Re: Growing Up

2007-04-17 Thread Clinton Gormley
> switch to a lightweight proxy + httpd on port 80.  i like nginx
> because it's had much fewer critical bugs than lighttpd.  others like
> lighty.  either will be fine - they'll free up apache to deal with
> content generation and you'll see a ginormous performance boost off
> that.  you could use squid or pound for similar tasks, but they're a
> PITA to configure and maintain

Must disagree with you about pound http://www.apsis.ch/pound/index_html
being a PITA to configure and maintain.

Pound is really easy to configure, fast as all hell, and just never goes
down.  I've been using it for about 3 years now and I've never ever had
a problem with it.

Just a point of clarification, with reference to this email:
http://marc.info/?l=apache-modperl&m=117595808501296&w=2
(File Uploads using MP2 best practises):

is it reasonable to serve your static files from a mod_perl server, as
long as you have a proxy/pound/squid in front?

My understanding is that the cost of using your mod_perl server to serve
static files is the amount of time that a slow request would tie them
up.  However, if your requests are all fast, because your proxy handles
the slow part, then this ceases to be an issue.  Am I correct in this
assumption?

I have a bunch of mod_perl servers behind a single pound proxy (plus
failover), and they share the uploaded images via NFS currently,
although I'm considering moving to iSCSI with OCFS2 when I am convinced
of its stability.

Any views on this?

thanks

Clint



RE: Insecure dependency in eval while running setgid error

2007-04-17 Thread Sagar.Shah
Hi Charlie, 

> -Original Message-
> From: Charlie Katz [mailto:[EMAIL PROTECTED]
> Sent: 30 March 2007 19:00
> To: modperl@perl.apache.org
> Cc: Perrin Harkins; Shah, Sagar: IT (LDN);
> [EMAIL PROTECTED]; [EMAIL PROTECTED]; Client Research Development
> Subject: Re: Insecure dependency in eval while running setgid error
>
> Hi All,
>
> I've been following this discussion closely because I had what seems to
> be the same problem Sagar is having.
>
> On Friday 30 March 2007 12:19 pm, Perrin Harkins wrote:
> > This might be a silly question, but what makes you think this has to
> > do with tainting?  If it was a taint problem, wouldn't it say
> > "Insecure dependency in eval while running with -T switch"?  It's
> > complaining about "eval while running setgid".  (I know you said you
> > aren't running setgid, but I think you should be trying to figure out
> > why it thinks it's setgid, not why something is tainted.)
>
> I was initially on-board with Sagar about this being a taint-checker
> problem, but Perrin makes a pretty good point: it *is* rather suggestive
> that the insecure dependency message refers to "while running setgid" at
> the same time that the server reports GID-EGID mismatch due to a
> nonsensical EGID.  I checked and found that my server displays the EGID
> problem as well, so decided to take Perrin's advice and investigate this
> first.
>
> I ran ps, which showed that the httpd processes all have their GID
> matching their EGID.  Then I checked in perl by reporting the GID and
> EGID from the parent and children and found that the nonsensical EGID
> appears in the children when they are spawned (or at least in the
> PerlChildInitHandler).  This seems to localize the problem to mod_perl.
>
> I started grepping around in the mod_perl source code (I have 2.0.2) and
> found this in modperl_perl.c:
>
> --
> static void modperl_perl_ids_get(modperl_perl_ids_t *ids)
> {
>     ids->pid  = (I32)getpid();
> #ifdef MP_MAINTAIN_PPID
>     ids->ppid = (I32)getppid();
> #endif
> #ifndef WIN32
>     ids->uid  = getuid();
>     ids->euid = geteuid();
>     ids->gid  = getgid();
>     ids->gid  = getegid();  /* gid assigned twice; egid is never set */
> --
> I changed that last line to
>
>     ids->egid = getegid();
>
> then rebuilt/reinstalled/restarted, and the EGID problem is gone.
>
> I checked the 2.0.3 source and found this already fixed there.
>
> Sagar, can you try the same thing with your server?  Perhaps the
> tainting problem will just disappear once this bug is fixed.


Sorry for the delayed reply, I had been on leave and had asked the other 
members of my team to continue to look into this and feed back to the list, but 
as soon as they had started looking into the issue they were asked to work on 
something higher priority ;-)

As Fred said, great catch.

The initial feeling in our team was that because we're explicitly switching 
taint mode on, all this fix will do is change the error message from "in eval 
while running setgid" to something else as per the if/else block in taint.c.   
That said, given that there was quite a gap between 2.0.2 and 2.0.3, I think your 
suggestion is still worth trying. This or other fixes might indirectly resolve 
the issue and it's always best practice to try and repeat what appears to be a 
bug against the latest version of the software. The only reason we held off 
from doing this initially was that there wasn't anything in the changes file 
that seemed connected, but as you've shown there are other smaller changes 
included also.

I'll report back with how I get on.

Many thanks to you and everyone else that's contributed to this thread for your 
continuing support and suggestions.


Regards


Sagar
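
The failure mode discussed in this thread, as an added example that is not code from mod_perl, from Perl or from any poster: a getter that never fills in egid leaves stale data there, and a check that compares gid with egid then reports "setgid". The names ids_t, taint_suffix and suffix_after and the 0xA5 fill byte are hypothetical, taint_suffix is a simplified model of the if/else in taint.c mentioned above, and the process is assumed to run without real setuid/setgid bits.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical stand-in for modperl_perl_ids_t: only the fields at issue. */
typedef struct {
    uid_t uid, euid;
    gid_t gid, egid;
} ids_t;

/* Constructed fill byte standing in for whatever stale data the struct held. */
#define STALE_BYTE 0xA5

/* Behaviour quoted from 2.0.2: gid is assigned twice, egid never. */
static void ids_get_buggy(ids_t *ids)
{
    ids->uid  = getuid();
    ids->euid = geteuid();
    ids->gid  = getgid();
    ids->gid  = getegid();
}

/* The one-line change from the thread. */
static void ids_get_fixed(ids_t *ids)
{
    ids->uid  = getuid();
    ids->euid = geteuid();
    ids->gid  = getgid();
    ids->egid = getegid();
}

/* Simplified model: the message suffix comes from the first id pair that
 * disagrees; with both pairs equal, only an explicit -T explains tainting. */
static const char *taint_suffix(const ids_t *ids)
{
    if (ids->uid != ids->euid) return "while running setuid";
    if (ids->gid != ids->egid) return "while running setgid";
    return "while running with -T switch";
}

/* Pre-fill the struct with stale bytes, run one getter, report the suffix. */
static const char *suffix_after(void (*getter)(ids_t *))
{
    ids_t ids;
    memset(&ids, STALE_BYTE, sizeof ids);
    getter(&ids);
    return taint_suffix(&ids);
}

int main(void)
{
    printf("2.0.2 getter: Insecure dependency in eval %s\n",
           suffix_after(ids_get_buggy));
    printf("fixed getter: Insecure dependency in eval %s\n",
           suffix_after(ids_get_fixed));
    return 0;
}
```

The second line of output matches the expectation stated above that, with taint mode switched on explicitly, the fix changes the wording of the error and does not by itself remove it.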






Re: too many connections

2007-04-17 Thread Perrin Harkins

On 4/16/07, Kelvin Wu [EMAIL PROTECTED] wrote:

> but noticed sometimes cpu usage goes up to 30, and there are 80 httpd...
> can't even log into mysql because 'too many connections', have to restart
> apache and mysql.


Have you set MaxClients on your mod_perl server to something that
won't cause your machine to go into swap?  You can read about it here:
http://modperlbook.org/

While you're there, read about setting up a reverse proxy server too.

You should set max_connections on MySQL high enough that the number of
clients in MaxClients will be able to connect.

You should also check to make sure you are only using one connection
per httpd process.  You can just count the number of processes and
check the number of connections in MySQL.


> i guess some 'bad' queries caused table locked? how to capture 'bad'
> queries?


You can use the tool innotop to help see what's locked:
http://www.xaprb.com/blog/2006/07/02/innotop-mysql-innodb-monitor/

If you are using MyISAM tables, you should consider switching to
InnoDB to avoid locking problems.  You should also consider using the
READ COMMITTED isolation level with InnoDB instead of the default
REPEATABLE READ.

- Perrin


Re: Growing Up

2007-04-17 Thread Jonathan Vanasco


On Apr 17, 2007, at 3:55 AM, Clinton Gormley wrote:


> Must disagree with you about pound http://www.apsis.ch/pound/index_html
> being a PITA to configure and maintain.
>
> Pound is really easy to configure, fast as all hell, and just never goes
> down.  I've been using it for about 3 years now and I've never ever had
> a problem with it.


if it's working for you, great ;)
I had some issues when I first tried it, then leaned to nginx which  
can handle proxy+loadbalancing and serving static content as well.




> Just a point of clarification, with reference to this email:
> http://marc.info/?l=apache-modperl&m=117595808501296&w=2
> (File Uploads using MP2 best practises):
>
> is it reasonable to serve your static files from a mod_perl server, as
> long as you have a proxy/pound/squid in front?
>
> My understanding is that the cost of using your mod_perl server to serve
> static files is the amount of time that a slow request would tie them
> up.  However, if your requests are all fast, because your proxy handles
> the slow part, then this ceases to be an issue.  Am I correct in this
> assumption?
>
> I have a bunch of mod_perl servers behind a single pound proxy (plus
> failover), and they share the uploaded images via NFS currently,
> although I'm considering moving to iSCSI with OCFS2 when I am convinced
> of its stability.
>
> Any views on this?


That assumption sounds right -- so long as you have a caching proxy  
like squid.  Not all proxies cache ( i'm pretty sure that pound  
doesn't ).  Any content you can offload from mp should give your app  
a big boost -- the thing that 'kills' modperl performance is tying up  
the same apache child used for content generation with 45 .gifs/jpg/pngs
and a handful of css/js files.


If you're doing uploaded images over NFS though, chances are you have  
a lot of images -- which can make caching a bit of a nightmare as you  
try to balance the cache params.  so i'd strongly suggest using a  
lightweight server  (even vanilla apache would be an improvement).   
alternately, you could consider using amazon's s3 for mass storage  
with a CDN for distribution.  ( i'm constantly told that s3 has  
uptime/access issues -- your data is safe, but it might not be  
accessible for an  hour ). using a combo of the two gives you  
reliable storage and distro both for cheap.



// Jonathan Vanasco






Re: Growing Up

2007-04-17 Thread Perrin Harkins

On 4/17/07, Clinton Gormley [EMAIL PROTECTED] wrote:

> is it reasonable to serve your static files from a mod_perl server, as
> long as you have a proxy/pound/squid in front?


Yes, but spending no time in mod_perl for a static file is better than
spending a little time, and the files will be served faster if there's
no extra proxying step.  If you aren't having scaling problems, then
don't worry about it.

- Perrin


Re: Apache2::AuthenNTLM Failing Authentication from Vista Internet Explorer

2007-04-17 Thread Jens . Heinemann
Hi there,

just answering my own question after some weeks ;)

I had problems authenticating Windows Vista Internet Explorer clients 
(wrong password).

Now I found the solution in a note on the module's homepage 
http://modntlm.sourceforge.net/

I quote it here for the archive, basically it says that the module does 
not work with NTLMv2, which is used by Vista by default.

Jens.


Update April 2007 by Michael Baltaks 
There are two options for NTLM authentication in Apache without using 
Windows (If you're using Windows, mod_auth_sspi is what you need). 
The first option is this apache module, mod_ntlm, source code for apache 
1.x and apache 2.x. The source code is kept in Subversion, so try 
svn co https://modntlm.svn.sourceforge.net/svnroot/modntlm/trunk
to get it. This includes the improvements from 
http://modntlm.jamiekerwick.co.uk/ as well as a patch to support reverse 
proxy mode. This module has no other dependencies, but doesn't support 
groups or NTLMv2, which is by default the only NTLM allowed in Windows 
Vista (you can change that setting). 
The second option is mod_auth_ntlm_winbind, which requires a working 
winbindd (get some help with winbind). The benefits of bothering to 
configure winbind are group support and NTLMv2 support. Read about it at 
http://adldap.sourceforge.net/mod_auth_ntlm_winbind.php.


Re: Growing Up

2007-04-17 Thread Frank Wiles
On Tue, 17 Apr 2007 10:48:57 -0400
Perrin Harkins [EMAIL PROTECTED] wrote:

> On 4/17/07, Clinton Gormley [EMAIL PROTECTED] wrote:
> > is it reasonable to serve your static files from a mod_perl server,
> > as long as you have a proxy/pound/squid in front?
>
> Yes, but spending no time in mod_perl for a static file is better than
> spending a little time, and the files will be served faster if there's
> no extra proxying step.  If you aren't having scaling problems, then
> don't worry about it.

   Personally, I've fallen in love with Perlbal and it can serve up 
   static files from disk so that would be probably what I would do
   in this situation. 

 -
   Frank Wiles [EMAIL PROTECTED]
   http://www.wiles.org
 -



$r->handler and $r->set_handlers on all files

2007-04-17 Thread Sergij Borodych

Hi,

I have configuration:
apache-2.0.59
mod_perl-2.0.3

<Directory /somedir/htdocs>
PerlAuthzHandler MyModule::authorize

and in authorize:

if ...
$r->handler('perl-script');
$r->set_handlers( (MP2 ? 'PerlResponseHandler' : 'PerlHandler') => \&somefunc );


If the URL is /, all is OK: authorize is called and then somefunc is called.
But if I request any other file, like /test.html,
authorize is called and sets the handlers, but somefunc is not called :(

It is also called if I request /test (it tries to resolve test.html, I think),
and for non-existing URLs (files) it (somefunc) is called too.

Where is the problem?
Is there a way to fix it without a redirect or adding a new Perl*Handler 
(PerlMapToStorageHandler, PerlFixupHandler?)?


--
Sergij Borodych
http://bor.org.ua


RE: Lock Files - File is permanently locked

2007-04-17 Thread Justin Luster
Just wanted to let you know that I found the problem.  I had an error in
my code where I was accidentally trying to put a read lock on a file
where I had not properly closed the write lock.  This condition occurred
in error handling code and it was hard to find.

Anyway I was happy to learn that if you assign a file handle to a
lexical variable:

i.e.

my $FileHandle = Symbol::gensym();
open $FileHandle, $strOpenChar . $strFileName or eval{$blnError = 1};

then when the scope of that variable ends, be it in mod_perl or
elsewhere, the file is unlocked and closed even if you forget to do so.

Thanks for your help,

Justin


-Original Message-
From: Robert Landrum [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 13, 2007 3:16 PM
To: Justin Luster
Cc: 'Dondi M. Stroma'; modperl@perl.apache.org
Subject: Re: Lock Files - File is permanently locked

Justin Luster wrote:
> Here is an example of a call to OpenFile().  You will notice that I'm
> additionally locking the file itself as well as the lock file (I figured
> it would not hurt to have both methods):
>
> my $LockFileHandle = authlib::FileLock("udata_" . $strRespNum .
> "_lck.cgi", 1);
>
> #Read restart question name
> my ($DataFileHandle, $blnError) = authlib::OpenFile($strDataFileName,
> "update", 1, 1);
>
> authlib::LockMe($DataFileHandle, 1);
>
> authlib::RestartQNameWrite($DataFileHandle, $strRestartQName);
>
> close $DataFileHandle;
>
> close authlib::FileUnLock($LockFileHandle);


Seems like an awful lot of code...

use Fcntl qw(:flock);   # provides LOCK_EX and LOCK_UN

open(DATAFILE,$strDataFileName) or die;
flock(DATAFILE,LOCK_EX);
seek(DATAFILE,0,0);
eval {
   authlib::RestartQNameWrite(\*DATAFILE,$strRestartQName);
};
flock(DATAFILE,LOCK_UN);
close(DATAFILE);
if($@) {
   die $@;
}

Code like that has never failed me on Solaris or Linux.  I don't write 
W32 code, so maybe it's more complicated than that.

Also,

  close authlib::FileUnLock($LockFileHandle);

That seems like an error waiting to happen, since FileUnLock doesn't 
return a file handle.

Rob




Re: Growing Up

2007-04-17 Thread Rafael Caceres
On Mon, 2007-04-16 at 12:21 -0700, Will Fould wrote:
> Hi,
>
> I have a service that is currently running a basic LAMP stack with
> mod_perl and life has been good!
>
> The site running has been getting very busy and I've ordered a second
> machine with intention to move the database off that machine and start
> the growing up process.
>
> I am looking for next steps to growing up from this machine.  Can
> somebody recommend a good article, presentation or document that
> advocates various strategies to growing up the current architecture
> (i.e. basic load balancing, network topology, switches, etc. )?
>
> I realize that mileage will vary based on the particular service and
> demands. Currently, the site does not deliver a lot of static content
> that can be cached or cause huge I/O issues (i.e. images, media, huge
> pages, etc). Our database is probably 95% read-only.
>
> Thanks a lot

There is a consideration, regarding using a proxy or a different server,
that has not been brought up: If there is mod_perl based access control
for the static files, then it's basically impossible not to go through a
mod_perl server to serve them.
In fact, I'm not sure what the effect would be in that scenario if a
proxy was used: would it serve the static file regardless of the access
control? Does it depend on the expiration data on the headers sent
through the proxy when the access controlled static file was sent?

Rafael Caceres 




Re: Growing Up

2007-04-17 Thread Perrin Harkins

On 4/17/07, Rafael Caceres [EMAIL PROTECTED] wrote:

> There is a consideration, regarding using a proxy or a different server,
> that has not been brought up: If there is mod_perl based access control
> for the static files, then it's basically impossible not to go through a
> mod_perl server to serve them.


I use mod_auth_tkt.  You issue a cookie with credentials, and the C
module can use it to check access rights on static files from the
proxy server.  You have to run apache as your proxy server, but I
prefer that anyway.


> In fact, I'm not sure what the effect would be in that scenario if a
> proxy was used: would it serve the static file regardless of the access
> control?


No, it would talk to mod_perl every time and not do any caching,
unless you have a mis-configured proxy.

- Perrin


[Fwd: CPAN Upload: P/PG/PGOLLUCCI/Apache-Peek-1.07.tar.gz]

2007-04-17 Thread Philip M. Gollucci

The uploaded file

Apache-Peek-1.07.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/P/PG/PGOLLUCCI/Apache-Peek-1.07.tar.gz
  size: 49951 bytes
   md5: a259e9065eed9f0fcbfcf55cb5affc07

CHANGES:

=head 1.07 Tue Apr 17 15:00:55 PDT 2007

- Fix invalid prereq check of mod_perl.pm vs mod_perl2.pm
  [Dintelmann, Peter [EMAIL PROTECTED]]


--

Philip M. Gollucci ([EMAIL PROTECTED]) 323.219.4708
Consultant / http://p6m7g8.net/Resume/resume.shtml
Senior Software Engineer - TicketMaster - http://ticketmaster.com
1024D/EC88A0BF 0DE5 C55C 6BF3 B235 2DAB  B89E 1324 9B4F EC88 A0BF

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.


Authentication Problem

2007-04-17 Thread Scott Gifford
Hello,

I'm having trouble with PerlAuthenHandler.

The symptom is that in a browser (Firefox at least), I'm prompted for
a password the first time I visit a page.  If I enter it incorrectly,
I'm not prompted again, but instead just see the error page.

The cause seems to be that when mod_perl gets an Authorization
header in the request, it doesn't supply a WWW-Authenticate header
in the response.

Even in a very simple PerlAuthenHandler I see this behavior.  I've
attached an example that shows the problem with this configuration:

PerlModule Authen::AlwaysFails
<Directory /home/sgifford/public_html/authtest>
  PerlAuthenHandler Authen::AlwaysFails
  AuthType  Basic
  AuthName  "GOOD LUCK"
  Require   valid-user
</Directory>

I'm running on Debian 3.1 (Sarge), using the distribution copies of
Apache 1.3.33, mod_perl 1.27, and perl 5.8.4.

Any ideas?

Thanks!

Scott.

package Authen::AlwaysFails;

use strict;
use warnings;

use Apache::Constants qw(HTTP_UNAUTHORIZED OK);
use Apache;

sub handler
{
  my ( $class, $r ) = @_;
  $r ||= Apache->request;
  warn "Class='$class'; r='$r'\n";
  my( $rc, $password ) = $r->get_basic_auth_pw;

  unless ( $rc == OK ) {
    warn "Returning $rc\n";
    return $rc;
  }

  # Test case: every supplied credential is rejected
  return HTTP_UNAUTHORIZED;
}

1;


Re: Authentication Problem

2007-04-17 Thread Scott Gifford
Scott Gifford [EMAIL PROTECTED] writes:

[...]

> The cause seems to be that when mod_perl gets an Authorization
> header in the request, it doesn't supply a WWW-Authenticate header
> in the response.

Nevermind, found it, the solution was to call:

$r->note_basic_auth_failure();

Scott.