[users@httpd] LongPolling/WebSockets connection handling & max. connections

2015-05-04 Thread Andre.Wendel 
Hello everybody,

currently I'm having an open question/topic about web sockets and long polling, 
which I'm not completely sure about the current handling within the Apache web 
server.

The main question is about the mechanism "how websockets connections will be 
handled from the Apache?".

Currently I have the following worker configuration within my Apache webserver 
(worker mpm):

   StartServers80
   ServerLimit160
   MinSpareThreads 25
   MaxSpareThreads250
   ThreadsPerChild 50
   MaxRequestWorkers 8000
   MaxConnectionsPerChild   0

This allows me to accept 8000 simultaneous connections and server more then 
8000 clients, because from my understand Apache takes the connection on hold 
after he has proxied the request and until he get's the response. So normally 
I'm able to serve more than 8000 clients, because not all send requests or get 
a response simultaneously.

But then if I run a client server architecture, which  uses web sockets for 
communication, the socket or connection is normally hold open all the time and 
from my understanding the Apache webserver is not able to take the connection 
in a, let's call it, "hold state". So if I use web sockets is Apache still able 
to server more then 8000 clients/connections with the configuration above, or 
is he no longer able to set connections on hold when proxying websockets?

Also does Apache open one socket within the OS for each connection, because 
then this would limit the usage of 65k clients on one server anyway, or are 
there more connections possible?

Are there any experiences about the maximum number of web socket connections 
and best practices for the Apache by using web sockets? Is it better to run 
apache with the event mpm then the worker mpm within that scenario?

Thanks in advance & Best regards,
André

AW: [users@httpd] Compile apache2.4 with mod_proxy_html/libxml2

2015-04-21 Thread Andre.Wendel 
Hello,

today, I found some time to check your comments and they worked very well! I 
also needed to set the envvars, without them Apache was not able to find the 
libs during make, configure worked without setting the envvars.

Thanks & Cheers,
André

-Ursprüngliche Nachricht-
Von: Rainer Jung [mailto:rainer.j...@kippdata.de] 
Gesendet: Dienstag, 14. April 2015 17:24
An: users@httpd.apache.org
Betreff: Re: [users@httpd] Compile apache2.4 with mod_proxy_html/libxml2

Am 14.04.2015 um 16:34 schrieb andre.wen...@bmw.de:
> Hello,
>
> today I tried to compile the current apache 2.4.12 together with
> mod_proxy_html and xml2enc, but I ran into some problem with libxml2,
> which is currently not installed on the system and I’m not able to
> install the library in the system.
>
> So what I did was to compile libxml2 as shared library with
>
> ./configure --prefix=//libxml2 --enable-shared=yes
> --with-python=no
>
> After that I tried to build the apache with the following parameters:
>
> ./configure
>
> …
>
>--enable-proxy-html \
>
>--enable-xml2enc \
>
>--with-libxml2=${apache_prefix}/libxml2

> I also tried the following:
>
> ./configure
>
> …
>
>--enable-proxy-html \
>
>--enable-xml2enc \
>
>--with-libxml2 \
>
>--with-libxml2-include=${apache_prefix}/libxml2/include \
>
>--with-libxml2-lib=${apache_prefix}/libxml2/lib
>
> But every time the following error comes up,
>
> …
>
> checking whether to enable mod_deflate... shared
>
> checking whether to enable mod_xml2enc... checking dependencies
>
> checking for libxml2... checking for libxml2... no
>
> checking whether to enable mod_xml2enc... configure: error: mod_xml2enc
> has been requested but can not be built due to prerequisite failures
>
> …
>
> Does somebody have any idea, what is the problem or which configuration
> I need to set, so that I can build the apache with mod_proxy_html
> support. But I don’t need to install libxml2 on the system? Is there any
> additional compiler setting needed?

Try

--with-libxml2=${apache_prefix}/libxml2/include/libxml2

(in my libxml2 installation all header files are in a directory 
.../include/libxml2/libxml which should be the default layout of libxml2).

In addition set the following envvars:

MOD_XML2ENC_LDADD="-L${apache_prefix}/libxml2/lib 
-R${apache_prefix}/libxml2/lib"

export MOD_XML2ENC_LDADD

MOD_PROXY_HTML_LDADD="-L${apache_prefix}/libxml2/lib 
-R${apache_prefix}/libxml2/lib"

export MOD_PROXY_HTML_LDADD

(the -R is optional for setting the RUNPATH in the binary module file).

Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Compile apache2.4 with mod_proxy_html/libxml2

2015-04-14 Thread Andre.Wendel 
Hello,

today I tried to compile the current apache 2.4.12 together with mod_proxy_html 
and xml2enc, but I ran into some problem with libxml2, which is currently not 
installed on the system and I'm not able to install the library in the system.

So what I did was to compile libxml2 as shared library with

./configure --prefix=//libxml2 --enable-shared=yes 
--with-python=no

After that I tried to build the apache with the following parameters:

./configure
...
  --enable-proxy-html \
  --enable-xml2enc \
  --with-libxml2=${apache_prefix}/libxml2

I also tried the following:

./configure
...
  --enable-proxy-html \
  --enable-xml2enc \
  --with-libxml2 \
  --with-libxml2-include=${apache_prefix}/libxml2/include \
  --with-libxml2-lib=${apache_prefix}/libxml2/lib

But every time the following error comes up,

...
checking whether to enable mod_deflate... shared
checking whether to enable mod_xml2enc... checking dependencies
checking for libxml2... checking for libxml2... no
checking whether to enable mod_xml2enc... configure: error: mod_xml2enc has 
been requested but can not be built due to prerequisite failures
...

Does somebody have any idea, what is the problem or which configuration I need 
to set, so that I can build the apache with mod_proxy_html support. But I don't 
need to install libxml2 on the system? Is there any additional compiler setting 
needed?

Thanky & Best regards,
André

AW: [users@httpd] Execution order of directives within Apache 2.4

2015-02-23 Thread Andre.Wendel 
Yes, you are completely right and all configurations, which are based on 
executions orders are hackish and I don't try to implement such configurations. 
There just have been some internal questions about the execution order of 
configurations inside apache and I was not fully aware of and so I asked.

The information about the sections topic 
(http://httpd.apache.org/docs/2.4/sections.html), helped me at that point. 

Thanks & cheers,
André

-Ursprüngliche Nachricht-
Von: Nick Kew [mailto:n...@webthing.com] 
Gesendet: Freitag, 20. Februar 2015 14:13
An: users@httpd.apache.org
Betreff: Re: [users@httpd] Execution order of directives within Apache 2.4

On Fri, 20 Feb 2015 12:33:32 +
 wrote:

> 
> Hello everybody,
> 
> I was searching for a description of the exection order of directives and 
> configurations within the apache and I wasn't able to find the documentation 
> about that? E.g. I know that ReverseProxy rules will be executed in the order 
> from top down, also virtual hosts and filters, but I wasn't able to find out 
> what the execution order is if I have e.g. virtual hosts configured and 
> rewrite rules within the main configuration?
> 
> Are there general rules, like the overall order inside the httpd.conf, or the 
> execution is based on the order the single corresponding modules are loaded?

If that kind of esoterica matters to you, it suggests you're
attempting something very hackish and likely to be hard to
maintain.  Best advice is don't.  Failing that, try it and see.

The specific question you put is described in mod_rewrite documentation
(and note that any use of mod_rewrite hints at the likelihood of a hack
that might easily have been necessary in the 1990s, but has long since
become redundant).  Rewrite directives at top level are indeed processed
early, before context-sensitive config.


-- 
Nick Kew

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Execution order of directives within Apache 2.4

2015-02-20 Thread Andre.Wendel 

Hello everybody,

I was searching for a description of the exection order of directives and 
configurations within the apache and I wasn't able to find the documentation 
about that? E.g. I know that ReverseProxy rules will be executed in the order 
from top down, also virtual hosts and filters, but I wasn't able to find out 
what the execution order is if I have e.g. virtual hosts configured and rewrite 
rules within the main configuration?

Are there general rules, like the overall order inside the httpd.conf, or the 
execution is based on the order the single corresponding modules are loaded?

Thanks in advance & best regards,
André

AW: [users@httpd] Any Comparisons? -- mod_wl vs mod_proxy vs mod_jk

2015-02-08 Thread Andre.Wendel 
Hello,

mod_wl has some advantages, mod_proxy does not support i.e. mod_proxy does 
normally only a ping to check if a backend server is available, which normally 
works in 99% even if the web-application behind is not available, so it is 
possible that mod_proxy routes the request to /backend even if /backend is not 
yet available, because the application server has not loaded the application 
yet.

This means mod_wl does a little bit more then just checking if the backend 
server is available via ping, it even checks if the backend url gives a working 
response. Also mod_wl gets information about the all current cluster members 
within the session cookie, so if a server is not available anymore he directly 
knows, which cluster members the plugin can forward the request. Also to 
simulate the load balancing with mod_proxy in front of a weblogic, this must be 
done via a ROUTE_ID within the Apache and can not be done via the sessionid 
like it is done with Glassfish or Tomcat.

