Re: [users@httpd] virtual host gives unexpected network read error

2018-01-31 Thread Luca Toscano
Hi David,

2018-01-29 19:45 GMT-08:00 David Mehler :

> Hello,
>
> Can someone take a look at the below virtual host configuration?
> Whenever I put it in my Apache 2.4 the server returns an alert
> unexpected network read error connection aborted message. If I take it
> out the server behaves normally. Of course nothing is in any of the
> logs; I've got LogLevel set to warn. An apachectl -t says the files are
> syntactically correct.
>
> Any ideas?
>
> Thanks.
> Dave.
>
> #
> # Virtual host file
> #
>
> # The example.com http  and https virtual host
> 
>
> SSLCertificateFile "/usr/local/etc/ssl/acme/example.com/fullchain.pem"
> SSLCertificateKeyFile "/usr/local/etc/ssl/acme/private/example.com/privkey.pem"
> SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!3DES
> SSLEngine on
>
>
This way you are enabling SSL/TLS on both ports 80 and 443; I don't
believe that it will work (even though I didn't test it properly). Any reason
why you have these settings? Can you try without the "*:80"? In your case
I'd simply create a *:80 vhost to force an http->https redirect, and then
apply the SSL etc. settings only to *:443.

Luca
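
A sketch of the layout suggested in the reply above, added here as an example (it is not configuration from the original thread): the port-80 vhost only redirects, and every SSL directive lives in the *:443 vhost. ServerName and DocumentRoot are assumed values; the certificate paths are the ones from the quoted post.

```apache
# Added example. ServerName and DocumentRoot are assumptions;
# the certificate paths are taken from the quoted post.

# Port 80: plain HTTP only. No SSL* directives belong here, because
# "SSLEngine on" makes httpd expect a TLS handshake on this port and
# clients speaking plain HTTP no longer get the site.
<VirtualHost *:80>
    ServerName example.com
    # The only job of this vhost is the http -> https redirect.
    Redirect permanent "/" "https://example.com/"
</VirtualHost>

# Port 443: the single place where mod_ssl is switched on.
<VirtualHost *:443>
    ServerName example.com
    # Assumed document root, adjust to the real site.
    DocumentRoot "/usr/local/www/example.com"

    SSLEngine on
    SSLCertificateFile    "/usr/local/etc/ssl/acme/example.com/fullchain.pem"
    SSLCertificateKeyFile "/usr/local/etc/ssl/acme/private/example.com/privkey.pem"
    # SSLCipherSuite and any other SSL* settings also go in this block.
</VirtualHost>
```

`apachectl -S` prints the vhosts grouped by address and port; the same config-file line showing up under both port 80 and port 443 points to one vhost shared between the two.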


Re: [users@httpd] proxy_fcgi - force flush to client

2018-01-31 Thread Luca Toscano
Hi Hajo,

2018-01-31 1:27 GMT-08:00 Hajo Locke :

> Hello List,
>
> Currently I am comparing features and behaviour of proxy_fcgi to classical
> methods like mod_fastcgi/mod_php.
>
> mod_php/fastcgi have options to send every output from the backend immediately
> to the client. So it is possible to see progressing output in the browser and not
> the complete website output at once.
>
> Here is an example script:
> https://pastebin.com/4drpgBMq
>
> If you run this with php-cli or adjusted mod_php/mod_fastcgi you see
> progress in the browser and the numbers 0 1 2 appear one after another.
> If you run this with proxy_fcgi you will see no progress, but the complete
> output at once.
>
> mod_proxy knows about the worker parameter flushpackets, but the docs say this
> is in effect only for AJP. I can confirm that this and related options have
> no effect.
> There are some workarounds posted on the web, but only one worked for me.
> If I add the following line to the script, I also see progress with
> proxy_fcgi in the browser:
>
> header('Content-Encoding: none');
>
> Does somebody know a working workaround which works without script editing?
> Some workarounds tell about using "SetEnv no-gzip 1". This was not working
> for me and I am not pleased to disable content compression.
> Is it planned to support >>flushpackets<< in proxy_fcgi as well?
>
> Maybe this is not important for a typical website, but it is for some
> service/monitoring scripts.
>
>
The functionality is committed to trunk but was never backported to 2.4.x
because I was not sure about its importance; it looks like some users might
benefit from it :)

The trunk patch is http://svn.apache.org/r1802040, it should apply to 2.4.x
if you want to test it and give me some feedback.

Thanks!

Luca


Re: [users@httpd] problems benchmarking php-fpm/proxy_fcgi with h2load

2018-01-31 Thread Luca Toscano
Hi Hajo,

2018-01-31 2:37 GMT-08:00 Hajo Locke :

> Hello,
>
>
> On 22.01.2018 at 11:54, Hajo Locke wrote:
>
> Hello,
>
> On 19.01.2018 at 15:48, Luca Toscano wrote:
>
> Hi Hajo,
>
> 2018-01-19 13:23 GMT+01:00 Hajo Locke :
>
>> Hello,
>>
>> Thanks Daniel and Stefan. This is a good point.
>> I did the test with a static file and this test was successfully done
>> within only a few seconds.
>>
>> finished in 20.06s, 4984.80 req/s, 1.27GB/s
>> requests: 10 total, 10 started, 10 done, 10 succeeded, 0
>> failed, 0 errored, 0 timeout
>>
>> So the problem seems to be neither h2load nor basic Apache. Maybe I should look
>> deeper into the proxy_fcgi configuration.
>> The php-fpm configuration is unchanged and was successfully used with the
>> classical fastcgi benchmark, so I think I have to double-check the proxy.
>>
>> Now I made this change in the proxy:
>>
>> from
>> enablereuse=on
>> to
>> enablereuse=off
>>
>> This change leads to a working h2load test run:
>> finished in 51.74s, 1932.87 req/s, 216.05MB/s
>> requests: 10 total, 10 started, 10 done, 10 succeeded, 0
>> failed, 0 errored, 0 timeout
>>
>> I am surprised by that. I expected higher performance when reusing
>> backend connections rather than creating new ones.
>> I did some further tests and changed some other php-fpm/proxy values, but
>> once "enablereuse=on" is set, the problem returns.
>>
>> Should I just run the proxy with enablereuse=off? Or do you have another
>> suspicion?
>>
>
>
> Before giving up I'd check two things:
>
> 1) That the same results happen with a regular localhost socket rather
> than a unix one.
>
> I changed my setup to use TCP sockets in php-fpm and proxy_fcgi. Currently
> I see the same behaviour.
>
> 2) What changes on the php-fpm side. Are there more busy workers when
> enablereuse is set to on? I am wondering how php-fpm handles FCGI requests
> happening on the same socket, as opposed to assuming that 1 connection == 1
> FCGI request.
>
> If "enablereuse=off" is set I see a lot of running PHP worker processes
> (120-130) and high load. Behaviour is as expected.
> When "enablereuse=on" is set I can see a big change. The number of running
> php-workers is really low (~40). The test runs for some time and then it
> gets stuck.
> I can see that php-fpm processes are still active and waiting for
> connections, but proxy_fcgi is not using them, nor is it establishing new
> connections. loadavg is low and the benchmark test is not able to finish.
>
> I did some further tests to solve this issue. I set ttl=1 for this Proxy
> and achieved good performance and a high number of working children. But this
> is paradoxical.
> proxy_fcgi knows about an inactive connection in order to kill it, but does
> not re-enable this connection for work.
> Maybe this is helpful to others.
>
> Maybe it is a kind of communication problem in checking the health/busy status of
> php-processes.
> The whole proxy configuration is this:
>
> 
> ProxySet enablereuse=off flushpackets=On timeout=3600 max=15000
> 
> 
> SetHandler "proxy:fcgi://php70fpm"
> 
>
>
Thanks a lot for following up and reporting these interesting results! Yann
opened a thread[1] on dev@ to discuss the issue, let's follow up in there
so we don't keep two conversations open.

Luca

[1]:
https://lists.apache.org/thread.html/a9586dab96979bf45550c9714b36c49aa73526183998c5354ca9f1c8@%3Cdev.httpd.apache.org%3E


[users@httpd] compiling Apache httpd 2.4 with mod_nss - configure.sh ignoring --with-nss= option

2018-01-31 Thread Jorge Suarez
Apache 2.4.29 on RHEL 7.4


I need to compile Apache with --prefix so that I can manage it with a
non-privileged account, thus I am avoiding the RHEL provided RPMs. I am
trying to compile Apache 2.4.29 from scratch with mod_nss included.

I am configuring using:

 ./configure  --with-apxs --prefix=/opt/apps/httpd-2.4.29
--enable-mods-shared="all cgi nss" --enable-mpms-shared='all'
 --with-nss=/opt/local/ --with-nspr=/opt/local/ --enable-mods-shared

However, I do not see that any action is taken on the --with-nspr or
--with-nss options. I was hoping that Apache would complain about not being
able to find suitable files to build such if there is a problem, but it
doesn't, instead appearing to just ignore them. I have tried both with the
Mozilla provided packages (compile fine on my box) and also with RHEL
provided nspr & nss as shown below:

$ rpm -qa | grep nss | grep -v open
nss-softokn-freebl-devel-3.28.3-8.el7_4.x86_64
libsss_nss_idmap-1.15.2-50.el7_4.8.x86_64
nss-3.28.4-15.el7_4.x86_64
nss-util-devel-3.28.4-3.el7.x86_64
nss-softokn-devel-3.28.3-8.el7_4.x86_64
nss-sysinit-3.28.4-15.el7_4.x86_64
nss-softokn-freebl-3.28.3-8.el7_4.x86_64
nss-devel-3.28.4-15.el7_4.x86_64
nss-util-3.28.4-3.el7.x86_64
jansson-2.10-1.el7.x86_64
nss-tools-3.28.4-15.el7_4.x86_64
nss-softokn-freebl-3.28.3-8.el7_4.i686
nss-pem-1.0.3-4.el7.x86_64
nss-softokn-3.28.3-8.el7_4.x86_64

$ rpm -qa | grep nspr
nspr-devel-4.13.1-1.0.el7_3.x86_64
nspr-4.13.1-1.0.el7_3.x86_64

Apache is not attempting to find either package, or at least doesn't
complain about not finding them. Any help is appreciated.


Re: [users@httpd] problems benchmarking php-fpm/proxy_fcgi with h2load

2018-01-31 Thread Hajo Locke

Hello,

On 22.01.2018 at 11:54, Hajo Locke wrote:

Hello,

On 19.01.2018 at 15:48, Luca Toscano wrote:

Hi Hajo,

2018-01-19 13:23 GMT+01:00 Hajo Locke:


Hello,

Thanks Daniel and Stefan. This is a good point.
I did the test with a static file and this test was successfully
done within only a few seconds.

finished in 20.06s, 4984.80 req/s, 1.27GB/s
requests: 10 total, 10 started, 10 done, 10
succeeded, 0 failed, 0 errored, 0 timeout

So the problem seems to be neither h2load nor basic Apache. Maybe I
should look deeper into the proxy_fcgi configuration.
The php-fpm configuration is unchanged and was successfully used with the
classical fastcgi benchmark, so I think I have to double-check the
proxy.

Now I made this change in the proxy:

from
enablereuse=on
to
enablereuse=off

This change leads to a working h2load test run:
finished in 51.74s, 1932.87 req/s, 216.05MB/s
requests: 10 total, 10 started, 10 done, 10
succeeded, 0 failed, 0 errored, 0 timeout

I am surprised by that. I expected higher performance when
reusing backend connections rather than creating new ones.
I did some further tests and changed some other php-fpm/proxy
values, but once "enablereuse=on" is set, the problem returns.

Should I just run the proxy with enablereuse=off? Or do you have
another suspicion?



Before giving up I'd check two things:

1) That the same results happen with a regular localhost socket 
rather than a unix one.
I changed my setup to use TCP sockets in php-fpm and proxy_fcgi.
Currently I see the same behaviour.
2) What changes on the php-fpm side. Are there more busy workers when
enablereuse is set to on? I am wondering how php-fpm handles FCGI
requests happening on the same socket, as opposed to assuming that 1
connection == 1 FCGI request.
If "enablereuse=off" is set I see a lot of running PHP worker processes
(120-130) and high load. Behaviour is as expected.
When "enablereuse=on" is set I can see a big change. The number of running
php-workers is really low (~40). The test runs for some time and
then it gets stuck.
I can see that php-fpm processes are still active and waiting for
connections, but proxy_fcgi is not using them, nor is it establishing
new connections. loadavg is low and the benchmark test is not able to finish.
I did some further tests to solve this issue. I set ttl=1 for this Proxy
and achieved good performance and a high number of working children. But
this is paradoxical.
proxy_fcgi knows about an inactive connection in order to kill it, but does
not re-enable this connection for work.

Maybe this is helpful to others.
Maybe it is a kind of communication problem in checking the health/busy status
of php-processes.

The whole proxy configuration is this:


    ProxySet enablereuse=off flushpackets=On timeout=3600 max=15000


   SetHandler "proxy:fcgi://php70fpm"




Luca


Altogether I have collected interesting results. This should be
remarkable for Stefan, because some results are not as expected. I
will show these results in a separate mail, so as not to mix them up with
this proxy problem.



Thanks,
Hajo



Re: [users@httpd] minimal custom modul with no functionality

2018-01-31 Thread Hajo Locke

Hello List,

On 29.01.2018 at 11:32, Hajo Locke wrote:

Hello List,

I am trying to remove mod_php and switch to php-cgi with proxy_fcgi and
mpm_event.
An example setup is running well. But after removing libphp7.so I want
to keep support for php_value/php_flag directives in .htaccess.
This is done by the php-htscanner extension. But for the php-htscanner
extension to work, Apache needs to know about these directives.
(A thread-safe compiled libphp7.so is currently not an option because of
other problems.)


So following this tutorial I "created" a custom module which just
registers the directives I need and does nothing else:

https://httpd.apache.org/docs/2.4/developer/modguide.html

I reduced the example to a minimum. Please look here:
https://pastebin.com/gEDqJYLR

Compiling and using it are successful. Apache knows about
php_flag/php_value and my .htaccess is working together with
htscanner. My php-ini settings are edited as expected.


This is a minimal Apache module; I just relinquished using a
hook-registering function.
My question is: is this safe to use? I did not notice any error,
but I am no programmer.


Please take a short look at the code and tell me your opinion.
Seems we have no programmers here. I think I will start a small question
on the dev list.



Thanks,
Hajo

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



[users@httpd] proxy_fcgi - force flush to client

2018-01-31 Thread Hajo Locke

Hello List,

Currently I am comparing features and behaviour of proxy_fcgi to classical
methods like mod_fastcgi/mod_php.


mod_php/fastcgi have options to send every output from the backend
immediately to the client. So it is possible to see progressing output in
the browser and not the complete website output at once.


Here is an example script:
https://pastebin.com/4drpgBMq

If you run this with php-cli or adjusted mod_php/mod_fastcgi you see
progress in the browser and the numbers 0 1 2 appear one after another.
If you run this with proxy_fcgi you will see no progress, but the complete
output at once.


mod_proxy knows about the worker parameter flushpackets, but the docs say
this is in effect only for AJP. I can confirm that this and related
options have no effect.
There are some workarounds posted on the web, but only one worked for
me. If I add the following line to the script, I also see progress with
proxy_fcgi in the browser:


header('Content-Encoding: none');

Does somebody know a working workaround which works without script editing?
Some workarounds tell about using "SetEnv no-gzip 1". This was not
working for me and I am not pleased to disable content compression.

Is it planned to support >>flushpackets<< in proxy_fcgi as well?

Maybe this is not important for a typical website, but it is for some
service/monitoring scripts.


Thank you,
Hajo
