Re: Do virtual hosts need their own servers?
On Thu, 16 Aug 2001, Jonathan Edwards wrote: Related to this topic, I have a question about multiple instances of Apache. We run two mod_perl enabled sites on two separate IPs. These sites rely on mod_perl heavily. Each site has a unique perl script that handles just about everything. Currently, we only have one instance of Apache running, and I've noticed that the httpd child processes are quite large (up to 32megs!). We've upgraded the RAM on our server twice and now we're at 512, but it seems to be using all of that without a problem. Are these httpd processes so large because they include copies of both perl scripts? Would it be more efficient to set up two instances of Apache, one for each site/IP, and that way each child httpd would only contain one of the two perl scripts? That might help some, but it all depends[tm]. What you really want is to setup a (reverse) proxy process in front of the mod_perl process. Try looking through my slides at http://develooper.com/modperl/ - ask -- ask bjoern hansen, http://ask.netcetera.dk/ !try; do(); more than a billion impressions per week, http://valueclick.com
Re: Do virtual hosts need their own servers?
On Thu, 16 Aug 2001, Dave Baker wrote: [...] p.s. The processes could also be large because of suboptimal coding, Scalability problems are almost never due to bad code and almost always due to bad design. or (if they grow over time) memory leaks ... with possibly that as the exception. :-) - ask -- ask bjoern hansen, http://ask.netcetera.dk/ !try; do(); more than a billion impressions per week, http://valueclick.com
Re: Re: Do virtual hosts need their own servers?
On Mon, Aug 20, 2001 at 01:40:30PM +0800, Stas Bekman wrote: On Thu, 16 Aug 2001, Andy Turner wrote: On Wed, Aug 15, 2001 at 12:54:58PM -0400, Philip Mak wrote: 1. A hacker with access to a virtual host on a mod_perl Apache can steal the Apache::DBI database handles of the other virtual hosts on that Apache. suexec/cgiwrap won't work in mod_perl. The simplest answer is to just not use Apache::DBI. Just use DBI normally. The only draw back is that you don't cache database handles this way. But in many configurations that isn't an issue. Huh? You can read anything from the memory once you are running in the same process, be it Apache::DBI, DBI or your own raw access module. Ahh, I was assuming a DBI handle lexically scoped to the handler subroutine, sorry about the confusion. So long as the handle goes away with the connection you're okay. -- Andy [EMAIL PROTECTED] - http://anime.mikomi.org/ - Community Anime Reviews Thus, though we have heard of stupid haste in war, cleverness has never been seen associated with long delays. -- Sun Tzu, The Art of War
Re: Re: Do virtual hosts need their own servers?
On Mon, 20 Aug 2001, Andy Turner wrote: On Mon, Aug 20, 2001 at 01:40:30PM +0800, Stas Bekman wrote: On Thu, 16 Aug 2001, Andy Turner wrote: On Wed, Aug 15, 2001 at 12:54:58PM -0400, Philip Mak wrote: 1. A hacker with access to a virtual host on a mod_perl Apache can steal the Apache::DBI database handles of the other virtual hosts on that Apache. suexec/cgiwrap won't work in mod_perl. The simplest answer is to just not use Apache::DBI. Just use DBI normally. The only draw back is that you don't cache database handles this way. But in many configurations that isn't an issue. Huh? You can read anything from the memory once you are running in the same process, be it Apache::DBI, DBI or your own raw access module. Ahh, I was assuming a DBI handle lexically scoped to the handler subroutine, sorry about the confusion. it can be lexically scoped, but it doesn't prevent you from reading from memory. It's not easy but possible. But things are even simpler, see below. So long as the handle goes away with the connection you're okay. Your dsn + login/passwd stored in the file are readable by other users, who are in the same group as the server, so you are *NOT* OK. _ Stas Bekman JAm_pH -- Just Another mod_perl Hacker http://stason.org/ mod_perl Guide http://perl.apache.org/guide mailto:[EMAIL PROTECTED] http://localhost/ http://eXtropia.com/ http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
Re: Do virtual hosts need their own servers?
