when an explicit configuration of TLS session ticket keys really makes sense - and how to create/maintain the key files, in this case. For a default standalone setup, people are still better off with using OpenSSL's
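Review bot: In the ssl_engine_kernel.c hunk, the tlsext_tick_md fallback picks EVP_sha1 when OPENSSL_NO_SHA256 is defined and EVP_sha256 otherwise, so the digest depends on how each node's OpenSSL was built. If this macro selects the ticket MAC, servers that share one SSLTicketKeyFile but were built differently will not accept each other's tickets, which defeats the cluster case the change is meant for; document the digest next to the directive, or log the one in use at startup. In the mod_ssl.c hunk, the TicketKeyFile help text says only (keyname '/path/to/file'); it should also say that the file holds secret key material and must not be readable by other users.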
Re: [VOTE] Release 2.3.15-beta as beta
Which post?? The only thing on this thread is something about mod_rewrite and SSL.

On Nov 14, 2011, at 4:33 PM, William A. Rowe Jr. wrote:

> On 11/9/2011 8:24 AM, Jim Jagielski wrote:
>
> > The 2.3.15-beta (prerelease) tarballs are available for download at test: http://httpd.apache.org/dev/dist/
> >
> > I'm calling a VOTE on releasing these as 2.3.15-beta BETA and, with luck, this will be our last beta and the next release in ~2weeks or less will be 2.4.0 GA!!
> >
> > Vote will last the normal 72 hours...
>
> If you did not [announce]... you might want to review Steffen's post first. Looks like a pretty serious all-platform regression between mod_proxy and ap_pregsub.
Re: svn commit: r1202255 - /httpd/httpd/trunk/modules/filters/mod_reqtimeout.c
On Tue, 15 Nov 2011, pque...@apache.org wrote: Author: pquerna Date: Tue Nov 15 15:49:19 2011 New Revision: 1202255 URL: http://svn.apache.org/viewvc?rev=1202255view=rev Log: disable mod_reqtimeout if not configured Why that? We have just changed the default to be enabled in r1199447 and several developers at the hackathon agreed to this change. Modified: httpd/httpd/trunk/modules/filters/mod_reqtimeout.c Modified: httpd/httpd/trunk/modules/filters/mod_reqtimeout.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_reqtimeout.c?rev=1202255r1=1202254r2=1202255view=diff == --- httpd/httpd/trunk/modules/filters/mod_reqtimeout.c (original) +++ httpd/httpd/trunk/modules/filters/mod_reqtimeout.c Tue Nov 15 15:49:19 2011 @@ -340,6 +340,11 @@ static int reqtimeout_init(conn_rec *c) return DECLINED; } +if (cfg-header_timeout == UNSET cfg-body_timeout == UNSET) { +/* if everything is unset, skip by default. */ +return DECLINED; +} + ccfg = apr_pcalloc(c-pool, sizeof(reqtimeout_con_cfg)); ccfg-type = header; if (cfg-header_timeout != UNSET) {
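Review bot: The new early return in reqtimeout_init(), taken when cfg->header_timeout and cfg->body_timeout are both UNSET, means a server that loads the module without configuring it gets no request timeouts at all, and nothing in the hunk tells the administrator. If this stays, the directive documentation and CHANGES (the commit modifies only mod_reqtimeout.c) need to say that the module is inactive until a timeout is configured; a one-time startup message at info level would also help.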
Re: 2.3.15 RewriteRule P
Am I correct in assuming this is just under Windows...??

On Nov 14, 2011, at 1:31 PM, Steffen wrote:

> The issue below seems not to be related to SSL.
>
> Tested in different non-SSL configs with eg.
>
>     RewriteRule /sysadmin(.*) http://%{HTTP_HOST}:81/sysadmin$1 [P,L]
>
> And different servers as the back, Sambar, Surge, DManager and Apache.
>
> Sometimes it works but mostly it is not passing (good) URL info to the server. Get errors like: requested URL not found, requested file: ()
>
> Using the ProxyPass directive, no issues.
>
> Same configs are working with 2.2 without issues.
>
> Steffen
>
> --- Original message ---
> Subject: Re: [VOTE] Release 2.3.15-beta as beta
> From: Steffen i...@apachelounge.com
> To: dev@httpd.apache.org
> Date: Saturday, 12/11/2011 16:26
>
> Building fine on Windows, except mod_lua is complaining that it cannot find mod_ssl.h, just copied it and all fine.
>
> Still the issue: When run in DOS box, not shutting down when closing window, as service no problem.
>
> A real problematic one is: When running still issues with SSL, pages and/or image not displayed, is random.
>
> Some errors from the browser:
>
> Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have. Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
>
> The webpage at https://www.land10mail.com/ might be temporarily down or it may have moved permanently to a new web address. Error 15 (net::ERR_SOCKET_NOT_CONNECTED): Unknown error
>
> With 2.2.21 and the exact same config, no problems.
>
> The config is: For SSL, running a Apache 443 only in front of a Apache 80. Using signed certificate.
>
> It is a minimal config with a commonly used rewrite:
>
>     Listen 443
>     SSLEngine on
>     DocumentRoot f:/web/unknown
>     RewriteEngine on
>     RewriteRule /(.*) http://%{HTTP_HOST}/$1 [P,L]
>
> In the log no clue, only
>
>     [ssl:info] [pid 6836:tid 2588] (70014)End of file found: [client 85.223.52.177:38857] SSL input filter read failed.
>
> But that I see also with 2.2.21
>
> Looks like more errors when I have AcceptFilter https none instead of leaving this out.
>
> Steffen
Re: [VOTE] Release 2.3.15-beta as beta
I found the post... IMO, this should not hold off the release at this point...

On Nov 15, 2011, at 11:57 AM, Jim Jagielski wrote:

> Which post?? The only thing on this thread is something about mod_rewrite and SSL.
Fwd: svn commit: r1202257 - in /httpd/httpd/trunk/server/mpm/event: config3.m4 equeue.c equeue.h event.c
Original Message
Subject: svn commit: r1202257 - in /httpd/httpd/trunk/server/mpm/event: config3.m4 equeue.c equeue.h event.c
Date: Tue, 15 Nov 2011 15:51:04 GMT
From: pque...@apache.org

Author: pquerna
Date: Tue Nov 15 15:51:03 2011
New Revision: 1202257
URL: http://svn.apache.org/viewvc?rev=1202257&view=rev
Log: Create a new lock free circular queue, and use it in the EventMPM to remove the timeout mutex that was wrapping both timeout queue operations and pollset operations.

Added: httpd/httpd/trunk/server/mpm/event/equeue.c (with props) httpd/httpd/trunk/server/mpm/event/equeue.h (with props)
Modified: httpd/httpd/trunk/server/mpm/event/config3.m4 httpd/httpd/trunk/server/mpm/event/event.c

Added: httpd/httpd/trunk/server/mpm/event/equeue.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/mpm/event/equeue.c?rev=1202257view=auto == --- httpd/httpd/trunk/server/mpm/event/equeue.c (added) +++ httpd/httpd/trunk/server/mpm/event/equeue.c Tue Nov 15 15:51:03 2011
@@ -0,0 +1,125 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the License); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an AS IS BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include equeue.h + +#includeapr_atomic.h +#includesched.h + +struct ap_equeue_t { +apr_uint32_t nelem; +apr_size_t elem_size; +uint8_t *bytes; +volatile apr_uint32_t writeCount; +volatile apr_uint32_t readCount; +}; + + +static APR_INLINE apr_uint32_t count_to_index(ap_equeue_t *eq, apr_uint32_t count) +{ +return (count (eq-nelem - 1)); +} + +static APR_INLINE void* index_to_bytes(ap_equeue_t *eq, apr_uint32_t idx) +{ +apr_size_t offset = idx * eq-elem_size; +return (void*)eq-bytes[offset]; +} + +static APR_INLINE apr_uint32_t nearest_power(apr_uint32_t num) +{ +apr_uint32_t n = 1; +while (n num) { +n= 1; +} + +return n; +} + +#if 0 +static void dump_queue(ap_equeue_t *eq) +{ +apr_uint32_t i; + +fprintf(stderr, dumping %p\n, eq); +fprintf(stderr, nelem: %u\n, eq-nelem); +fprintf(stderr, esize: %APR_SIZE_T_FMT\n, eq-elem_size); +fprintf(stderr, wcnt:%u\n, eq-writeCount); +fprintf(stderr, rcnt:%u\n, eq-writeCount); +fprintf(stderr, bytes: %p\n, eq-bytes); +for (i = 0; i eq-nelem; i++) { +fprintf(stderr, [%u] = %p\n, i, index_to_bytes(eq, i)); +} + +fprintf(stderr, \n); +fflush(stderr); +} +#endif + +apr_status_t +ap_equeue_create(apr_pool_t *p, apr_uint32_t 
nelem, apr_size_t elem_size, ap_equeue_t **eqout) +{ +ap_equeue_t *eq; + +*eqout = NULL; + +eq = apr_palloc(p, sizeof(ap_equeue_t)); +eq-bytes = apr_palloc(p, (1 + nelem) * elem_size); +eq-nelem = nearest_power(nelem); Shouldn't that be +eq-nelem = nearest_power(nelem); +eq-bytes = apr_palloc(p, eq-nelem * elem_size); instead? Otherwise we might allocate too few elements. Regards Rüdiger
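Review bot: nearest_power() doubles n until it reaches num, but n is an apr_uint32_t, so for any nelem above 2^31 the shift wraps n to 0 and the loop never terminates. ap_equeue_create() should reject such a value before sizing the buffer, and the element-count times elem_size product should be checked for overflow before it is passed to apr_palloc(). In the disabled dump_queue() helper, the rcnt line prints eq->writeCount; it should print eq->readCount.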
Re: svn commit: r1202256 - /httpd/httpd/trunk/server/mpm/event/event.c
On Tue, 15 Nov 2011, pque...@apache.org wrote: Author: pquerna Date: Tue Nov 15 15:50:09 2011 New Revision: 1202256 URL: http://svn.apache.org/viewvc?rev=1202256view=rev Log: Instead of disabling the listening sockets from the pollset when under load, just stop calling the accept call, but leave the sockets in the pollset. Won't that mean that the listener thread will loop because the apr_pollset_poll call returns immediately? Modified: httpd/httpd/trunk/server/mpm/event/event.c Modified: httpd/httpd/trunk/server/mpm/event/event.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/mpm/event/event.c?rev=1202256r1=1202255r2=1202256view=diff == --- httpd/httpd/trunk/server/mpm/event/event.c (original) +++ httpd/httpd/trunk/server/mpm/event/event.c Tue Nov 15 15:50:09 2011 
@@ -1533,35 +1533,35 @@ static void * APR_THREAD_FUNC listener_t } } else if (pt-type == PT_ACCEPT) { +int skip_accept = 0; +int connection_count_local = connection_count; connection_count is read/written atomically. While a normal read of a 32bit int is atomic on most architectures, IMHO you cannot assume that this is the case on all architectures. + /* A Listener Socket is ready for an accept() */ if (workers_were_busy) { -if (!listeners_disabled) -disable_listensocks(process_slot); -listeners_disabled = 1; +skip_accept = 1; ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, All workers busy, not accepting new conns in this process); } -else if (apr_atomic_read32(connection_count) threads_per_child +else if (listeners_disabled) { +listeners_disabled = 0; +enable_listensocks(process_slot); +} +else if (connection_count_local threads_per_child + ap_queue_info_get_idlers(worker_queue_info) * worker_factor / WORKER_FACTOR_SCALE) { -if (!listeners_disabled) -disable_listensocks(process_slot); +skip_accept = 1; ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, Too many open connections (%u), not accepting new conns in this process, - apr_atomic_read32(connection_count)); + connection_count_local); ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, ap_server_conf, Idle workers: %u, ap_queue_info_get_idlers(worker_queue_info)); -listeners_disabled = 1; } -else if (listeners_disabled) { -listeners_disabled = 0; -enable_listensocks(process_slot); -} -if (!listeners_disabled) { + +if (skip_accept == 0) { lr = (ap_listen_rec *) pt-baton; ap_pop_pool(ptrans, worker_queue_info);
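Review bot: In the rewritten else-if chain, the "else if (listeners_disabled)" branch now comes before the connection-count test, so on the pass that re-enables the listeners the count is never checked and skip_accept stays 0: one accept goes ahead even if connection_count_local is over the limit. The hunk also removes both places that set listeners_disabled = 1, so unless it is set elsewhere this branch is dead and can be dropped. Either way, the connection-count test should run on every pass.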
[ANNOUNCE] Apache HTTP Server 2.3.15-beta Released
Apache HTTP Server 2.3.15-beta Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.3.15-beta of the Apache HTTP Server (Apache). This version of Apache is our fourth (and likely final) beta release to test new technology and features that are incompatible or too large for the stable 2.2.x branch. This beta release should not be presumed to be compatible with binaries built against any prior or future version.

Apache HTTP Server 2.3.15-beta is available for download from: http://httpd.apache.org/download.cgi

Apache 2.3 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of new features introduced since 2.3 please see: http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.3 file, linked from the download page, for a full list of changes.

This release includes the Apache Portable Runtime (APR) version 1.4.5 and APR-Util version 1.3.12 in a separate -deps tarball. The APR libraries must be upgraded for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.3, and require minimal or no source code changes. http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
Re: [VOTE] Release 2.3.15-beta as beta
On 11/15/2011 11:22 AM, Jim Jagielski wrote:

> I found the post... IMO, this should not hold off the release at this point...

It's beta, they get to keep all the pieces :)

But it suggests the ap_pregsub fix is not ready for 2.2-stable, not until this is rooted out.
Re: [ANNOUNCE] Apache HTTP Server 2.3.15-beta Released
On 11/15/2011 11:31 AM, Jim Jagielski wrote:

> Apache HTTP Server 2.3.15-beta Released
>
> The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.3.15-beta of the Apache HTTP Server (Apache). This version of Apache is our fourth (and likely final) beta release to test new technology and features that are incompatible or too large for the stable 2.2.x branch. This beta release should not be presumed to be compatible with binaries built against any prior or future version.

Wasn't this a security release?
Re: svn commit: r1202257 - in /httpd/httpd/trunk/server/mpm/event: config3.m4 equeue.c equeue.h event.c
On Tue, Nov 15, 2011 at 9:25 AM, Rüdiger Plüm ruediger.pl...@vodafone.com wrote:

Original Message
Subject: svn commit: r1202257 - in /httpd/httpd/trunk/server/mpm/event: config3.m4 equeue.c equeue.h event.c
Date: Tue, 15 Nov 2011 15:51:04 GMT
From: pque...@apache.org

Author: pquerna
Date: Tue Nov 15 15:51:03 2011
New Revision: 1202257
URL: http://svn.apache.org/viewvc?rev=1202257&view=rev
Log: Create a new lock free circular queue, and use it in the EventMPM to remove the timeout mutex that was wrapping both timeout queue operations and pollset operations.

Added: httpd/httpd/trunk/server/mpm/event/equeue.c (with props) httpd/httpd/trunk/server/mpm/event/equeue.h (with props)
Modified: httpd/httpd/trunk/server/mpm/event/config3.m4 httpd/httpd/trunk/server/mpm/event/event.c

Added: httpd/httpd/trunk/server/mpm/event/equeue.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/mpm/event/equeue.c?rev=1202257view=auto == --- httpd/httpd/trunk/server/mpm/event/equeue.c (added) +++ httpd/httpd/trunk/server/mpm/event/equeue.c Tue Nov 15 15:51:03 2011
@@ -0,0 +1,125 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the License); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an AS IS BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include equeue.h + +#include apr_atomic.h +#include sched.h + +struct ap_equeue_t { +apr_uint32_t nelem; +apr_size_t elem_size; +uint8_t *bytes; +volatile apr_uint32_t writeCount; +volatile apr_uint32_t readCount; +}; + + +static APR_INLINE apr_uint32_t count_to_index(ap_equeue_t *eq, apr_uint32_t count) +{ +return (count (eq-nelem - 1)); +} + +static APR_INLINE void* index_to_bytes(ap_equeue_t *eq, apr_uint32_t idx) +{ +apr_size_t offset = idx * eq-elem_size; +return (void*)eq-bytes[offset]; +} + +static APR_INLINE apr_uint32_t nearest_power(apr_uint32_t num) +{ +apr_uint32_t n = 1; +while (n num) { +n = 1; +} + +return n; +} + +#if 0 +static void dump_queue(ap_equeue_t *eq) +{ +apr_uint32_t i; + +fprintf(stderr, dumping %p\n, eq); +fprintf(stderr, nelem: %u\n, eq-nelem); +fprintf(stderr, esize: %APR_SIZE_T_FMT\n, eq-elem_size); +fprintf(stderr, wcnt:%u\n, eq-writeCount); +fprintf(stderr, rcnt:%u\n, eq-writeCount); +fprintf(stderr, bytes: %p\n, eq-bytes); +for (i = 0; i eq-nelem; i++) { +fprintf(stderr, [%u] = %p\n, i, index_to_bytes(eq, i)); +} + +fprintf(stderr, \n); +fflush(stderr); +} +#endif + +apr_status_t +ap_equeue_create(apr_pool_t *p, 
apr_uint32_t nelem, apr_size_t elem_size, ap_equeue_t **eqout) +{ +ap_equeue_t *eq; + +*eqout = NULL; + +eq = apr_palloc(p, sizeof(ap_equeue_t)); +eq-bytes = apr_palloc(p, (1 + nelem) * elem_size); +eq-nelem = nearest_power(nelem); Shouldn't that be +eq-nelem = nearest_power(nelem); +eq-bytes = apr_palloc(p, eq-nelem * elem_size); instead? Otherwise we might allocate too few elements. Whoops! Thanks for spotting this, fixed in r1202329.
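The sizing problem spotted in this exchange, as an added example (not the equeue.c code and not from either post): when slots are addressed with count & (nelem - 1), the buffer has to be sized from the rounded-up power of two, otherwise the mask reaches slots past the end of the allocation. All names here (ring_t, nearest_power_checked, slots_out_of_bounds, ring_create, ring_push, ring_pop) are hypothetical, calloc stands in for the pool allocator, and the queue is single-threaded with no atomics.

```c
/* Added example: sizing a power-of-two ring so the index mask and the
 * allocation always agree. Single-threaded; no atomics. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint32_t nelem;          /* slot count, always a power of two */
    size_t elem_size;
    unsigned char *bytes;
    uint32_t write_count;    /* free-running counters; wrap is harmless */
    uint32_t read_count;     /* because nelem divides 2^32 */
} ring_t;

/* Round up to a power of two. Returns 0 when the result does not fit in
 * 32 bits, where an unguarded "n <<= 1" loop would wrap to 0 and spin. */
static uint32_t nearest_power_checked(uint32_t num)
{
    uint32_t n = 1;
    if (num > UINT32_C(0x80000000))
        return 0;
    while (n < num)
        n <<= 1;
    return n;
}

/* How many slots the mask (pow2 - 1) can address beyond `allocated` slots. */
static uint32_t slots_out_of_bounds(uint32_t requested, uint32_t allocated)
{
    uint32_t pow2 = nearest_power_checked(requested);
    return pow2 > allocated ? pow2 - allocated : 0;
}

/* Size the buffer from the rounded count, with the multiplication checked. */
static int ring_create(ring_t *rq, uint32_t nelem, size_t elem_size)
{
    uint32_t pow2 = nearest_power_checked(nelem);
    if (pow2 == 0 || elem_size == 0 || elem_size > SIZE_MAX / pow2)
        return -1;
    rq->bytes = calloc(pow2, elem_size);
    if (rq->bytes == NULL)
        return -1;
    rq->nelem = pow2;
    rq->elem_size = elem_size;
    rq->write_count = rq->read_count = 0;
    return 0;
}

static void *ring_slot(ring_t *rq, uint32_t count)
{
    return rq->bytes + (size_t)(count & (rq->nelem - 1)) * rq->elem_size;
}

/* Returns 1 on success, 0 if the ring is full. */
static int ring_push(ring_t *rq, const void *elem)
{
    if (rq->write_count - rq->read_count >= rq->nelem)
        return 0;
    memcpy(ring_slot(rq, rq->write_count), elem, rq->elem_size);
    rq->write_count++;
    return 1;
}

/* Returns 1 on success, 0 if the ring is empty. */
static int ring_pop(ring_t *rq, void *out)
{
    if (rq->write_count == rq->read_count)
        return 0;
    memcpy(out, ring_slot(rq, rq->read_count), rq->elem_size);
    rq->read_count++;
    return 1;
}

int main(void)
{
    ring_t rq;
    /* Constructed case: 5 requested slots, buffer sized as (1 + nelem). */
    printf("mask reaches %u slot(s) past a (1 + 5)-slot buffer\n",
           slots_out_of_bounds(5, 1 + 5));
    if (ring_create(&rq, 5, sizeof(int)) == 0) {
        printf("checked create: %u slots allocated\n", rq.nelem);
        free(rq.bytes);
    }
    return 0;
}
```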
Re: svn commit: r1202255 - /httpd/httpd/trunk/modules/filters/mod_reqtimeout.c
On Tue, Nov 15, 2011 at 9:17 AM, Stefan Fritsch s...@sfritsch.de wrote:

> On Tue, 15 Nov 2011, pque...@apache.org wrote:
>
> > Author: pquerna
> > Date: Tue Nov 15 15:49:19 2011
> > New Revision: 1202255
> > URL: http://svn.apache.org/viewvc?rev=1202255&view=rev
> > Log: disable mod_reqtimeout if not configured
>
> Why that? We have just changed the default to be enabled in r1199447 and several developers at the hackathon agreed to this change.

Didn't know it was discussed in depth at the hackathon, and there wasn't any discussion on the list.

It showed up quite quickly in my profiling of the Event MPM, because every pull/push on the filters would cause an apr_time_now() call.

I don't really like that just by loading the module, it changes the behavior and performance of the server so drastically.
Re: svn commit: r1202255 - /httpd/httpd/trunk/modules/filters/mod_reqtimeout.c
On Tuesday 15 November 2011, Paul Querna wrote:

> On Tue, Nov 15, 2011 at 9:17 AM, Stefan Fritsch s...@sfritsch.de wrote:
>
> > On Tue, 15 Nov 2011, pque...@apache.org wrote:
> >
> > > Author: pquerna
> > > Date: Tue Nov 15 15:49:19 2011
> > > New Revision: 1202255
> > > URL: http://svn.apache.org/viewvc?rev=1202255&view=rev
> > > Log: disable mod_reqtimeout if not configured
> >
> > Why that? We have just changed the default to be enabled in r1199447 and several developers at the hackathon agreed to this change.
>
> Didn't know it was discussed in depth at the hackathon, and there wasn't any discussion on the list
>
> It showed up quite quickly in my profiling of the Event MPM, because every pull/push on the filters would cause a apr_time_now() call.
>
> I don't really like that just by loading the module, it changes the behavior and performance of the server so drastically.

It only acts on reads from the client. Normal non-POST requests arrive in one or two packets, which would mean approx. 3 additional apr_time_now calls per request. I haven't done benchmarks, but I can't imagine that this has a drastic impact on performance. And if it costs 1-2%, then that's a small cost compared to the impact of slowloris type attacks which eat lots of memory.

The general intention of the recent changes in default configs and module selection/loading was to make it easier to only load those modules that are really needed, have a reasonable default config, and have the compiled-in default values be the same as those in the example config files.
Re: setting TZ env var
On 15/11/2011 18:06, Paul Querna wrote:
> but is there any objections to the concept of setting the timezone on process startup? This single change gives about a 2% performance boost in my testing.
>
> To merge to trunk I'd like to have it detect your active timezone, instead of forcing UTC+0, but if you changed timezones on your machine, you will need to restart httpd.
>
> Thoughts?

Well, the only 2 use-cases I can see for changing TZs at runtime are:
1) Flight/Travel/Navigation systems, which probably already use UTC for this reason, and
2) Mobile Apps (and maybe, maybe PC apps running on laptops).

So how many mobile apps do we think there are based on httpd and how critical is the timezone (presumably changing at airports, like we just did)?

Issac
Re: svn commit: r1202255 - /httpd/httpd/trunk/modules/filters/mod_reqtimeout.c
On 11/15/2011 12:33 PM, Stefan Fritsch wrote:
> On Tuesday 15 November 2011, Paul Querna wrote:
>> On Tue, Nov 15, 2011 at 9:17 AM, Stefan Fritsch s...@sfritsch.de wrote:
>>> On Tue, 15 Nov 2011, pque...@apache.org wrote:
>>>> Author: pquerna
>>>> Date: Tue Nov 15 15:49:19 2011
>>>> New Revision: 1202255
>>>> URL: http://svn.apache.org/viewvc?rev=1202255&view=rev
>>>> Log: disable mod_reqtimeout if not configured
>>>
>>> Why that? We have just changed the default to be enabled in r1199447 and several developers at the hackathon agreed to this change.
>>
>> Didn't know it was discussed in depth at the hackathon, and there wasn't any discussion on the list.
>>
>> It showed up quite quickly in my profiling of the Event MPM, because every pull/push on the filters would cause an apr_time_now() call. I don't really like that just by loading the module, it changes the behavior and performance of the server so drastically.
>
> It only acts on reads from the client. Normal non-POST requests arrive in one or two packets, which would mean approx. 3 additional apr_time_now calls per request. I haven't done benchmarks, but I can't imagine that this has a drastic impact on performance. And if it costs 1-2%, then that's a small cost compared to the impact of slowloris type attacks which eat lots of memory.
>
> The general intention of the recent changes in default configs and module selection/loading was to make it easier to only load those modules that are really needed, have a reasonable default config, and have the compiled-in default values be the same as those in the example config files.

Which means, build by default, disable by default. I think that keeps everyone happy. When abuse arrives, it's trivial to load.
Re: setting TZ env var
On 11/15/2011 10:06 AM, Paul Querna wrote:
> To merge to trunk I'd like to have it detect your active timezone, instead of forcing UTC+0, but if you changed timezones on your machine, you will need to restart httpd.
>
> Thoughts?

If it did so (extract the correct offset) then I'd be +1. I'm not clear if the zone changes between EDT and EST, but I'd presume the name doesn't and the value does?

OTOH, this causes something of a mess in the server logs. If the user cycles them out between restarts, then sticking to the same time zone for the lifespan of the server seems like a feature, to me.
Re: svn commit: r1202395 - /httpd/httpd/trunk/server/mpm/event/event.c
On Tue, Nov 15, 2011 at 2:38 PM, traw...@apache.org wrote:
> Author: trawick
> Date: Tue Nov 15 19:38:31 2011
> New Revision: 1202395
> URL: http://svn.apache.org/viewvc?rev=1202395&view=rev
> Log: spellcheck r1202258

actually, it needs a little more than that, but I couldn't move forward past the misspelling; I'll fix the two affected error messages

also, I'll fix the config snippet to no longer require APR_POLLSET_THREADSAFE in order to use event; it looks like the addition of APR_POLLSET_WAKEABLE is a non-issue
Re: svn commit: r1202255 - /httpd/httpd/trunk/modules/filters/mod_reqtimeout.c
On Tue, Nov 15, 2011 at 2:32 PM, William A. Rowe Jr. wr...@rowe-clan.net wrote:
> On 11/15/2011 12:33 PM, Stefan Fritsch wrote:
>> On Tuesday 15 November 2011, Paul Querna wrote:
>>> On Tue, Nov 15, 2011 at 9:17 AM, Stefan Fritsch s...@sfritsch.de wrote:
>>>> On Tue, 15 Nov 2011, pque...@apache.org wrote:
>>>>> Author: pquerna
>>>>> Date: Tue Nov 15 15:49:19 2011
>>>>> New Revision: 1202255
>>>>> URL: http://svn.apache.org/viewvc?rev=1202255&view=rev
>>>>> Log: disable mod_reqtimeout if not configured
>>>>
>>>> Why that? We have just changed the default to be enabled in r1199447 and several developers at the hackathon agreed to this change.
>>>
>>> Didn't know it was discussed in depth at the hackathon, and there wasn't any discussion on the list.
>>>
>>> It showed up quite quickly in my profiling of the Event MPM, because every pull/push on the filters would cause an apr_time_now() call. I don't really like that just by loading the module, it changes the behavior and performance of the server so drastically.
>>
>> It only acts on reads from the client. Normal non-POST requests arrive in one or two packets, which would mean approx. 3 additional apr_time_now calls per request. I haven't done benchmarks, but I can't imagine that this has a drastic impact on performance. And if it costs 1-2%, then that's a small cost compared to the impact of slowloris type attacks which eat lots of memory.
>>
>> The general intention of the recent changes in default configs and module selection/loading was to make it easier to only load those modules that are really needed, have a reasonable default config, and have the compiled-in default values be the same as those in the example config files.
>
> Which means, build by default, disable by default. I think that keeps everyone happy. When abuse arrives, it's trivial to load.

Timeout 60 isn't nearly as bad as the old Timeout 300 that is probably still in wide use, but mod_reqtimeout can provide a much more reasonable out of the box configuration. I think we should keep it in place by default.
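The trade-off argued in this thread, as an added example (not code from httpd or from any poster): a small C model of why a per-read idle timeout such as Timeout 60 never fires on a client that trickles header bytes, while an overall header deadline of the kind mod_reqtimeout enforces does. The 20-40 second budget, the 500-byte extension step and the read trace are constructed sample values, and `deadline_drop` is a simplified model, not the module's implementation.

```c
#include <stdio.h>
#include <stddef.h>
/* One read from the client: seconds since accept, bytes delivered. */
struct read_ev { double t; size_t bytes; };

/* Idle timeout in the style of "Timeout 60": the clock restarts on every
 * read. Returns the second the connection is dropped, or -1 if never. */
double idle_drop(const struct read_ev *ev, size_t n, double timeout)
{
    double last = 0.0;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].t - last > timeout) return last + timeout;
        last = ev[i].t;
    }
    return -1.0;
}

/* Simplified deadline model (assumption, not mod_reqtimeout's code): a
 * budget of `initial` seconds for the whole header phase, plus 1 s per
 * `min_rate` bytes received, capped at `max`. */
double deadline_drop(const struct read_ev *ev, size_t n,
                     double initial, double max, size_t min_rate)
{
    double deadline = initial;
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].t > deadline) return deadline;
        total += ev[i].bytes;
        deadline = initial + (double)(total / min_rate);
        if (deadline > max) deadline = max;
    }
    return -1.0;
}

/* Constructed trace: 10 header bytes every 50 s, 20 reads (1000 s total). */
static void slow_trace(struct read_ev *ev, size_t n)
{
    for (size_t i = 0; i < n; i++) { ev[i].t = 50.0 * (i + 1); ev[i].bytes = 10; }
}

double demo_slow_idle(void)     { struct read_ev e[20]; slow_trace(e, 20); return idle_drop(e, 20, 60.0); }
double demo_slow_deadline(void) { struct read_ev e[20]; slow_trace(e, 20); return deadline_drop(e, 20, 20.0, 40.0, 500); }
double demo_normal_deadline(void) { struct read_ev e[1] = {{0.05, 400}}; return deadline_drop(e, 1, 20.0, 40.0, 500); }

int main(void)
{
    printf("slow/idle=%.0f slow/deadline=%.0f normal/deadline=%.0f\n",
           demo_slow_idle(), demo_slow_deadline(), demo_normal_deadline());
    return 0;
}
```

A result of -1 means the connection was never dropped during the trace: the trickling client holds its slot for the full 1000 seconds under the idle timeout, and is cut off at second 20 under the deadline model.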
Re: setting TZ env var
On 11/15/2011 10:06 AM, Paul Querna wrote:
> One way to fix this, is to set the TZ environment variable. For example:
> https://github.com/pquerna/httpd/commit/37e5815a70e88a733cd088398d016803146b545f

Without modifying TZ, what happens to the profiling if a call to tzset() is added at startup?
Re: A bug, apr_os_thread_current() not equal r-connection-current_thread
On 11/15/2011 7:43 AM, zhiguo zhao wrote:
> Hi,
> I failed with this on windows with branch 2.4.x, in a handle hook,
>
>     apr_os_thread_t t = apr_os_thread_current();
>     apr_os_thread_t *t1;
>     apr_os_thread_get(&t1, r->connection->current_thread);
>     printf("EQUALS %d\n", apr_os_thread_equal(t, t1));
>
> I think t and t1 must be equal, but it is not. I think this is a bug, is it?

No, it's not.

    /**
     * Compare two thread id's
     * @param tid1 1st Thread ID to compare
     * @param tid2 2nd Thread ID to compare
     * @return non-zero if the two threads are equal, zero otherwise
     */
    APR_DECLARE(int) apr_os_thread_equal(apr_os_thread_t tid1,
                                         apr_os_thread_t tid2);

This behavior is by design, use the designated comparator.
Re: setting TZ env var
On 15/11/2011 21:35, William A. Rowe Jr. wrote:
> On 11/15/2011 10:06 AM, Paul Querna wrote:
>> To merge to trunk I'd like to have it detect your active timezone, instead of forcing UTC+0, but if you changed timezones on your machine, you will need to restart httpd.
>>
>> Thoughts?
>
> If it did so (extract the correct offset) then I'd be +1. I'm not clear if the zone changes between EDT and EST, but I'd presume the name doesn't and the value does?
>
> OTOH, this causes something of a mess in the server logs. If the user cycles them out between restarts, then sticking to the same time zone for the lifespan of the server seems like a feature, to me.

Well, for me it went beyond saying that the proposal would include a config directive to overwrite the detected system TZ... I'd likely -1 anything that assumed without allowing the user to specify an override.

Issac
Re: setting TZ env var
On 11/15/2011 4:28 PM, Issac Goldstand wrote: I'd likely -1 anything that assumed without allowing the user to specify an override. what on earth is wrong with --- ../httpd-2.x/support/apachectl.in (revision 1198625) +++ ../httpd-2.x/support/apachectl.in (working copy) @@ -44,6 +44,9 @@ # the path to your httpd binary, including options if necessary HTTPD='@exp_sbindir@/@progname@' # +# desired local timezone representation for logs +TZ=GMT+ +# # pick up any necessary environment variables if test -f @exp_sbindir@/envvars; then . @exp_sbindir@/envvars or... SetEnv TZ GMT+ There you go, two mechanisms allowing the user to specify an override Can we quit inventing redundant directives? I'm certainly -1 on such a directive. I'm totally +1 if someone wants to document the appropriate use of the TZ variable. And I'd be very cool with ensuring that we tzset() after allowing conf parsing/SetEnv processing and before forking.
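Review bot: the added `TZ=GMT+` line in support/apachectl.in is a plain assignment with no `export TZ` in the visible hunk, so unless TZ is already present in the caller's environment the httpd binary started by this script will not inherit it; add `export TZ` after the assignment. The assignment also sits above the `. @exp_sbindir@/envvars` include, so a TZ set in envvars replaces it without notice, and the new comment should say which of the two wins. As written, the value `GMT+` carries no offset, so the comment should also state the expected form of the value.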
Re: 2.3.15 RewriteRule P
On Monday 14 November 2011, William A. Rowe Jr. wrote:
> On 11/14/2011 12:31 PM, Steffen wrote:
>> The issue below seems not to be related to SSL.
>>
>> Tested in different non-SSL configs with eg.
>>
>>     RewriteRule /sysadmin(.*) http://%{HTTP_HOST}:81/sysadmin$1 [P,L]
>>
>> And different servers as the back, Sambar, Surge, DManager and Apache.
>>
>> Sometimes it works but mostly it is not passing (good) URL info to the server. Get errors like: requested URL not found, requested file: ()
>>
>> Using the ProxyPass directive, no issues.
>>
>> Same configs are working with 2.2 without issues.
>
> Sounds like a flubup in ap_pregsub_ex?

Not really. mod_rewrite doesn't use ap_pregsub and the only ap_pregsub related change in mod_proxy* would cause an obvious error message to be logged. Also, when Steffen previously reported this I could not reproduce it under Linux (assuming it is still the same issue).
Re: A bug, apr_os_thread_current() not equal r-connection-current_thread
Why not. In mpm\winnt\child.c

    /*
     * worker_main()
     * Main entry point for the worker threads. Worker threads block in
     * win*_get_connection() awaiting a connection to service.
     */
    static DWORD __stdcall worker_main(void *thread_num_val)
    {
        apr_thread_t *thd = NULL;
        apr_os_thread_t osthd;
        static int requests_this_child = 0;
        winnt_conn_ctx_t *context = NULL;
        int thread_num = (int)thread_num_val;
        ap_sb_handle_t *sbh;
        apr_bucket *e;
        int rc;
        conn_rec *c;
        apr_int32_t disconnected;

        /* here get real os thread */
        osthd = apr_os_thread_current();
        /* create a apr_thread_t */
        apr_os_thread_put(&thd, &osthd, pchild);
        /* osthd and thd will not change */

        while (1) {
            ap_update_child_status_from_indexes(0, thread_num, SERVER_READY, NULL);

            /* Grab a connection off the network */
            context = winnt_get_connection(context);
            if (!context) {
                /* Time for the thread to exit */
                break;
            }

            /* Have we hit MaxConnectionsPerChild connections? */
            if (ap_max_requests_per_child) {
                requests_this_child++;
                if (requests_this_child > ap_max_requests_per_child) {
                    SetEvent(max_requests_per_child_event);
                }
            }

            e = context->overlapped.Pointer;

            ap_create_sb_handle(&sbh, context->ptrans, 0, thread_num);
            c = ap_run_create_connection(context->ptrans, ap_server_conf,
                                         context->sock, thread_num, sbh,
                                         context->ba);
            if (!c) {
                /* ap_run_create_connection closes the socket on failure */
                context->accept_socket = INVALID_SOCKET;
                if (e)
                    apr_bucket_free(e);
                continue;
            }

            /* c->current_thread changed, the thd */
            c->current_thread = thd;

            /* follow ap_process_connection(c, context->sock) logic
             * as it left us no chance to reinject our first data bucket.
             */
            ap_update_vhost_given_ip(c);

            rc = ap_run_pre_connection(c, context->sock);
            if (rc != OK && rc != DONE) {
                c->aborted = 1;
            }

            if (e && c->aborted) {
                apr_bucket_free(e);
            }
            else if (e) {
                core_ctx_t *ctx;
                core_net_rec *net;
                ap_filter_t *filt;

                filt = c->input_filters;
                while ((strcmp(filt->frec->name, "core_in") != 0) && filt->next)
                    filt = filt->next;
                net = filt->ctx;
                ctx = net->in_ctx;

                if (net->in_ctx)
                    ctx = net->in_ctx;
                else {
                    ctx = apr_pcalloc(c->pool, sizeof(*ctx));
                    ctx->b = apr_brigade_create(c->pool, c->bucket_alloc);
                    ctx->tmpbb = apr_brigade_create(c->pool, c->bucket_alloc);

                    /* seed the brigade with AcceptEx read heap bucket */
                    e = context->overlapped.Pointer;
                    APR_BRIGADE_INSERT_HEAD(ctx->b, e);

                    /* also seed the brigade with the client socket. */
                    e = apr_bucket_socket_create(net->client_socket,
                                                 c->bucket_alloc);
                    APR_BRIGADE_INSERT_TAIL(ctx->b, e);
                    net->in_ctx = ctx;
                }
            }

            if (!c->aborted) {
                ap_run_process_connection(c);

                apr_socket_opt_get(context->sock, APR_SO_DISCONNECTED,
                                   &disconnected);
                if (!disconnected) {
                    context->accept_socket = INVALID_SOCKET;
                    ap_lingering_close(c);
                }
            }
        }

        ap_update_child_status_from_indexes(0, thread_num, SERVER_DEAD,
                                            (request_rec *) NULL);
        return 0;
    }

2011/11/16 William A. Rowe Jr. wr...@rowe-clan.net
> On 11/15/2011 7:43 AM, zhiguo zhao wrote:
>> Hi,
>> I failed with this on windows with branch 2.4.x, in a handle hook,
>>
>>     apr_os_thread_t t = apr_os_thread_current();
>>     apr_os_thread_t *t1;
>>     apr_os_thread_get(&t1, r->connection->current_thread);
>>     printf("EQUALS %d\n", apr_os_thread_equal(t, t1));
>>
>> I think t and t1 must be equal, but it is not. I think this is a bug, is it?
>
> No, it's not.
>
>     /**
>      * Compare two thread id's
>      * @param tid1 1st Thread ID to compare
>      * @param tid2 2nd Thread ID to compare
>      * @return non-zero if the two threads are equal, zero otherwise
>      */
>     APR_DECLARE(int) apr_os_thread_equal(apr_os_thread_t tid1,
>                                          apr_os_thread_t tid2);
>
> This behavior is by design, use the designated comparator.
Re: A bug, apr_os_thread_current() not equal r-connection-current_thread
Sorry, I made a mistake.

    apr_os_thread_t t = apr_os_thread_current();
    apr_os_thread_t *t1;
    apr_os_thread_get(&t1, r->connection->current_thread);
    printf("EQUALS %d\n", apr_os_thread_equal(t, *t1));

Two different types of data were being compared, so it will fail.
Re: setting TZ env var
On 16/11/2011 01:06, William A. Rowe Jr. wrote: On 11/15/2011 4:28 PM, Issac Goldstand wrote: I'd likely -1 anything that assumed without allowing the user to specify an override. what on earth is wrong with --- ../httpd-2.x/support/apachectl.in (revision 1198625) +++ ../httpd-2.x/support/apachectl.in (working copy) @@ -44,6 +44,9 @@ # the path to your httpd binary, including options if necessary HTTPD='@exp_sbindir@/@progname@' # +# desired local timezone representation for logs +TZ=GMT+ +# # pick up any necessary environment variables if test -f @exp_sbindir@/envvars; then . @exp_sbindir@/envvars or... SetEnv TZ GMT+ There you go, two mechanisms allowing the user to specify an override Can we quit inventing redundant directives? I'm certainly -1 on such a directive. I'm totally +1 if someone wants to document the appropriate use of the TZ variable. And I'd be very cool with ensuring that we tzset() after allowing conf parsing/SetEnv processing and before forking. Good point - that's definitely fair enough, just need to make sure it's documented in the right place. Issac