Re: Host name lookups are Off but...

2002-04-03 Thread Medi Montaseri 

You can also configure your HTTP server to be a DNS cache server and have it
resolve against itself.  See if this will change your performance.

Per Einar Ellefsen wrote:

> At 19:46 03.04.2002, kyle dawkins wrote:
> >Hi all
> >
> >We have a mod_perl server that's under constant heavy load.  In our Apache
> >config we have switched HostnameLookups off using
> >
> >HostnameLookups off
> >
> >and for the most part, it seems to work.  However, any check of the logs or
> >/server-status shows that the server is *still* doing reverse-lookup of some
> >addresses.  Often, a number of apache processes show up as "D" in
> >/server-status, and it's pretty clear that it's slowing things down.
> >
> >Does anyone have any idea what might be causing this?  Could it be something
> >in the mod_perl config?  Nowhere in any of our code do we do hostname
> >resolution and for the most part couldn't care less what host/ip people come
> >from.
> >
> >Sorry if this is the wrong list but I have a sneaking suspicion there's
> >something about our mod_perl config that's affecting it.
> >
> >RTFM's are welcome...  I already tried but maybe I missed something.
>
> This has nothing to do with mod_perl and can't even be affected by
> HostnameLookups. I guess you're protecting your /server-status URI by an
> `Allow' or `Deny' directive. mod_access performs reverse lookups to check
> these values, for security. From the HostnameLookups docs
> 
>
>  Regardless of the setting, when mod_access is used for controlling
> access by hostname, a double reverse lookup will be performed. This is
> necessary for security. Note that the result of this double-reverse
> isn't generally available unless you set HostnameLookups double. For
> example, if only HostnameLookups on and a request is made to an
> object   that is protected by hostname restrictions, regardless of
> whether the double-reverse fails or not, CGIs will still be passed the
> single-reverse result in REMOTE_HOST.
>
> There you go, RTFM :)
>
> I wouldn't be too worried about any "performance hits" from /server-status:
> this shouldn't be used too often, only by you or the other developers, so
> do you really think it's a problem?
>
> --
> Per Einar Ellefsen
> [EMAIL PROTECTED]

--
-
Medi Montaseri   [EMAIL PROTECTED]
Unix Distributed Systems EngineerHTTP://www.CyberShell.com
CyberShell Engineering
-

RE: Host name lookups are Off but...

2002-04-03 Thread Rob Bloodgood 

> We have a mod_perl server that's under constant heavy load.  In
> our Apache
> config we have switched HostnameLookups off using
>
> HostnameLookups off
>
> and for the most part, it seems to work.  However, any check of
> the logs or
> /server-status shows that the server is *still* doing
> reverse-lookup of some
> addresses.  Often, a number of apache processes show up as "D" in
> /server-status, and it's pretty clear that it's slowing things down.
>
> Does anyone have any idea what might be causing this?  Could it
> be something
> in the mod_perl config?  Nowhere in any of our code do we do hostname
> resolution and for the most part couldn't care less what host/ip
> people come
> from.
>
> Sorry if this is the wrong list but I have a sneaking suspicion there's
> something about our mod_perl config that's affecting it.
>
> RTFM's are welcome...  I already tried but maybe I missed something.

This one bit me a couple of years ago.  *IN MY CASE* it was incorrect usage
of the Allow/Deny, I specified
Allow from all
Deny from none

The problem was, the webserver doesn't recognize "none" as a special value
like it does for "all"... so "none" became a hostname,

*** which enabled HostNameLookups for the whole webserver. ***

Look in every single place where you have access control by ip/hostname.
Make sure there are no hostnames, only ip.  Once Apache turns on
HostnameLookups, it's global.

HTH!

L8r,
Rob


#!/usr/bin/perl -w
use Disclaimer qw/:standard/;

Re: Host name lookups are Off but...

2002-04-03 Thread Per Einar Ellefsen 

At 19:46 03.04.2002, kyle dawkins wrote:
>Hi all
>
>We have a mod_perl server that's under constant heavy load.  In our Apache
>config we have switched HostnameLookups off using
>
>HostnameLookups off
>
>and for the most part, it seems to work.  However, any check of the logs or
>/server-status shows that the server is *still* doing reverse-lookup of some
>addresses.  Often, a number of apache processes show up as "D" in
>/server-status, and it's pretty clear that it's slowing things down.
>
>Does anyone have any idea what might be causing this?  Could it be something
>in the mod_perl config?  Nowhere in any of our code do we do hostname
>resolution and for the most part couldn't care less what host/ip people come
>from.
>
>Sorry if this is the wrong list but I have a sneaking suspicion there's
>something about our mod_perl config that's affecting it.
>
>RTFM's are welcome...  I already tried but maybe I missed something.

This has nothing to do with mod_perl and can't even be affected by 
HostnameLookups. I guess you're protecting your /server-status URI by an 
`Allow' or `Deny' directive. mod_access performs reverse lookups to check 
these values, for security. From the HostnameLookups docs 


 Regardless of the setting, when mod_access is used for controlling 
access by hostname, a double reverse lookup will be performed. This is 
necessary for security. Note that the result of this double-reverse 
isn't generally available unless you set HostnameLookups double. For 
example, if only HostnameLookups on and a request is made to an 
object   that is protected by hostname restrictions, regardless of 
whether the double-reverse fails or not, CGIs will still be passed the 
single-reverse result in REMOTE_HOST.

There you go, RTFM :)

I wouldn't be too worried about any "performance hits" from /server-status: 
this shouldn't be used too often, only by you or the other developers, so 
do you really think it's a problem?


-- 
Per Einar Ellefsen
[EMAIL PROTECTED]

Host name lookups are Off but...

2002-04-03 Thread kyle dawkins 

Hi all

We have a mod_perl server that's under constant heavy load.  In our Apache 
config we have switched HostnameLookups off using

HostnameLookups off

and for the most part, it seems to work.  However, any check of the logs or 
/server-status shows that the server is *still* doing reverse-lookup of some 
addresses.  Often, a number of apache processes show up as "D" in 
/server-status, and it's pretty clear that it's slowing things down.

Does anyone have any idea what might be causing this?  Could it be something 
in the mod_perl config?  Nowhere in any of our code do we do hostname 
resolution and for the most part couldn't care less what host/ip people come 
from.

Sorry if this is the wrong list but I have a sneaking suspicion there's 
something about our mod_perl config that's affecting it. 

RTFM's are welcome...  I already tried but maybe I missed something.

Cheers

Kyle Dawkins
Systems Engineer
Central Park Software
http://www.centralparksoftware.com






*** IMPORTANT ! **
The content of this email and any attachments are confidential and intended
for the named recipient(s) only.

If you have received this email in error please notify the sender immediately.
Do not disclose the content of this message or make copies.

This email was scanned by eSafe Mail for viruses, vandals  and other
malicious content.
**