On Thu, 16 Aug 2001, Andy Turner wrote: On Wed, Aug 15, 2001 at 12:54:58PM -0400, Philip Mak wrote: When I have multiple virtual hosts running Apache::ASP (mod_perl), do they need to run their own instance of Apache? I would think so, but that doesn't seem to be you seem to have figured that out... what you're really asking about is how much partitioning can be provided between the two... I've read through http://perl.apache.org/guide/multiuser.html and this is what I've gathered: 1. A hacker with access to a virtual host on a mod_perl Apache can steal the Apache::DBI database handles of the other virtual hosts on that Apache. suexec/cgiwrap won't work in mod_perl. The simplest answer is to just not use Apache::DBI. Just use DBI normally. The only draw back is that you don't cache database handles this way. But in many configurations that isn't an issue. Huh? You can read anything from the memory once you are running in the same process, be it Apache::DBI, DBI or your own raw access module. _ Stas Bekman JAm_pH -- Just Another mod_perl Hacker http://stason.org/ mod_perl Guide http://perl.apache.org/guide mailto:[EMAIL PROTECTED] http://localhost/ http://eXtropia.com/ http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
Re: Do virtual hosts need their own servers?
Hi there, On Wed, 15 Aug 2001, Philip Mak wrote: When I have multiple virtual hosts running Apache::ASP (mod_perl), do they need to run their own instance of Apache? If one Apache is listening to port 80 then no others can. This is why you will get an error message when you try to start an Apache when there is already one listening on the port(s) that the newly starting Apache tries to bind to. If you want to run more than one Apache server instance then they all have to listen on different ports. So you could for example do some URL-based redirecting with a proxy listening on 80 and handing requests to other instances which are listening on other ports, or something like that - a bit like having a light/heavy server pair (see the Guide) but for different reasons. and the webmasters of the different virtual hosts trust each other, then is it safe to [snip] 'Trust' and 'Safe' are interesting concepts on the Web. 'Suspect' and 'dangerous' are more likely. 73, Ged.
Re: Do virtual hosts need their own servers?
On Thu, Aug 16, 2001 at 06:47:23PM +0100, Ged Haywood wrote: Hi there, On Wed, 15 Aug 2001, Philip Mak wrote: When I have multiple virtual hosts running Apache::ASP (mod_perl), do they need to run their own instance of Apache? If one Apache is listening to port 80 then no others can. This is why you will get an error message when you try to start an Apache when there is already one listening on the port(s) that the newly starting Apache tries to bind to. If you want to run more than one Apache server instance then they all have to listen on different ports. So you could for example do some URL-based redirecting with a proxy listening on 80 and handing requests to other instances which are listening on other ports, or something like that - a bit like having a light/heavy server pair (see the Guide) but for different reasons. Only one instance of apache can bind to the same port *on the same IP*. By having one server answer to multiple IP addresses (on one or many network interface cards) you can have as many apache instances as you have IP addresses (not forgetting 127.0.0.1 if you're so inclined). Depending on the O/S you may also consider (I have and have dismissed it as too troublesome) running apache on different ports and using transparent port mapping such that -- IP address 1 : 80 -- local port 8000 -- IP address 2 : 80 -- local port 8001 -- IP address 3 : 80 -- local port 8002 Dave -- - Dave Baker : [EMAIL PROTECTED] : [EMAIL PROTECTED] : http://dsb3.com/ - GnuPG: 1024D/D7BCA55D / 09CD D148 57DE 711E 6708 B772 0DD4 51D5 D7BC A55D
Re: Do virtual hosts need their own servers?
