Re: [users@httpd] Keepalive closing connections prematurely on high load on newer httpd versions

2023-05-25 Thread Mateusz Kempski
Tested server is Rocky 8. We don't use Ubuntu in prod so I focused on
testing Rocky.
Mateusz Kempski



On Wed, 24 May 2023 at 12:18, Deepak Goel  wrote:
>
> The below test results are on which OS? Ubuntu 18 or 20?
>
> On Wed, 24 May 2023, 17:17 Mateusz Kempski,  
> wrote:
>>
>> They are all identical VMs. We can also reproduce this on bigger
>> servers. I don't think this is caused by Rocky or Ubuntu config. I can
>> see 2 problems during my tests.
>> 1. httpd does not add any servers when test is running. It kills
>> keepalive connections and logs "all workers busy or dying" but does
>> not add any, maybe one at the end of the test. For example if I set
>> StartServers to 3 it goes up to 4 at the end of the test even though
>> it has ServerLimit set to 120.
>> 2. httpd seems to not register that it has free workers even when I
>> set StartServers to 120. There are thousands of idle threads and it
>> still logs "all workers busy or dying" and kills keepalive
>> connections. This can be worked around by setting ThreadsPerChild and
>> ThreadLimit much higher and lowering StartServers/ServerLimit
>> respectively.
>> For example with following settings I can easily process over 1500
>> concurrent connections without errors and keepalive killing:
>> ```
>> 
>> ThreadsPerChild 200
>> ThreadLimit 200
>> StartServers 10
>> ServerLimit 15
>> MinSpareThreads 75
>> MaxSpareThreads 3000
>> MaxRequestWorkers 3000
>> MaxConnectionsPerChild 0
>> 
>> ```
>> Why does httpd behave this way? It seems to not be intended
>> considering ThreadsPerChild is limited to 64 by default by
>> ThreadLimit. I will try to report a bug to httpd devs as it looks like
>> one to me.
>> Test results with this config:
>> ```
>> ab -k -t 900 -c 1500 -n 100 http://rocky/
>> This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
>> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
>> Licensed to The Apache Software Foundation, http://www.apache.org/
>>
>> Benchmarking 10.1.3.11 (be patient)
>> Completed 10 requests
>> Completed 20 requests
>> Completed 30 requests
>> Completed 40 requests
>> Completed 50 requests
>> Completed 60 requests
>> Completed 70 requests
>> Completed 80 requests
>> Completed 90 requests
>> Completed 100 requests
>> Finished 100 requests
>>
>>
>> Server Software:        Apache/2.4.37
>> Server Hostname:        10.1.3.11
>> Server Port:            80
>>
>> Document Path:          /
>> Document Length:        7620 bytes
>>
>> Concurrency Level:      1500
>> Time taken for tests:   13.923 seconds
>> Complete requests:      100
>> Failed requests:        0
>> Write errors:           0
>> Keep-Alive requests:    990813
>> Total transferred:      7919596479 bytes
>> HTML transferred:       762000 bytes
>> Requests per second:    71821.69 [#/sec] (mean)
>> Time per request:       20.885 [ms] (mean)
>> Time per request:       0.014 [ms] (mean, across all concurrent requests)
>> Transfer rate:          555467.60 [Kbytes/sec] received
>>
>> Connection Times (ms)
>>               min  mean[+/-sd] median   max
>> Connect:        0    0  14.1      0    1057
>> Processing:     0   20  33.5     16    1483
>> Waiting:        0   17  20.5     15    1343
>> Total:          0   21  36.4     16    1483
>>
>> Percentage of the requests served within a certain time (ms)
>>   50%     16
>>   66%     20
>>   75%     23
>>   80%     26
>>   90%     27
>>   95%     31
>>   98%     65
>>   99%    221
>>  100%   1483 (longest request)
>> ```
>>
>> Mateusz Kempski
>>
>> Mateusz Kempski
>> Linux System Administrator
>> XTM International Ltd.
>> Email: mkemp...@xtm-intl.com
>> xtm.cloud
>>
>>
>>
>>
>> On Wed, 24 May 2023 at 05:57, Deepak Goel  wrote:
>> >
>> >
>> >
>> > On Tue, May 23, 2023 at 6:19 PM Mateusz Kempski 
>> >  wrote:
>> >>
>> >> Ubuntu 20 idle:
>> >> ```
>> >> Total DISK READ: 0.00 B/s | Total DISK WRITE: 0.00 B/s
>> >> Current DISK READ:   0.00 B/s | Current DISK WRITE:   0.00 B/s
>> >> ```
>> >> ```
>> >> top - 12:31:00 up 2 min,  1 user,  load average: 0.13, 0.04, 0.01
>> >> Tasks: 239 total,   1 running, 238 sleeping,   0 stopped,   0 zombie
>> >> %Cpu(s):  0.0 us,  0.0 sy,  0.0 ni,100.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
>> >> MiB Mem :  16006.4 total,  15259.6 free,    251.0 used,    495.8 buff/cache
>> >> MiB Swap:  0.0 total,  0.0 free,  0.0 used.  15466.5 avail Mem
>> >> ```
>> >> Ubuntu 20 during test:
>> >> ```
>> >> Total DISK READ: 0.00 B/s | Total DISK WRITE: 3.47 M/s
>> >> Current DISK READ:   0.00 B/s | Current DISK WRITE:   0.00 B/s
>> >> ```
>> >> ```
>> >> top - 12:35:17 up 6 min,  1 user,  load average: 6.91, 2.99, 1.16
>> >> Tasks: 232 total,   3 running, 229 sleeping,   0 stopped,   0 zombie
>> >> %Cpu(s):  9.0 us, 21.3 sy,  0.0 ni, 64.4 id,  0.0 wa,  0.0 hi,  5.3 si,  0.1 st
>> >> MiB Mem :  16006.4 total,  14672.6 free,    358.1 used,    975.7 buff/cache

Re: [users@httpd] Keepalive closing connections prematurely on high load on newer httpd versions

2023-05-25 Thread Mateusz Kempski
Before the test:
```
Apache Server Status for 127.0.0.1 (via 127.0.0.1)

  Server Version: Apache/2.4.37 (rocky)
  Server MPM: event
  Server Built: May 17 2023 16:27:49

  Current Time: Thursday, 25-May-2023 12:51:03 UTC
  Restart Time: Thursday, 25-May-2023 12:50:52 UTC
  Parent Server Config. Generation: 1
  Parent Server MPM Generation: 0
  Server uptime: 11 seconds
  Server load: 0.03 0.02 0.00
  Total accesses: 0 - Total Traffic: 0 kB - Total Duration: 0
  CPU Usage: u.01 s.01 cu0 cs0 - .182% CPU load
  0 requests/sec - 0 B/second
  1 requests currently being processed, 74 idle workers

  +------+--------+----------+-------------------+-------------+--------------------------------+
  |      |        |          |    Connections    |   Threads   |       Async connections        |
  | Slot |  PID   | Stopping |-------+-----------+------+------+---------+------------+---------|
  |      |        |          | total | accepting | busy | idle | writing | keep-alive | closing |
  |------+--------+----------+-------+-----------+------+------+---------+------------+---------|
  | 0    | 163535 | no       | 0     | yes       | 0    | 25   | 0       | 0          | 0       |
  | 1    | 163536 | no       | 0     | yes       | 0    | 25   | 0       | 0          | 0       |
  | 2    | 163537 | no       | 0     | yes       | 1    | 24   | 0       | 0          | 0       |
  |------+--------+----------+-------+-----------+------+------+---------+------------+---------|
  | Sum  | 3      | 0        | 0     |           | 1    | 74   | 0       | 0          | 0       |
  +------+--------+----------+-------+-----------+------+------+---------+------------+---------+

__W_
___.
```

[users@httpd] Proxy with ssl backend server

2023-05-25 Thread Josef Wolf
Hello,

I am trying to use apache as a proxy to pass requests to a https backend like 
this:

  
  
SSLProxyEngine   on
ProxyPass        /service/ https://backend.do.main:4434/service
ProxyPassReverse /service/ https://backend.do.main:4434/service
ProxyPassReverseCookiePath / /service/
ProxyHTMLURLMap  https://backend.do.main:4434/service /service

  SetEnv force-proxy-request-1.0 1
  SetEnv proxy-nokeepalive 1
  SetEnv proxy-sendcl
  ProxyHTMLEnable On
  ProxyHTMLExtended On
  LogLevel Debug
  ProxyHTMLURLMap https://backend.do.main:4434/service /service/
  RequestHeader unset Accept-Encoding
  AuthName        "Application /service"
  AuthType        Basic
  AuthUserFile    /m/b/httpd/passwd
  AuthGroupFile   /m/b/httpd/group
  Require group service
  SSLRequireSSL
  RequestHeader set Authorization "Basic 123456778"
  RequestHeader set X_FORWARDED_PROTO 'https'

  
  

This works fine for http backends, but with https, I get the following errors:

  [Thu May 25 13:34:04.690065 2023] [proxy:debug] [pid 2259] mod_proxy.c(1245): [client 109.43.178.5:13845] AH01143: Running scheme https handler (attempt 0)
  [Thu May 25 13:34:04.690076 2023] [proxy:debug] [pid 2259] proxy_util.c(2216): [client 109.43.178.5:13845] AH00944: connecting https://backend.do.main:4434/service/ to backend.do.main:4434
  [Thu May 25 13:34:04.690119 2023] [proxy:debug] [pid 2259] proxy_util.c(2425): [client 109.43.178.5:13845] AH00947: connected /service/ to backend.do.main:4434
  [Thu May 25 13:34:04.690559 2023] [ssl:info] [pid 2259] [remote 192.168.1.106:4434] AH01964: Connection to child 0 established (server lw.strangled.net:443)
  [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context
  [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
  [Thu May 25 13:34:04.690749 2023] [proxy:error] [pid 2259] (103)Software caused connection abort: [client 109.43.178.5:13845] AH01084: pass request body failed to 192.168.1.106:4434 (vdr2.wolf.lan)
  [Thu May 25 13:34:04.690783 2023] [proxy_http:error] [pid 2259] [client 109.43.178.5:13845] AH01097: pass request body failed to 192.168.1.106:4434 (vdr2.wolf.lan) from 109.43.178.5 ()

I guess, the reason for this problem might be that the backend server uses
a self signed certificate created like this:

   openssl req \
     -new -newkey rsa:4096 \
     -subj /C=DE/CN=backend \
     -addext subjectAltName=DNS:backend.do.main \
     -addext certificatePolicies=1.2.3.4 \
     -x509 -nodes \
     -days 3650 \
     -out server-cert.pem \
     -keyout server-key.pem

I tried to disable the certificate check by adding the following options, but they did
not help:

SSLProxyVerify   none
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyCheckPeerExpire Off

Any ideas what might be wrong with my configuration?

How could I explicitly install the backend certificate as "trusted"?
I tried SSLProxyMachineCertificatePath, but also without success.


-- 
Josef Wolf
j...@raven.inka.de
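
On the question of installing the backend certificate as trusted: the following is an added example, not part of the original post and not a diagnosis of the AH01962 error shown above. It contrasts the verification-off settings from the message with a setup that pins the proxy to the backend's self-signed certificate. The file path is an assumption; the hostname and SAN are the ones given in the message.

```apache
# Added example (not from the original post).
# Assumption: /etc/httpd/conf/backend-cert.pem is a copy of the backend's
# server-cert.pem (the public certificate only, never server-key.pem).

# Weak: with these settings the proxy accepts any certificate presented by
# whatever answers on backend.do.main:4434, so the TLS hop to the backend
# is encrypted but unauthenticated.
#   SSLProxyVerify          none
#   SSLProxyCheckPeerCN     Off
#   SSLProxyCheckPeerName   Off
#   SSLProxyCheckPeerExpire Off

# Hardened: the self-signed certificate is the only trust anchor for proxy
# connections, and hostname and validity period are checked.
SSLProxyEngine            on
SSLProxyCACertificateFile /etc/httpd/conf/backend-cert.pem
SSLProxyVerify            require
SSLProxyVerifyDepth       1
# The name check compares the host in the ProxyPass URL (backend.do.main)
# with the certificate's subjectAltName, which the openssl command in the
# message sets to DNS:backend.do.main.
SSLProxyCheckPeerName     on
SSLProxyCheckPeerExpire   on

# SSLProxyMachineCertificatePath / SSLProxyMachineCertificateFile serve a
# different purpose: they hold the client certificate and key that the proxy
# presents to the backend. They do not add trust in the backend's certificate.
```

These directives belong in the same server or virtual host context as the ProxyPass lines, since the proxy's TLS settings are taken from the virtual host that handles the request.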