But it also has currently some disadvantages i.e. certificate handling via 
oracle wallets.

Currently all our instances are running with mod_proxy and we have normally no 
problems, only in the case an application on ONE cluster member breaks, so that 
the application server is still available but not the application, so in this 
case the only feature I’m currently missing within mod_proxy is an check URL 
feature.

Cheers,
André

Von: Daniel [mailto:dferra...@gmail.com]
Gesendet: Montag, 9. Februar 2015 08:13
An: 
Betreff: Re: [users@httpd] Any Comparisons? -- mod_wl vs mod_proxy vs mod_jk



2015-02-09 2:22 GMT+01:00 Todd Simons 
mailto:tsimons@gmail.com>>:
Hello All
We've been using the generic mod_proxy for years.   We utilize Apache to layer 
in HTTPS from the world into our DMZ, then utilize proxypass/proxypassreverse 
to our internal servers.  Our internal servers vary between iis, weblogic, 
tomcat, and a few others.

mod_proxy has been working great for us.

Recently I've been asked why not mod_wl and mod_jk.   I really have no answer 
and I haven't been able to find much online with regards to advantages of one 
vs another.

Has anyone seen, or have, any links that can help outline the difference?

Thanks,
~Todd


I can tell you about a bit the weblogic plugin.

Latest versions include WLSRequest directive that, according to its 
documentation:
* Lower web server processing overhead in general
* Resolves substantial performance degradation when the web server DocumentRoot 
is on a slow filesystem
* Resolves 403 errors for URIs which cannot be mapped to the filesystem due to 
the filesystem length restrictions

Among the interesting things it offers weblogic plugin dinamically updates the 
weblogic cluster members on first connection, no matter if you didn't specify 
all members of the cluster.

For all related info I would suggest you to check the documentation page which 
describes everything it can do:
http://docs.oracle.com/middleware/1213/webtier/PLGWL/toc.htm

In any case, if you are happy with your actual solution, why change?


--
Daniel Ferradal
IT Specialist

email dferra...@gmail.com
linkedin 
es.linkedin.com/in/danielferradal

[users@httpd] After 414 error page will not be delievered, because of long referer?

2014-10-28 Thread Andre.Wendel 
Hello,

i have a problem with customized ErrorDocuments within the Apache, because if I 
send an GET request to the webserver which provokes an 414 (i.e. an URL which 
is to long), the apache is not able to deliver the error page, only the 
standard page within the related browser will be displayed?

Also I found another problem that, if I create an 403 with an long URL on an 
customized page, additional elements i.e. pictures will not be loaded, because 
the request for the images within the error page breaks, because of an Bad 
Request 400, it seems that the referrer within the request is with the 
additional picture URL leads to an header which is too long.

Is there any possibility to delimit the referrer or to get the customized 
ErrorDocuments working? Or is there another configuration which needs to be 
added?

Regards,
André

AW: [users@httpd] Client certificate auth behind f5 loadbalancer

2014-06-26 Thread Andre.Wendel 
Why do you terminate the ssl on the F5 and not on the Apache-backend? We load 
balance IP/Port-based on the F5 and terminate the SSL on the Apache backend, so 
you would be able to turn on your SSLEngine and Proxy the SSL from the F5 on 
the SSL Standard SSL Port 443 of the Apache and you can do everything you want 
because you have all SSL information.

Cheers,
André

-Ursprüngliche Nachricht-
Von: Eric Covener [mailto:cove...@gmail.com] 
Gesendet: Donnerstag, 26. Juni 2014 00:05
An: users@httpd.apache.org
Betreff: Re: [users@httpd] Client certificate auth behind f5 loadbalancer

On Wed, Jun 25, 2014 at 5:53 PM, Marc Schöchlin  wrote:
> in my understanding authentication using client certificates is just a
> cryptographic validation of a public/private keypair over a already
> established ssl-secured channel.
> For example, it is possible to use a official certificate for the ssl
> channel and my own ca for client certificate validation.

It's part of the handshake, which can be later scrutinized by the
application layer.

However, there is no standard way to share the the client certificate
authenticated by a proxy with a backend origin server, and no way at
all that mod_ssl is willing to receive (that I am aware of)

-- 
Eric Covener
cove...@gmail.com

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

AW: [users@httpd] Problems with mod_proxy_balancer / slotmem_create @ apache 2.4.4

2013-08-30 Thread Andre.Wendel 
Hello Rainer,

all instances have different DefaultRuntimeDirs, I have also checked problems 
regarding the generated *.shm and *.uid-files, but these files are definitely 
not the problem.