Hi there, On Thu, 16 Aug 2001, Jonathan Edwards wrote: Related to this topic, I have a question about multiple instances of Apache. We run two mod_perl enabled sites on two separate IPs. These sites rely on mod_perl heavily. Each site has a unique perl script that handles just about everything. Currently, we only have one instance of Apache running, and I've noticed that the httpd child processes are quite large (up to 32megs!). We've upgraded the RAM on our server twice and now we're at 512, but it seems to be using all of that without a problem. Are these httpd processes so large because they include copies of both perl scripts? Would it be more efficient to set up two instances of Apache, one for each site/IP, and that way each child httpd would only contain one of the two perl scripts? You can experiment but I wouldn't hold out great hopes of miracles. It could be that there's a lot of bloat from modules that you use, so you can find that even an apparently small script makes your Apache children grow alarmingly. Another common fault - if you can call it a fault - is the abuse of Perl's willingness to read huge data structures into RAM. It's sometimes the result of quick-n-dirty coding techniques at the prototype stage finding their way into user-facing code. You might also find that a large fraction of the RAM used by Apache is shared so effectively it doesn't matter. Do the processes start off much smaller and grow over time? If so it might be worth cutting down on MaxRequestsPerChild to see what happens. There's a good section about tuning in the Guide, it covers the sharing issues too. http://perl.apache.org/guide (forgive me if you've read it already:). 73, Ged.
Re: Do virtual hosts need their own servers?
On Thu, Aug 16, 2001 at 12:13:37PM -0600, Jonathan Edwards wrote: Related to this topic, I have a question about multiple instances of Apache. We run two mod_perl enabled sites on two separate IPs. These sites rely on mod_perl heavily. Each site has a unique perl script that handles just about everything. Currently, we only have one instance of Apache running, and I've noticed that the httpd child processes are quite large (up to 32megs!). We've upgraded the RAM on our server twice and now we're at 512, but it seems to be using all of that without a problem. Are these httpd processes so large because they include copies of both perl scripts? Would it be more efficient to set up two instances of Apache, one for each site/IP, and that way each child httpd would only contain one of the two perl scripts? Compare the memory requirement two sets of perl scripts against the memory requirement of doubling the total number of apache processes. My personal opinion is that the latter will be a lot more expensive in resources. You might do better do work to optimize/minimize the total number of mod_perl instances (separate, lightweight server for images and static content; turn off keep_alive unless it's definately giving positive results; etc). How many apache children do you normally have running at any given time? Dave p.s. The processes could also be large because of suboptimal coding, or (if they grow over time) memory leaks p.p.p.s. love the palm pilot cases ... -- - Dave Baker : [EMAIL PROTECTED] : [EMAIL PROTECTED] : http://dsb3.com/ - GnuPG: 1024D/D7BCA55D / 09CD D148 57DE 711E 6708 B772 0DD4 51D5 D7BC A55D
Re: Do virtual hosts need their own servers?
How many apache children do you normally have running at any given time? Apache is set to: MaxKeepAliveRequests 200 KeepAliveTimeout 15 MinSpareServers 5 MaxSpareServers 10 StartServers 10 MaxClients 512 MaxRequestsPerChild 200 Is that to say that the max number of children is 20 (StartServers + MaxSpareServers) or 512 (MaxClients) I am just starting to learn about having a light server to perform all static functions. As you may have seen on the site, there are a lot of images. The images are stored in a MySQL database, and the mod_perl script requests them. Is my understanding correnct that I can set up a server to deal with all of the mod_perl scripting requests, and have a separate server that deals exclusively with displaying images and other static content? I'm a little confused, but it sounds like a pretty sweet deal. Jon - Original Message - From: Dave Baker [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: Jonathan Edwards [EMAIL PROTECTED] Sent: Thursday, August 16, 2001 12:24 PM Subject: Re: Do virtual hosts need their own servers? On Thu, Aug 16, 2001 at 12:13:37PM -0600, Jonathan Edwards wrote: Related to this topic, I have a question about multiple instances of Apache. We run two mod_perl enabled sites on two separate IPs. These sites rely on mod_perl heavily. Each site has a unique perl script that handles just about everything. Currently, we only have one instance of Apache running, and I've noticed that the httpd child processes are quite large (up to 32megs!). We've upgraded the RAM on our server twice and now we're at 512, but it seems to be using all of that without a problem. Are these httpd processes so large because they include copies of both perl scripts? Would it be more efficient to set up two instances of Apache, one for each site/IP, and that way each child httpd would only contain one of the two perl scripts? Compare the memory requirement two sets of perl scripts against the memory requirement of doubling the total number of apache processes. My personal opinion is that the latter will be a lot more expensive in resources. You might do better do work to optimize/minimize the total number of mod_perl instances (separate, lightweight server for images and static content; turn off keep_alive unless it's definately giving positive results; etc). How many apache children do you normally have running at any given time? Dave p.s. The processes could also be large because of suboptimal coding, or (if they grow over time) memory leaks p.p.p.s. love the palm pilot cases ... -- - Dave Baker : [EMAIL PROTECTED] : [EMAIL PROTECTED] : http://dsb3.com/ - GnuPG: 1024D/D7BCA55D / 09CD D148 57DE 711E 6708 B772 0DD4 51D5 D7BC A55D
Re: Do virtual hosts need their own servers?
