Host name lookups are Off but...
Hi all

We have a mod_perl server that's under constant heavy load. In our Apache config we have switched HostnameLookups off using

    HostnameLookups off

and for the most part, it seems to work. However, any check of the logs or /server-status shows that the server is *still* doing reverse-lookup of some addresses. Often, a number of apache processes show up as D in /server-status, and it's pretty clear that it's slowing things down.

Does anyone have any idea what might be causing this? Could it be something in the mod_perl config? Nowhere in any of our code do we do hostname resolution and for the most part couldn't care less what host/ip people come from.

Sorry if this is the wrong list but I have a sneaking suspicion there's something about our mod_perl config that's affecting it. RTFM's are welcome... I already tried but maybe I missed something.

Cheers

Kyle Dawkins
Systems Engineer
Central Park Software
http://www.centralparksoftware.com

Re: Host name lookups are Off but...
At 19:46 03.04.2002, kyle dawkins wrote:
> Hi all
>
> We have a mod_perl server that's under constant heavy load. In our Apache config we have switched HostnameLookups off using
>
>     HostnameLookups off
>
> and for the most part, it seems to work. However, any check of the logs or /server-status shows that the server is *still* doing reverse-lookup of some addresses. Often, a number of apache processes show up as D in /server-status, and it's pretty clear that it's slowing things down.
>
> Does anyone have any idea what might be causing this? Could it be something in the mod_perl config? Nowhere in any of our code do we do hostname resolution and for the most part couldn't care less what host/ip people come from.
>
> Sorry if this is the wrong list but I have a sneaking suspicion there's something about our mod_perl config that's affecting it. RTFM's are welcome... I already tried but maybe I missed something.

This has nothing to do with mod_perl and can't even be affected by HostnameLookups. I guess you're protecting your /server-status URI by an `Allow' or `Deny' directive. mod_access performs reverse lookups to check these values, for security.

From the HostnameLookups docs
http://httpd.apache.org/docs-2.0/mod/core.html#hostnamelookups

    Regardless of the setting, when mod_access is used for controlling access by hostname, a double reverse lookup will be performed. This is necessary for security. Note that the result of this double-reverse isn't generally available unless you set HostnameLookups double. For example, if only HostnameLookups on and a request is made to an object that is protected by hostname restrictions, regardless of whether the double-reverse fails or not, CGIs will still be passed the single-reverse result in REMOTE_HOST.

There you go, RTFM :)

I wouldn't be too worried about any performance hits from /server-status: this shouldn't be used too often, only by you or the other developers, so do you really think it's a problem?

--
Per Einar Ellefsen
[EMAIL PROTECTED]

RE: Host name lookups are Off but...
> We have a mod_perl server that's under constant heavy load. In our Apache config we have switched HostnameLookups off using
>
>     HostnameLookups off
>
> and for the most part, it seems to work. However, any check of the logs or /server-status shows that the server is *still* doing reverse-lookup of some addresses. Often, a number of apache processes show up as D in /server-status, and it's pretty clear that it's slowing things down.
>
> Does anyone have any idea what might be causing this? Could it be something in the mod_perl config? Nowhere in any of our code do we do hostname resolution and for the most part couldn't care less what host/ip people come from.
>
> Sorry if this is the wrong list but I have a sneaking suspicion there's something about our mod_perl config that's affecting it. RTFM's are welcome... I already tried but maybe I missed something.

This one bit me a couple of years ago. *IN MY CASE* it was incorrect usage of the Allow/Deny, I specified

    Allow from all
    Deny from none

The problem was, the webserver doesn't recognize none as a special value like it does for all... so none became a hostname,

*** which enabled HostNameLookups for the whole webserver. ***

Look in every single place where you have access control by ip/hostname. Make sure there are no hostnames, only ip. Once Apache turns on HostnameLookups, it's global.

HTH!

L8r,
Rob

#!/usr/bin/perl -w
use Disclaimer qw/:standard/;

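Added example, not part of the original thread: a small Python audit for the check suggested in the message above, listing every Allow/Deny from argument that is not `all`, `env=...` or an address and would therefore be handled as a host name. The sample configuration and the function names are constructed for illustration, and the address test only approximates Apache's own parsing.

```python
import ipaddress
import re

# "Allow from ..." / "Deny from ..." lines as used by mod_access.
DIRECTIVE = re.compile(r"^\s*(allow|deny)\s+from\s+(.+?)\s*$", re.IGNORECASE)
# Partial IPv4 address: the first one to three octets, e.g. "10." or "192.168".
PARTIAL_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){0,2}\.?$")

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """\
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24 10. admin.example.com
</Location>
<Directory /var/www/html>
    Order allow,deny
    Allow from all
    Deny from none
</Directory>
"""

def is_address(token):
    """True for a full or partial IP, a CIDR block or a network/netmask pair."""
    if PARTIAL_IP.match(token):
        return True
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def find_hostname_rules(config_text):
    """Return (line_no, directive, token) for arguments treated as host names."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        for token in match.group(2).split():
            lowered = token.lower()
            if lowered == "all" or lowered.startswith("env="):
                continue  # special values, no DNS involved
            if not is_address(token):
                findings.append((line_no, match.group(1).capitalize(), token))
    return findings

if __name__ == "__main__":
    for line_no, directive, token in find_hostname_rules(SAMPLE_CONF):
        print(f"line {line_no}: {directive} from {token} -> treated as a host name")
```
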
Re: Host name lookups are Off but...
You can also configure your HTTP server to be a DNS cache server and have it resolve against itself. See if this will change your performance.

Per Einar Ellefsen wrote:
> At 19:46 03.04.2002, kyle dawkins wrote:
> > Hi all
> >
> > We have a mod_perl server that's under constant heavy load. In our Apache config we have switched HostnameLookups off using
> >
> >     HostnameLookups off
> >
> > and for the most part, it seems to work. However, any check of the logs or /server-status shows that the server is *still* doing reverse-lookup of some addresses. Often, a number of apache processes show up as D in /server-status, and it's pretty clear that it's slowing things down.
> >
> > Does anyone have any idea what might be causing this? Could it be something in the mod_perl config? Nowhere in any of our code do we do hostname resolution and for the most part couldn't care less what host/ip people come from.
> >
> > Sorry if this is the wrong list but I have a sneaking suspicion there's something about our mod_perl config that's affecting it. RTFM's are welcome... I already tried but maybe I missed something.
>
> This has nothing to do with mod_perl and can't even be affected by HostnameLookups. I guess you're protecting your /server-status URI by an `Allow' or `Deny' directive. mod_access performs reverse lookups to check these values, for security.
>
> From the HostnameLookups docs
> http://httpd.apache.org/docs-2.0/mod/core.html#hostnamelookups
>
>     Regardless of the setting, when mod_access is used for controlling access by hostname, a double reverse lookup will be performed. This is necessary for security. Note that the result of this double-reverse isn't generally available unless you set HostnameLookups double. For example, if only HostnameLookups on and a request is made to an object that is protected by hostname restrictions, regardless of whether the double-reverse fails or not, CGIs will still be passed the single-reverse result in REMOTE_HOST.
>
> There you go, RTFM :)
>
> I wouldn't be too worried about any performance hits from /server-status: this shouldn't be used too often, only by you or the other developers, so do you really think it's a problem?
>
> --
> Per Einar Ellefsen
> [EMAIL PROTECTED]

--
Medi Montaseri [EMAIL PROTECTED]
Unix Distributed Systems Engineer
HTTP://www.CyberShell.com
CyberShell Engineering