The problem here is definitely inside the shared memory of the os (command: 
ipcs), only if there is shared memory or semaphore reserved on the requested 
address the apache comes up, whether or not *.shm files are existing inside the 
DefaultRuntimeDir.

Regards,
André

-Ursprüngliche Nachricht-
Von: Rainer Jung [mailto:rainer.j...@kippdata.de] 
Gesendet: Samstag, 24. August 2013 22:34
An: users@httpd.apache.org
Betreff: Re: [users@httpd] Problems with mod_proxy_balancer / slotmem_create @ 
apache 2.4.4

On 12.08.2013 13:19, andre.wen...@bmw.de wrote:
> since apache version 2.4.4 I have a problem by running multiple apache
> instances on my server. Normally we run multiple apaches, under
> different users, on one machine, but since 2.4.4 we have often the
> problem that apache is not able to reserve shared memory, because some
> other instance is using the same shared memory block.
> 
>  
> 
> The failure in the logs:
> 
>  
> 
> [Fri Aug 09 09:24:31.160654 2013] [:emerg] [pid 23958:tid
> 139658191218496] AH00020: Configuration Failed, exiting
> 
> [Fri Aug 09 11:09:46.919038 2013] [proxy_balancer:emerg] [pid 6549:tid
> 139675464337216] (17)File exists: AH01179: balancer slotmem_create failed
> 
>  
> 
> Also seen from another failure
> 
> 6989  shmget(0x1038007, 537, IPC_CREAT|IPC_EXCL|0600) = -1 EEXIST (File
> exists)
> 
>  
> 
> If I now check the shared memory with "ipcs -a" I see that the segment
> is reserverd by another instance of another user. After waiting a couple
> of minutes (up to hours) the apache is then able to start, but waiting
> is currently not really an option!?
> 
>  
> 
> Currently, I’m using apache 2.4.4 with the newest open ssl and and
> openldap version on Suse Linux 11 SP1/2.
> 
>  
> 
> Is there any work around or solution available, or an idea to solve this
> issue?

Can you try DefaultRuntimeDir ?

Regards,

Rainer

-- 
kippdata
informationstechnologie GmbH   Tel: 0228 98549 -0
Bornheimer Str. 33aFax: 0228 98549 -50
53111 Bonn www.kippdata.de

HRB 8018 Amtsgericht Bonn / USt.-IdNr. DE 196 457 417
Geschäftsführer: Dr. Thomas Höfer, Rainer Jung, Sven Maurmann

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Problems with mod_proxy_balancer / slotmem_create @ apache 2.4.4

2013-08-12 Thread Andre.Wendel 
Hello eveybody,

since apache version 2.4.4 I have a problem by running multiple apache 
instances on my server. Normally we run multiple apaches, under different 
users, on one machine, but since 2.4.4 we have often the problem that apache is 
not able to reserve shared memory, because some other instance is using the 
same shared memory block.

The failure in the logs:


[Fri Aug 09 09:24:31.160654 2013] [:emerg] [pid 23958:tid 139658191218496] 
AH00020: Configuration Failed, exiting

[Fri Aug 09 11:09:46.919038 2013] [proxy_balancer:emerg] [pid 6549:tid 
139675464337216] (17)File exists: AH01179: balancer slotmem_create failed



Also seen from another failure

6989  shmget(0x1038007, 537, IPC_CREAT|IPC_EXCL|0600) = -1 EEXIST (File exists)

If I now check the shared memory with "ipcs -a" I see that the segment is 
reserverd by another instance of another user. After waiting a couple of 
minutes (up to hours) the apache is then able to start, but waiting is 
currently not really an option!?

Currently, I'm using apache 2.4.4 with the newest open ssl and and openldap 
version on Suse Linux 11 SP1/2.

Is there any work around or solution available, or an idea to solve this issue?

Thanks,
André

---
BMW Group
Andre Wendel
Lösungsbau IT, Plattformen
80788 München

Tel: +49-89-382-50385
Mail:andre.wen...@bmw.de
Web: http://www.bmwgroup.com/
--
Bayerische Motoren Werke Aktiengesellschaft
Vorstand: Norbert Reithofer, Vorsitzender,
Milagros Caiña Carreiro-Andree,
Herbert Diess, Klaus Draeger, Friedrich Eichiner,
Harald Krüger, Ian Robertson, Peter Schwarzenbauer.
Vorsitzender des Aufsichtsrats: Joachim Milberg
Sitz und Registergericht: München HRB 42243
--