On Thu, 16 Aug 2001 14:24:50 -0400 Dave Baker [EMAIL PROTECTED] wrote: Compare the memory requirement two sets of perl scripts against the memory requirement of doubling the total number of apache processes. My personal opinion is that the latter will be a lot more expensive in resources. You might do better do work to optimize/minimize the total number of mod_perl instances (separate, lightweight server for images and static content; turn off keep_alive unless it's definately giving positive results; etc). Yes, do turn OFF keep_alive. This has the benefit of freeing up heavyweight mod_perl processes sooner. I do this, and serve graphics from a separate, lightweight server (thttpd), so I get the best of both worlds. I'm able to keep the number of mod_perl processes under 15, while still serving 40 hit per second, because the bulk of the hits are on graphics, where a full mod_perl server process is just a waste. -- Jay Thorne Manager, Systems Technology, UserFriendly Media, Inc. http://www.userfriendly.org/
Re: Do virtual hosts need their own servers?
Hi there, On Thu, 16 Aug 2001, Jonathan Edwards wrote: Apache is set to: StartServers 10 MaxClients 512 Is that to say that the max number of children is 20 (StartServers + MaxSpareServers) or 512 (MaxClients) MaxClients. But if you have 10M unshared in each child and only 500M of RAM you'll never get there, the machine will just grind to a halt as it starts to swap processes to and from disc. You really need to think hard about the settings. Read the docs. I am just starting to learn about having a light server to perform all static functions. [snip] have a separate server that deals exclusively with displaying images and other static content? I'm a little confused, but it sounds like a pretty sweet deal. You'll be a lot less confused after you've read the Guide a few times. http://perl.apache.org/guide 73, Ged.
Re: Do virtual hosts need their own servers?
On Wed, 15 Aug 2001, Philip Mak wrote: When I have multiple virtual hosts running Apache::ASP (mod_perl), do they need to run their own instance of Apache? I've read through http://perl.apache.org/guide/multiuser.html and this is what I've gathered: 1. A hacker with access to a virtual host on a mod_perl Apache can steal the Apache::DBI database handles of the other virtual hosts on that Apache. suexec/cgiwrap won't work in mod_perl. this is true for anything that can be snooped. Apache::DBI is just an example. You don't even have to snoop, you have to run under the same uid/gid, which means you can just read the source code. 2. Scripts from one virtual host can call a script with the same path from the other virtual host. Setting $Apache::Registry::NameWithVirtualHost to 1 in startup.pl gets around this problem. So, it sounds like if I set $Apache::Registry::NameWithVirtualHost to 1, and the webmasters of the different virtual hosts trust each other, then it is safe to put them on the same Apache? yes. _ Stas Bekman JAm_pH -- Just Another mod_perl Hacker http://stason.org/ mod_perl Guide http://perl.apache.org/guide mailto:[EMAIL PROTECTED] http://localhost/ http://eXtropia.com/ http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
