Re: [users@httpd] Bizarre problem with Apache HTTPD, a number of Tomcats, mod_proxy_balancer and mod_jk - any ideas where to look for the root cause welcome [EXT]

2020-03-18 Thread Dr James Smith
Do you see anything different between the users that work and the users 
that don't? Do they use a different browser (user agent) or HTTP protocol?


On 18/03/2020 12:40, "Jürgen Göres" wrote:

Hi all,

we are currently observing a really bizarre problem on a customer system.
Our software runs a number of microservices on individual Tomcats, which we 
front with an Apache HTTPD (2.4.x) reverse proxy using mod_jk to route the 
requests by context. There is one exception, though: one of the microservices 
which we added to the stack at a later point in time uses websockets, which 
are not supported through the AJP protocol, so we are using mod_proxy_balancer 
here.
We put the ProxyPass etc. rules for mod_proxy_balancer in front of the directives related to mod_jk 
and we have been mostly fine with this approach for a few years now. We have two sets of balancer 
specifications for mod_proxy_balancer and their associated rules, one for regular http traffic, the 
other for websocket traffic ("ws:" resp. "wss:").

Let's name the microservices that are handled by mod_jk A, B, and C,  and let's 
name the one handled by mod_proxy_balancer Z. Let's further assume that their 
request contexts are /a, /b, /c and /z, respectively.

Now about the current customer problem: the customer started experiencing very 
erratic system behaviour. In particular requests that were meant for one of the 
microservices A-C handled by mod_jk would randomly give 404 responses. Usually, 
this situation would persist for an affected user for a few seconds and 
reloading wouldn't resolve it. At the same time, other users accessing the very 
same microservice didn't have a problem. Pretty much all users were affected 
from time to time.

We did several troubleshooting sessions that turned up nothing. At some point, 
we started to monitor all kinds of traffic between HTTPD and the Tomcats with 
TCPdump, and here we found the bizarre thing:
When we ran TCP dump and filtered it to only show traffic between HTTPD and the 
microservice Z (handled by mod_proxy_balancer), we sometimes saw requests that 
were clearly meant for one of the OTHER microservices (A-C) based on the 
request URL (/a, /b, /c) that would show up in the traffic to the microservice 
Z, and naturally microservice Z has no idea of what to do with these requests 
and responds with 404.

What else might be relevant:
- our microservices are stateless, so we can scale horizontally if we want. On 
that particular system, we have at least two instances of each microservice 
(A-C and Z)
- the installation is spread across multiple nodes
- the nodes run on Linux
- Docker is not used ;-)
- we have never seen this problem on any other system
- we haven't seen this problem on the customer's test system, but here usage 
patterns are different
- the requests with 404 responses wouldn't show up in the HTTPD's access log (where 
"normal" 404 requests DO show).
- the customer had recently updated from a version of our product that uses 
Apache 2.4.34 to one using 2.4.41
- disabling the microservice Z (= no more balancer workers for 
mod_proxy_balancer) would resolve the problem
- putting the rules for mod_proxy_balancer after those of mod_jk (and adding an 
exclusion for /z there, because one of the other microservices is actually 
listening on the root context) would NOT change a thing

 From experience, we are pretty sure that the problem is somewhere on our side. 
;-)

- One thing we thought is that maybe a bug in microservice Z that is only 
triggered by this customer's use of our product causes the erratic behaviour of 
the HTTPD/MPB? Maybe something we do wrong messing up the connection keepalive 
between Apache and Tomcat, causing requests to go the wrong way?
- Or maybe it is related to the Apache version update (2.4.34 to 2.4.41)? But 
why are other installations with the same version not affected?

Any ideas where we should start looking?

Regards

J




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org






--
The Wellcome Sanger Institute is operated by Genome Research 
Limited, a charity registered in England with number 1021457 and a 
company registered in England with number 2742969, whose registered 
office is 215 Euston Road, London, NW1 2BE. 





Re: [users@httpd] Complete list of Expires Headers for WordPress site? [EXT]

2020-02-18 Thread Dr James Smith
Do you embed external resources (like fonts)? These don't tend to have 
the same headers set... I get this with one of my static sites - I have 
13 requests and three are for google fonts (nunito-sans) and these don't 
have decent headers set!


On 18/02/2020 19:00, edflecko . wrote:
I mention that I'm running a WP site only if that matters. The OS is 
CentOS 7 and I host the server.


When I test my site with https://tools.pingdom.com, it scores me an 89 
in the area of Expires Headers. I'm hoping someone can tell me what else 
I might want to add, so I have a "complete" list of Expires Headers?


Here's what I have in my httpd.conf file:


# Enable cache expirations
ExpiresActive On
# Default directive
ExpiresDefault "access plus 1 month"
# My favicon
ExpiresByType image/x-icon "access plus 1 year"
# Media: images, video, audio
  ExpiresByType image/gif       "access plus 1 month"
  ExpiresByType image/png       "access plus 1 month"
  ExpiresByType image/jpg       "access plus 1 month"
  ExpiresByType image/jpeg      "access plus 1 month"
  ExpiresByType video/ogg       "access plus 1 month"
  ExpiresByType audio/ogg       "access plus 1 month"
  ExpiresByType video/mp4       "access plus 1 month"
  ExpiresByType video/webm      "access plus 1 month"
# Webfonts
  ExpiresByType font/truetype   "access plus 1 year"
  ExpiresByType font/opentype   "access plus 1 year"
  ExpiresByType application/x-font-woff "access plus 1 year"
  ExpiresByType image/svg+xml   "access plus 1 year"
  ExpiresByType application/vnd.ms-fontobject   "access plus 1 year"
# CSS and JavaScript
  ExpiresByType text/css        "access plus 1 year"
  ExpiresByType application/javascript  "access plus 1 year"
  ExpiresByType text/javascript "access plus 1 year"
  ExpiresByType text/x-javascript       "access plus 1 month"
# Misc. files
  ExpiresByType application/pdf "access plus 1 month"
  ExpiresByType application/x-shockwave-flash   "access plus 1 month"
  ExpiresDefault        "access plus 2 days"


    Header append Cache-Control "public"


Thank you,
Ed





Re: [users@httpd] two servers and sites on single IP

2018-06-29 Thread Dr James Smith

mod_proxy is the standard approach here..

Set up a second vhost on 192.168.0.1 and get that to proxy back to 
192.168.0.2


You will need to specify a small folder as doc root - basically to serve 
error pages! - our error directory has static pages for each error 
message we want to handle + css/images


DocumentRoot /www/place-to-put-error-pages

  ServerName  foo.bar.com
  RewriteEngine   on
  ProxyPreserveHost   on
  ProxyPassReverse    / http://192.168.0.2/
  RewriteCond %{REQUEST_URI}  !^/errors
  RewriteRule (.*) http://192.168.0.2$1   [P,L]
  ErrorDocument 403   /errors/foo.html
  ErrorDocument 500   /errors/foo.html
  ErrorDocument 502   /errors/foo.html
  ErrorDocument 503   /errors/foo.html


To be honest I use this set up on a single box with a lightweight 
frontend that serves errors and a heavyweight backend which serves 
dynamic sites - so that when I need to restart the latter (which can take 
2/3 seconds) we don't lose requests. The front end apache restarts 
really quickly because it is quite small...



On 29/06/2018 16:27, Louis wrote:

On 2018-06-29 10:26 AM, Jerry Arnold wrote:
Does bar.me.com have to run on 192.168.0.2?  There is no reason you 
can't run multiple domains on the same IP


Thanks -- but yes; two separate boxes with different o/s.

I have tried setting up a new "bar.conf" on "foo" -- but am having 
difficulties with directory root:


me@foo:/etc/apache2/sites-available$ apachectl -S
AH00112: Warning: DocumentRoot 
[/etc/apache2/192.168.0.2/usr/share/bar] does not exist

VirtualHost configuration:
192.168.0.2:80    bar.me.com (/etc/apache2/sites-enabled/bar.conf:1)
192.168.0.1:80    k318 (/etc/apache2/sites-enabled/k318.conf:6)
192.168.0.31:*    k318-admin 
(/etc/apache2/sites-enabled/k318-admin.conf:3)



Louis



https://httpd.apache.org/docs/2.4/vhosts/examples.html



For https you can use SNI:


https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI







Jerry Arnold
Principal Engineer/Architect II
o: 1-913-663-9522



*From:* Louis 
*Sent:* Friday, June 29, 2018 9:15:19 AM
*To:* Apache list
*Subject:* [users@httpd] two servers and sites on single IP
Hopefully simple, but I'm now getting confused.  Currently, single
server1 192.168.0.1 (Apache 2.4) running single site foo.me.com on
single static IP. Rock solid for the last six years.

Need to add server2 192.168.0.2 (Apache 2.4) for site bar.me.com on the
same static IP.

What is the fastest, most efficient way for server1 to rewrite |
redirect | proxy  "bar" to 192.168.0.2 and still serve "foo" from
192.168.0.1? (Border router does not accept alpha commands, only
numerical, so I cannot redirect here.)

Many thanks -- Louis




Re: [users@httpd] Trouble updating PHP version on MAMP on Mac

2017-06-01 Thread Dr James Smith
Looks like you are using php5_module with a PHP7 so file - you should be 
using:


LoadModule php7_module /libphp7.0.so


On 01/06/2017 20:26, Roparzh Hemon wrote:

I am not on Apple here, and you don't say whether you are using php-fpm or
not, but assuming that you are, check the start up (sysctl or init.d) file
and be sure that the correct version of PHP is being started.

Thank you for your feedback.
I have no idea what php-fpm is, and my guess is that I'm not using it.
The way I see it, the php I'm using should be the php module inside
Apache, which I specified with the following line in httpd.conf :

LoadModule php5_module /usr/local/php5-7.1.4-20170506-100436/libphp7.so

Roparzh

On Thu, Jun 1, 2017 at 3:58 PM, John Iliffe  wrote:

I am not on Apple here, and you don't say whether you are using php-fpm or
not, but assuming that you are, check the start up (sysctl or init.d) file
and be sure that the correct version of PHP is being started.

John
=
On Wednesday 31 May 2017 03:56:45 Roparzh Hemon wrote:

I'm trying to update the PHP version used in the built-in MAMP on my
Mac, as indicated at
http://aerendir.me/2015/08/01/how-to-upgrade-php-built-in-your-mac-osx/.

After obediently completing all the steps, the "CLI" version is
updated all right:
the output of php -v in my terminal is

PHP 7.1.4 (cli) (built: May  6 2017 10:02:00) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
 with Zend OPcache v7.1.4, Copyright (c) 1999-2017, by Zend
Technologies with Xdebug v2.5.3, Copyright (c) 2002-2017, by Derick
Rethans

But when I look at the phpInfo in my built-in MAMP, I still get the old PHP
version, with the old PHP location.
I tried restarting both Firefox and MAMP.

I'm using Apache2 and Firefox 53.0.2 on Mac OS 10.11.3.




Re: [users@httpd] I need help figuring out a 500 response code

2017-05-02 Thread Dr James Smith
Is there an error.log in the same directory? This is usually in the same 
directory; this should contain some information about why the system failed.



On 03/05/2017 07:41, John Covici wrote:

Hi.  I am having major problems figuring out a 500 response code I am
getting on my server.

I am using apache 2.4.25 on gentoo linux up to date as of a few days
ago.

So, I have installed owncloud which is a cloud server written in php and
it has worked for a long time, but for a few days I have gotten 500
when I try to access it.  Now, I am using https normally to access and
when I look at the error_log, I get just one line like this:

[Wed May 03 02:14:37.074791 2017] [ssl:info] [pid 22312] [client
192.168.0.2:56613] AH01964: Connection to child 0 established (server
ccs.covici.com:443)

If I change the loglevel to debug, I get all kinds of ssl information
and the lines saying that requireall was granted, but nothing about
the error.

Now, if I change to http access, on my access_log I get lines like the
following:

192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud HTTP/1.1"
301 295
192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud HTTP/1.1"
301 295 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0;
rv:11.0) like Gecko"
192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud HTTP/1.1"
301 295 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0;
rv:11.0) like Gecko"
192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud/ HTTP/1.1"
302 -
192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud/ HTTP/1.1"
302 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0)
like Gecko"
192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET /owncloud/ HTTP/1.1"
302 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0)
like Gecko"
192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET
/owncloud/index.php/login HTTP/1.1" 500 -
192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET
/owncloud/index.php/login HTTP/1.1" 500 - "-" "Mozilla/5.0 (Windows NT
10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.168.0.2 - - [03/May/2017:02:33:38 -0400] "GET
/owncloud/index.php/login HTTP/1.1" 500 - "-" "Mozilla/5.0 (Windows NT
10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"

Now, owncloud has their own log, but I get nothing in it.

So, my question is how to find out more about why I am getting the 500
response and what I can do about it.

Thanks in advance for any suggestions.








Re: [users@httpd] redirect port from 80 to 443

2017-02-18 Thread Dr James Smith
As I only run HTTPS - I have the following on port 80 - (this can't be 
done with redirect)




  ...
  ...
  ...

  RewriteEngine on
  RewriteCond   %{REQUEST_URI} !^/.well-known/acme-challenge
  RewriteRule   ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=permanent,L,NE]



So I only have one port 80 configuration - even tho' I'm running 
something like 30 sub-domains on one machine and 70 sub-domains on the 
other...


{There is some other stuff associated with this - and I've got HSTS 
headers set - and preloaded where I can - so most browsers won't hit the 
port 80 anyway!}



On 18/02/2017 19:00, Daniel wrote:
Yes please, let's stay away from convoluted and most times unnecessary 
mod_rewrite examples to do simpleton configurations.


If you are in virtualhost 80, you have specified servername correctly 
and you just want to redirect to ssl, why not a single Redirect statement?


As Yann's referred document says:
Redirect / https://something.example.com/

Most people here know this but there are gazillions of web pages 
referring to bad advice, duct tape solutions and convoluted ways of 
using mod_rewrite for a simple redirection when placed in proper 
context, we need to finish with that trend, and the best way is to 
give simple, straight to the point examples "first".


The mod_rewrite example given, let's slice it out:
> RewriteCond %{HTTP_HOST} =www.example.com
> RewriteCond %{SERVER_PORT} =80
> RewriteRule ^(.*)$ https://www.example.com/$1 [R]

This clearly assumes it is a generic recipe in a .htaccess somewhere 
which can be read from a non-SSL virtualhost or non-SSL virtualhost 
(just to be ignored).


1º It checks the host name, but why? if you have defined a VirtualHost 
with that servername and there are no conflicts the request is already 
landing there.
2º It checks for port 80. But we are redirecting to SSL, so we are 
already on port 80, why check it?

3º Can be replaced with a Redirect as mentioned above.

So instead of giving out recipes for .htaccess thought out for an 
aging era or shared virtualhosting, let's recommend the ideal 
virtualhost context recipe first as Yann proposed earlier:


Define the virtualhost with the names you serve.

ServerName something.example.com 
Redirect / https://something.example.com/


There is no guessing here, no unnecessary directives and it's hard to 
miss or confuse with other directives and the context where it resides 
is crystal clear.


Later on, when things need to be complicated, then I guess we can use 
"If" or "mod_rewrite", and recommend it as needed.



2017-02-18 19:38 GMT+01:00 Richard:

> Date: Saturday, February 18, 2017 11:04:34 -0700
> From: James Moe <ji...@sohnen-moe.com>
>
> On 02/18/2017 05:08 AM, Rodrigo Cunha wrote:
>> i want redirect all request from port 80 to 443.
>> what is better setting for fix this?
>>
>   Better than what?
>   Fix? Is it broken?
>
> RewriteCond %{HTTP_HOST} =www.example.com 
> RewriteCond %{SERVER_PORT} =80
> RewriteRule ^(.*)$ https://www.example.com/$1 [R]

Perhaps, better than using a "rewrite"? See the documentation
reference, given in an earlier post:

  >

that has this as a specific example of when/why to use a "redirect"
rather than a "rewrite".








--
*Daniel Ferradal*
IT Specialist

email dferradal at gmail.com 
linkedin es.linkedin.com/in/danielferradal 
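
An added example, not part of the thread: a Python model of the port-80 rule posted above, comparing the RewriteCond pattern as written with a tightened variant, to show which paths stay on plain HTTP under each. The tightened pattern, the sample paths and the function names are assumptions of this example; Python's `re` stands in for PCRE.

```python
import re

# Pattern exactly as in the RewriteCond on the page (negated in the config).
PAGE_PATTERN = r"^/.well-known/acme-challenge"
# Tightened variant (an assumption of this example, not from the thread):
# literal dot plus a trailing slash, so only the challenge directory is exempt.
STRICT_PATTERN = r"^/\.well-known/acme-challenge/"


def port80_action(server_name, request_uri, exempt_pattern):
    """Model the port-80 rule: a path matching the exemption is served
    locally over HTTP; everything else gets a permanent redirect to
    https://SERVER_NAME + REQUEST_URI."""
    if re.search(exempt_pattern, request_uri):
        return ("serve", request_uri)
    return ("redirect", "https://" + server_name + request_uri)


# Constructed sample request paths.
SAMPLES = [
    "/",
    "/login",
    "/.well-known/acme-challenge/tok3n",
    "/.well-known/acme-challenge-backup/notes.txt",
    "/xwell-known/acme-challenge/tok3n",
]


def compare(server_name="www.example.org"):
    """Return (path, action with page pattern, action with strict pattern)."""
    rows = []
    for uri in SAMPLES:
        loose = port80_action(server_name, uri, PAGE_PATTERN)[0]
        strict = port80_action(server_name, uri, STRICT_PATTERN)[0]
        rows.append((uri, loose, strict))
    return rows


if __name__ == "__main__":
    for uri, loose, strict in compare():
        print(f"{uri:48} page={loose:9} strict={strict}")
```

The last two sample paths are exempt under the pattern as posted because the dot is unescaped and nothing anchors the end of the directory name.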







Re: [users@httpd] Copyright notices in httpd source files

2016-12-28 Thread Dr James Smith
At work all our software is open source - but we have to include a 
copyright notice in all source files where possible - as we then 
distribute the content under LGPL. The logic is that if we didn't claim 
copyright on the contents of the source - someone else might claim it 
and make it closed source.



On 28/12/2016 22:44, Christopher Schultz wrote:


All,

Is it common to have a copyright notice in httpd C source files?

Jim committed a donation of code for HAProxy's PROXY protocol in
r1776076 and later. (Thanks, by the way: I've been hoping to get this
in 2.4 for a while so consider me a big (karma-less) +1 for back-port
of this module).

The C source
https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_proxy_protocol.c?view=markup&pathrev=1776076
file contains this copyright claim:

Copyright 2014 Cloudzilla Inc.

I haven't pulled the source to see if other such claims exist in other
source files, but I have never noticed a copyright claim in other ASF
projects.

Is this a simple oversight or should the copyright notice remain?

Thanks,
-chris

PS Special thanks to Dan Ruggeri who was working on this independently
of the donation with me, and who missed his own commit of virtually
the same code by a few hours.



Re: [users@httpd] resources prioritization/scheduler (app vs assets)

2016-12-10 Thread Dr James Smith
Before you get into trying to resolve issues with load there are a few 
things to consider:


Your "model" of traffic is probably wrong...

 * Have you seen this traffic shape? If a user requests a page - it
   will probably be a few milliseconds before the browser requests the
   first static file, they will usually limit themselves to something
   like 4, 6 or 8 parallel requests (pipelining) to minimize the
   DNS/connect/handshake/disconnect phases;
 * Even if you have large numbers of simultaneous users the amount of
   traffic won't be as bursty as you say - as they won't all hit "go"
   at the same time;
 * The larger overheads are more likely to be up stream in network etc.

Now to reduce load ...

 * Look at a dedicated caching layer in front of apache. e.g. varnish
   which can cache the static content; get your headers right so that
   browsers + upstream caches cache your content;
 * Look at the apache event mpm - which is much lighter than the other
   mpms (prefork/threaded)
 * Do you need 40 assets or can you do optimization on these (e.g.
   merging css/js files) reducing images, icon fonts, css, spriting
   etc; I have taken a site requiring 100s of assets and gained by
   reducing these to 10-15...
 * If you are worried about performance on such a small box then
   redesign so that the site isn't heavy!
 * Look at offloading some resources to 3rd party CDNs (e.g. fonts core
   js-libraries etc)

Look at your hardware - if you are this worried - 1G is a very small box 
- look at getting a larger server - most are virtual anyway... then you 
need to look at the type of HDD etc..


 * 1G is a small server you would get gains by having a bigger server
   (and probably wouldn't cost much more!)

If you want this level of resilience you probably need to look at load 
balancing over multiple servers - then you can dedicate some to static 
servers and some dynamic servers...


On 10/12/2016 14:22, Raphaël wrote:

Hi,

I've a question on how to prioritize traffic in order to optimize
the service in the case of traffic bursts:


Context:
* a server with finite resources (let's say 1 GB mem)
* a PHP application: initial page load needs 100 MB (index.php)
* for each page load (index.php) approx:
   * ~ 40 subsequent assets (static files) are needed
   * serving assets is, obviously, quicker than serving index.php
* I assume, and decide, that PHP-FPM must not use more than 700MB
* I want to avoid "broken" pages (missing assets/images/...) as much as possible


Thus PHP-FPM is configured to allow no more than 7 children.
The Apache MaxRequestWorkers (worker MPM) is set to be strictly greater than
7*40 (let's say 350)


Now imagine a traffic burst with 200 distinct clients simultaneously
hitting the main page (wow!)
They now occupy 57% of the Apache workers, 193 of them waiting for a
PHP-FPM child. ( "max" default value being ThreadsPerChild)

... some hundreds of milliseconds later...

The 7 first clients having been served, each one now requests 40 more assets.
And the situation is then as follows:

* 7 hits on index.php were already processed successfully
* 7 currently being processed by PHP-FPM (still occupying Apache workers)
* 186 queued Apache workers hits /index.php, waiting for PHP-FPM/proxy-fcgi
* 7*40 = 280 new hits for assets (subsequent resources needed by the 7 first 
clients)
* 157 of them immediately get an available Apache worker and can be
  served (157+186+7 == 350)
* >>>  123 assets will NOT get an available worker  <<< PROBLEM HERE


In the "best" case these 123 requests, which should have been served
*now*, will end up in the ListenBackLog and wait the 157 first assets to
be served first and liberate their workers.

The server works virtually *as* if only 350-200 = 150 workers were
available (150 being < 280, which is the typical workers implication
for 7 pages-load)

200 being the (unpredictable/variable) "intensity" of the burst, I would
like to know of a better way to handle such a situation.


The first ideas that come to mind is service shaping (prioritization/quotas):
How to make Apache only accept 1/40 of the traffic to the fcgi php-fpm proxy.
Sample heuristic:

If all workers are used (350/350), we "compute" which proportion is
dedicated to index.php. If it's superior to a given configurable
threshold, then free some of the workers dedicated to this resource
in order to accept assets-directed resources.


I'm curious about possible solutions.
Thank you for reading.


Re: [users@httpd] Mod_Substitute - Match the last occurrence of a string in the response

2016-11-23 Thread Dr James Smith
Why are you attaching after the last meta tag - wouldn't it be easier 
just before the  tag or just after the  tag - you should 
have no other js in the header - except possibly an HTML 5 shim...



On 23/11/2016 08:08, Mayuresh wrote:


Any suggestions?


On Nov 22, 2016 11:32 AM, "Mayuresh" wrote:


Is there a way to make a 2 pass substitution? 1st one removing all
the \n's and then using another one to substitute the string that
I want?

On Tue, Nov 22, 2016 at 11:15 AM, Mayuresh
<mayuresh.kshirsa...@gmail.com> wrote:

Hi Jason,

I tried it:

Substitute "s%(]*>).*?$%$1window['start-time'] = new
Date().getTime();window['app-key'] = \"xxx\";%i"


However it still replaces each line that the meta tag appears on.


Regards,

Mayuresh


On Tue, Nov 22, 2016 at 11:12 AM, Mayuresh
<mayuresh.kshirsa...@gmail.com> wrote:

Hi Jason,

Each meta tag is appearing on a separate line. Will it
work even then? Trying it out any ways.

Thanks,
Mayuresh

On Tue, Nov 22, 2016 at 10:41 AM, Jason Brooks
<jason.bro...@eroi.com> wrote:

Hello,

According to the Apache Glossary page, it's all PCRE based. So you
should be able to use the “non-greedy” match.  So
instead of .* which will match all instances, use
.*?.  If you anchor it at the end of the string,
something like (text you are matching against).*?$,
then you can be certain of getting the last one.

—jason

Jason Brooks
Systems Administrator
eROI










On Nov 22, 2016, at 8:50 AM, Mayuresh
<mayuresh.kshirsa...@gmail.com> wrote:

Hi,

How can I check for the last occurrence of a string
in the response html and only replace the last
occurrence of it?

I want to search for the last "meta" tag in the
response and replace it with something.

How can I do this?

Thanks,
Mayuresh





-- 
-Mayuresh





-- 
-Mayuresh





-- 
-Mayuresh








Re: [users@httpd] Mod_Substitute - Match the last occurrence of a string in the response

2016-11-22 Thread Dr James Smith
Never used mod_substitute - but the standard PCRE way is s/(.*)>/$1/mxs - the .* will capture greedily - so captures all but last 
meta...




On 22/11/2016 16:50, Mayuresh wrote:

Hi,

How can I check for the last occurrence of a string in the response 
html and only replace the last occurrence of it?


I want to search for the last "meta" tag in the response and replace 
it with something.


How can I do this?

Thanks,
Mayuresh
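
An added example, not part of either Mod_Substitute thread: mod_substitute applies its pattern to one line of the response at a time, which matches the report in the 2016-11-23 thread that every line holding a meta tag was changed. The Python below (its `re` module standing in for PCRE) contrasts the greedy whole-document match with per-line application and with anchoring on a tag that occurs once; the sample HTML, the `<meta>` pattern, the `</head>` anchor and the function names are assumptions of this example.

```python
import re

# Constructed response body: each meta tag on its own line, as in the thread.
HTML = (
    "<html>\n<head>\n"
    '<meta charset="utf-8">\n'
    '<meta name="viewport" content="width=device-width">\n'
    '<meta name="description" content="demo">\n'
    "<title>demo</title>\n</head>\n<body></body>\n</html>\n"
)
# Constructed snippet to inject (stands in for the start-time script).
SNIPPET = "<script>window['start-time'] = new Date().getTime();</script>"

META = r"<meta\b[^>]*>"


def _append_snippet(match):
    # Keep what was matched and add the snippet after the meta tag.
    return match.group(1) + match.group(2) + SNIPPET


def whole_document_greedy(body):
    """Greedy (.*) with DOTALL runs to the end of the document and then
    backtracks, so the meta tag that finally matches is the last one."""
    pattern = re.compile(r"(.*)(" + META + r")", re.DOTALL | re.IGNORECASE)
    return pattern.sub(_append_snippet, body, count=1)


def line_by_line(body):
    """The same pattern applied to each line separately: every line that
    holds a meta tag has a 'last occurrence' of its own."""
    pattern = re.compile(r"(.*)(" + META + r")", re.IGNORECASE)
    return "".join(
        pattern.sub(_append_snippet, line, count=1)
        for line in body.splitlines(keepends=True)
    )


def before_closing_head(body):
    """Per-line substitution anchored on a tag that occurs once, so the
    line-based behaviour no longer matters."""
    pattern = re.compile(r"(</head>)", re.IGNORECASE)
    return "".join(
        pattern.sub(lambda m: SNIPPET + m.group(1), line, count=1)
        for line in body.splitlines(keepends=True)
    )


if __name__ == "__main__":
    print("greedy, whole document:", whole_document_greedy(HTML).count(SNIPPET))
    print("greedy, line by line:  ", line_by_line(HTML).count(SNIPPET))
    print("before </head>:        ", before_closing_head(HTML).count(SNIPPET))
```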






Re: [users@httpd] Random Internal Server Error 500 after apache and system update

2016-10-02 Thread Dr James Smith
Things you can do are trying to track down if there is any pattern - are 
these first request on a child, "nth" request on a child etc... we add 
additional variables to access logs which include things such as 
PID/request no in PID, memory usage before and after etc. This allows us 
sometimes to see patterns in errors which aren't normally easy to see..

Saying that it may not help you here...

Another thing you can do with ab is check to see if it is OK under lower 
load?


Finally I find "siege" better than "ab" when it comes to testing as it 
is more configurable - you can send it a list of URLs - run test for 
"n-seconds" rather than "n-requests" which is more useful if you don't 
know how long things take to return!


James
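
An added example, not part of the thread: one way to look for the patterns described above, assuming an access log format that appends the child PID (`%P`), the keep-alive request count on the connection (`%k`) and the request time in microseconds (`%D`). The `LogFormat` nickname, the field labels and the sample lines are constructed for this example; the per-child request number is derived by counting logged lines per PID.

```python
import re
from collections import Counter, defaultdict

# Assumed httpd.conf line producing the sample below (the format specifiers
# are standard mod_log_config ones; the "diag" nickname is this example's):
#   LogFormat "%h %l %u %t \"%r\" %>s %b pid=%P ka=%k us=%D" diag
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'pid=(?P<pid>\d+) ka=(?P<ka>\d+) us=(?P<us>\d+)$'
)

# Constructed sample log lines (one deliberately malformed).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Sep/2016:19:09:01 +0200] "GET /test.txt HTTP/1.1" 200 52 pid=30339 ka=0 us=410
192.0.2.10 - - [30/Sep/2016:19:09:01 +0200] "GET /test.txt HTTP/1.1" 200 52 pid=30339 ka=1 us=395
192.0.2.11 - - [30/Sep/2016:19:09:02 +0200] "GET /app/index.php HTTP/1.1" 500 - pid=30412 ka=0 us=91234
192.0.2.10 - - [30/Sep/2016:19:09:02 +0200] "GET /test.txt HTTP/1.1" 200 52 pid=30339 ka=2 us=402
192.0.2.11 - - [30/Sep/2016:19:09:03 +0200] "GET /app/index.php HTTP/1.1" 200 1843 pid=30412 ka=1 us=20110
192.0.2.12 - - [30/Sep/2016:19:09:03 +0200] "GET /app/index.php HTTP/1.1" 500 - pid=30518 ka=0 us=88410
truncated line without the extra fields
192.0.2.12 - - [30/Sep/2016:19:09:04 +0200] "GET /app/index.php HTTP/1.1" 200 1843 pid=30518 ka=1 us=19877
192.0.2.13 - - [30/Sep/2016:19:09:04 +0200] "GET /app/index.php HTTP/1.1" 200 1843 pid=30412 ka=0 us=20544
"""


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            rec = match.groupdict()
            for key in ("status", "pid", "ka", "us"):
                rec[key] = int(rec[key])
            yield rec


def error_profile(lines):
    """Summarise 5xx responses by position in the child's request sequence,
    by keep-alive count and by PID."""
    seen = defaultdict(int)   # requests logged so far, per PID
    by_ordinal = Counter()    # nth request in the child -> number of 5xx
    by_keepalive = Counter()  # %k value -> number of 5xx
    by_pid = Counter()        # PID -> number of 5xx
    errors = 0
    for rec in parse(lines):
        seen[rec["pid"]] += 1
        if rec["status"] >= 500:
            errors += 1
            by_ordinal[seen[rec["pid"]]] += 1
            by_keepalive[rec["ka"]] += 1
            by_pid[rec["pid"]] += 1
    return {
        "errors": errors,
        "by_ordinal": dict(by_ordinal),
        "by_keepalive": dict(by_keepalive),
        "by_pid": dict(by_pid),
    }


if __name__ == "__main__":
    for name, value in error_profile(SAMPLE_LOG.splitlines()).items():
        print(f"{name}: {value}")
```

In the constructed sample both errors are the first request logged for their child, which is the kind of pattern that is hard to see in the default log format.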

On 02/10/2016 09:02, Daniel wrote:
I would bet on your method of parsing php and the scripts being run, 
in any case to be sure:


Try the strace approach:
strace -o /tmp/outputfile -s 5000 httpd -X
or
strace -ff -F -s200 -o /tmp/strace.out -p PID


to try to find out what's really going on.

2016-09-30 20:19 GMT+02:00 Fabio F.Gervasi:


Hi!

I have additional information:

/var/log/httpd/error_log, at "crash time": [Fri Sep 30
19:09:03.897325 2016] [mpm_event:trace4] [pid 30339:tid
139796798162688] event.c(930): socket reached timeout in
lingering-close state

What do you think?



2016-09-30 14:47 GMT+02:00 Fabio F.Gervasi <fabio.gervas...@gmail.com>:

Hi!

Thank you for your reply. I tried the following tests.

*1) Using a little text file:*
*# ab -k -c 100 -n 2000 localhost/test.txt*
This is ApacheBench, Version 2.3 <$Revision: 1748469 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd,
http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking localhost (be patient)
Completed 200 requests
Completed 400 requests
Completed 600 requests
Completed 800 requests
Completed 1000 requests
Completed 1200 requests
Completed 1400 requests
Completed 1600 requests
Completed 1800 requests
Completed 2000 requests
Finished 2000 requests


Server Software:Apache/2.4.23
Server Hostname:localhost
Server Port:80

Document Path:  /test.txt
Document Length:52 bytes

Concurrency Level:  100
Time taken for tests:   2.521 seconds
Complete requests:  2000
*Failed requests:16*
   (Connect: 0, Receive: 0, Length: 16, Exceptions: 0)
Keep-Alive requests:1984
Total transferred:  950336 bytes
HTML transferred:   103168 bytes
Requests per second:793.45 [#/sec] (mean)
Time per request:   126.032 [ms] (mean)
Time per request:   1.260 [ms] (mean, across all
concurrent requests)
Transfer rate:  368.18 [Kbytes/sec] received

Connection Times (ms)
  min  mean[+/-sd] median   max
Connect:01   3.8  021
Processing: 1  123 126.5 83   772
Waiting:0  123 126.7 83   772
Total:  1  124 126.6 85   772

Percentage of the requests served within a certain time (ms)
  50% 85
  66%154
  75%201
  80%229
  90%303
  95%373
  98%452
  99%547
 100%772 (longest request)

/I obtain 16 failed requests, but if I run more again I obtain
a different number./

*2) Using a big gif file:*
*# ab -k -c 100 -n 2000 localhost/it-vis-animation.gif*
This is ApacheBench, Version 2.3 <$Revision: 1748469 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd,
http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking localhost (be patient)
Completed 200 requests
Completed 400 requests
Completed 600 requests
Completed 800 requests
Completed 1000 requests
Completed 1200 requests
Completed 1400 requests
Completed 1600 requests
Completed 1800 requests
Completed 2000 requests
Finished 2000 requests


Server Software:Apache/2.4.23
Server Hostname:localhost
Server Port:80

Document Path:  /it-vis-animation.gif
Document Length:8105309 bytes

Concurrency Level:  100
Time taken for tests:   26.294 seconds
Complete requests:  2000
*Failed requests:0*
Keep-Alive requests:2000
Total transferred:  16211484000 bytes
HTML transferred:   16210618000 bytes
Requests per 
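
One way to look for the per-child pattern suggested in the reply above (is the failure the first or the nth request on a child?), as an added example rather than code from the thread. It assumes a custom access-log format ending in `%>s %P`, and the log lines are constructed.

```python
import re
from collections import Counter

# Assumed LogFormat for this example (not taken from the thread):
#   LogFormat "%h %t \"%r\" %>s %P" pidlog
# %P is the process ID of the child that served the request.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<pid>\d+)$'
)

# Constructed sample log in file order; the last line is deliberately malformed.
SAMPLE_LOG = """\
127.0.0.1 [30/Sep/2016:19:09:01 +0200] "GET /index.php HTTP/1.1" 500 30339
127.0.0.1 [30/Sep/2016:19:09:01 +0200] "GET /index.php HTTP/1.1" 500 30340
127.0.0.1 [30/Sep/2016:19:09:02 +0200] "GET /index.php HTTP/1.1" 200 30339
127.0.0.1 [30/Sep/2016:19:09:02 +0200] "GET /test.txt HTTP/1.1" 200 30340
127.0.0.1 [30/Sep/2016:19:09:03 +0200] "GET /index.php HTTP/1.1" 200 30339
127.0.0.1 [30/Sep/2016:19:09:03 +0200] "GET /index.php HTTP/1.1" 500 30341
127.0.0.1 [30/Sep/2016:19:09:04 +0200] "GET /test.txt HTTP/1.1" 200 30340
127.0.0.1 [30/Sep/2016:19:09:04 +0200] "GET /index.php HTTP/1.1" 200 30341
127.0.0.1 [30/Sep/2016:19:09:05 +0200] "GET /index.php HTTP/1.1" 200 30340
truncated line without status or pid
"""


def parse_log(text):
    """Return (records, skipped): parsed requests in file order, unparseable line count."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1
            continue
        records.append({
            "time": m.group("time"),
            "request": m.group("request"),
            "status": int(m.group("status")),
            "pid": int(m.group("pid")),
        })
    return records, skipped


def number_within_child(records):
    """Add 'nth': the ordinal of each request within the child that served it."""
    seen = Counter()
    numbered = []
    for rec in records:
        seen[rec["pid"]] += 1
        numbered.append(dict(rec, nth=seen[rec["pid"]]))
    return numbered


def errors_by_ordinal(numbered):
    """Map request ordinal -> (5xx count, total count) across all children."""
    totals, errors = Counter(), Counter()
    for rec in numbered:
        totals[rec["nth"]] += 1
        if rec["status"] >= 500:
            errors[rec["nth"]] += 1
    return {n: (errors[n], totals[n]) for n in sorted(totals)}


def report(text):
    """Render the per-ordinal error table as text."""
    records, skipped = parse_log(text)
    lines = ["parsed={} skipped={}".format(len(records), skipped)]
    for n, (bad, total) in errors_by_ordinal(number_within_child(records)).items():
        lines.append("request #{} on a child: {}/{} returned 5xx".format(n, bad, total))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

In the constructed sample every 5xx is the first request served by a child, which is the kind of pattern the extra log fields are meant to expose.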

Re: [users@httpd] Apache losing its connection from Tomcat in few minutes

2016-09-04 Thread Dr James Smith
You don't give enough information about the setup to solve any of your 
problems really.


Are the apache/tomcat/cms on the same box or different?

We have seen big problems with mod_jk when there are firewalls involved 
(so much so we don't use it any more but use mod_proxy instead) - 
connections are severed by the firewall - you need to look up "tcp keep 
alive" settings for your connections - but even then that doesn't help - 
mod_jk doesn't handle this situation well... (ditto nginx, mod_fcgi etc 
none of them really handle any form of flakiness when it comes to 
network well)


And also mod_proxy is a lot easier to set up than mod_jk - and the 
slight overhead of not-compressing the apache headers/possibly 
renegotiating connections will not be significant if your CMS is taking 10 
seconds to return - which is already about 9 seconds too long anyway!


Other things - shared file systems are generally a bad idea in a web 
environment - (esp NFS) as overhead/stability issues can be critical in 
high volume webservers..


Now for mod_proxy for what you want to do!

ProxyPass /files !
ProxyPass / http://tomcatserver:port/
ProxyPassReverse / http://tomcatserver:port/

Caching probably isn't an issue now - or shouldn't be... as your static 
content is being served via Apache directly - but I would read up on web 
optimisation in general:


 * How to minimize number of resources in a web page;
 * Setting cache control, etag headers etc to stop the client
   re-requesting resources;
 * Using mod_deflate correctly [ Note turn off deflate on tomcat - DO
   NOT GET IT TO COMPRESS CONTENT!]
 * Look at avoiding redirects etc if possible

Only when you have resolved all those issues then will you want to look 
at setting up "dumb server" caching - because unless you understand it 
well it can cause more problems than it solves! and anyway getting the 
cache headers right will make it easier! Get servers closer to the user 
caching content is always the best way!!!


James


On 04/09/2016 09:48, Jayaram Ponnusamy wrote:

Dear All,

In our Environment we are using Apache HTTP and Tomcat as AppServer on 
J2EE based CMS System, and we are using AJP 1.3 connector (Apache 
HTTPD, Tomcat, CMS are in separate systems)


Normally accessing the sites & pages through WebServer URL is very 
slow compared to using Tomcat URL.


The weird behavior is Apache HTTP is losing connection with Tomcat in 
few minutes (eg 10-15minutes) then we have to hit the WebServer URL 
continuously or reboot httpd to resolve this issue.


In the MOD_JK Logs we could see below errors.

[Sun Sep 04 01:17:34 2016][7945:488081152] [info] 
ajp_connection_tcp_get_message::jk_ajp_common.c (1150): (prd_live_svr) 
can't receive the response header message from tomcat, network 
problems or tomcat (10.100.116.31:9009 ) is 
down (errno=110)
[Sun Sep 04 01:17:34 2016][7945:488081152] [error] 
ajp_get_reply::jk_ajp_common.c (1962): (prd_live_svr) Tomcat is down 
or refused connection. No response has been sent to the client (yet)
[Sun Sep 04 01:17:34 2016][7945:488081152] [info] 
ajp_service::jk_ajp_common.c (2447): (prd_live_svr) sending request to 
tomcat failed (recoverable),  (attempt=1)
[Sun Sep 04 03:35:02 2016]prd_live_svr cmsliv.com  
32.624815
[Sun Sep 04 03:36:02 2016][13358:488081152] [info] 
ajp_process_callback::jk_ajp_common.c (1788): Writing to client 
aborted or client network problems
[Sun Sep 04 03:36:02 2016][13358:488081152] [info] 
ajp_service::jk_ajp_common.c (2447): (prd_live_svr) sending request to 
tomcat failed (unrecoverable), because of client write error (attempt=1)
[Sun Sep 04 03:36:02 2016]prd_live_svr cmsliv.com  
39.879029
[Sun Sep 04 03:36:02 2016][13358:488081152] [info] 
jk_handler::mod_jk.c (2608): Aborting connection for worker=prd_live_svr


Errors Log:
[Sun Sep 04 09:32:00 2016] [debug] proxy_util.c(1921): proxy: worker 
proxy:reverse already initialized
[Sun Sep 04 09:32:00 2016] [debug] proxy_util.c(2017): proxy: 
initialized single connection worker 0 in child 24423 for (*)
[Sun Sep 04 09:54:24 2016] [debug] proxy_util.c(1901): proxy: grabbed 
scoreboard slot 0 in child 24513 for worker proxy:reverse
[Sun Sep 04 09:54:24 2016] [debug] proxy_util.c(1921): proxy: worker 
proxy:reverse already initialized
[Sun Sep 04 09:54:24 2016] [debug] proxy_util.c(2017): proxy: 
initialized single connection worker 0 in child 24513 for (*)
[Sun Sep 04 09:54:29 2016] [debug] proxy_util.c(1901): proxy: grabbed 
scoreboard slot 0 in child 24514 for worker proxy:reverse
[Sun Sep 04 09:54:29 2016] [debug] proxy_util.c(1921): proxy: worker 
proxy:reverse already initialized
[Sun Sep 04 09:54:29 2016] [debug] proxy_util.c(2017): proxy: 
initialized single connection worker 0 in child 24514 for (*)
[Sun Sep 04 10:01:48 2016] [debug] proxy_util.c(1901): proxy: grabbed 
scoreboard slot 0 in child 24563 for worker proxy:reverse
[Sun Sep 04 10:01:48 2016] [debug] proxy_util.c(1921): pr

Re: [users@httpd] How to restart apache after reboot on ubuntu 16.04?

2016-08-17 Thread Dr James Smith
It may be possible to write your own auto-renewal script relatively 
easily for LetsEncrypt. I have done for Apache as (a) I don't use the 
standard paths and setup, (b) I wish to use HPKP on my servers for 
additional security and "Lets Encrypt" auto scripts generate a new key 
each time which breaks this (the signature changes and is unpredictable) 
- so my script generates a lets encrypt request with the appropriate key 
(either the same OR the backup key I've already generated) I now have a 
relatively simple script which reads my config file and generates keys 
accordingly if required (the only thing it doesn't do is restart the 
server for the new certificates to be read) but it does inform me this 
is happening. It shouldn't be too difficult for nginx to do similar





On 17/08/2016 20:23, R wrote:
It seemed like the auto-renewal process for ssl from LetsEncrypt is 
not supported yet for nginx, at least according to this article on its 
publication date:


https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

My needs are really simple and I wanted to go with whichever would be 
simpler to setup.



Re: [users@httpd] How to restart apache after reboot on ubuntu 16.04?

2016-08-17 Thread Dr James Smith
Depends on your backends - nginx is good if it is serving primarily 
static files and or proxying back to quick responding backends. It seems 
to be less well suited to slower/heavier backends. Apache always seems 
to work - slower mind you - but always seems to work... So if 
reliability is your requirement then nginx may be a problem!



On 17/08/2016 19:41, Erik Dobák wrote:

why did not you use nginx anyway? should be faster and modern. did not
have the chance to try that yet myself. still using apache everywhere.

On 17 August 2016 at 03:18, R wrote:

Ugh sorry, I had a test installation of nginx on the machine, which was not
fully removed after doing "apt-get remove". Looks like it would still start
up somehow. After I purged nginx, then apache2 started ok after reboot.

Thanks

On Tue, Aug 16, 2016 at 8:57 PM, R wrote:

Hi, this is everything from cat /var/log/apache2/error.log:

[Mon Aug 15 13:42:17.138117 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00489: Apache/2.4.18 (Ubuntu) configured -- resuming
normal operations
[Mon Aug 15 13:42:17.138282 2016] [core:notice] [pid 26081:tid
139773925775232] AH00094: Command line: '/usr/sbin/apache2'
[Mon Aug 15 14:55:14.003814 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00493: SIGUSR1 received.  Doing graceful restart
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/]
does not exist
AH00558: apache2: Could not reliably determine the server's fully
qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
globally to suppress this message
[Mon Aug 15 14:55:14.054552 2016] [ssl:warn] [pid 26081:tid
139773925775232] AH01906:x:0 server certificate is a CA certificate
(BasicConstraints: CA == TRUE !?)
[Mon Aug 15 14:55:14.054736 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00489: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g-fips
configured -- resuming normal operations
[Mon Aug 15 14:55:14.054747 2016] [core:notice] [pid 26081:tid
139773925775232] AH00094: Command line: '/usr/sbin/apache2'
[Mon Aug 15 14:55:20.854353 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00493: SIGUSR1 received.  Doing graceful restart
AH00558: apache2: Could not reliably determine the server's fully
qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
globally to suppress this message
[Mon Aug 15 14:55:20.865056 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00489: Apache/2.4.18 (Ubuntu) configured -- resuming
normal operations
[Mon Aug 15 14:55:20.865076 2016] [core:notice] [pid 26081:tid
139773925775232] AH00094: Command line: '/usr/sbin/apache2'
[Mon Aug 15 14:55:23.807722 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00493: SIGUSR1 received.  Doing graceful restart
AH00558: apache2: Could not reliably determine the server's fully
qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
globally to suppress this message
[Mon Aug 15 14:55:23.840209 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00489: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g-fips
configured -- resuming normal operations
[Mon Aug 15 14:55:23.840217 2016] [core:notice] [pid 26081:tid
139773925775232] AH00094: Command line: '/usr/sbin/apache2'
[Mon Aug 15 14:55:31.995008 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00493: SIGUSR1 received.  Doing graceful restart
AH00558: apache2: Could not reliably determine the server's fully
qualified domain name, using 127.0.1.1. Set the 'ServerName' directive
globally to suppress this message
[Mon Aug 15 14:55:32.023059 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00489: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g-fips
configured -- resuming normal operations
[Mon Aug 15 14:55:32.023076 2016] [core:notice] [pid 26081:tid
139773925775232] AH00094: Command line: '/usr/sbin/apache2'
[Mon Aug 15 14:56:04.269625 2016] [ssl:error] [pid 29903:tid
139773645637376] [client 64.41.200.108:39890] AH02042: rejecting client
initiated renegotiation
[Mon Aug 15 18:40:58.774299 2016] [ssl:error] [pid 29904:tid
139773819877120] [client 64.41.200.105:34645] AH02042: rejecting client
initiated renegotiation
[Mon Aug 15 19:07:02.626527 2016] [mpm_event:notice] [pid 26081:tid
139773925775232] AH00491: caught SIGTERM, shutting down
[Mon Aug 15 19:07:03.939317 2016] [mpm_event:notice] [pid 2548:tid
140489013651328] AH00489: Apache/2.4.18 (Ubuntu) mod_jk/1.2.41
OpenSSL/1.0.2g-fips configured -- resuming normal operations
[Mon Aug 15 19:07:03.939444 2016] [core:notice] [pid 2548:tid
140489013651328] AH00094: Command line: '/usr/sbin/apache2'
[Mon Aug 15 19:13:44.445770 2016] [mpm_event:notice] [pid 2548:tid
140489013651328] AH00491: caught SIGTERM, shutting down
[Mon Aug 15 19:13:45.265839 2016] [mpm_event:notice] [pid 2705:tid
140547327522688] AH00489: Apache/2.4.18 (Ubuntu) mod_jk/1.2.41
OpenSSL/1.0.2g-fips configured -- resuming normal operations
[Mon Aug 15 19:13:45.265879 2016] [core:notice] [pid 2705:tid
140547327522688] AH00094: Com

Re: [users@httpd] Run PHP Handler after running my handler Apache

2016-07-18 Thread Dr James Smith
I use something similar - you should really be applying this in one of 
the AAA level of handlers (I use mod_perl rather than C handlers) but 
there are various places you can hook into the process


Usually (and slightly naughtily) I add this to the access handler within 
mod_perl {it does the user/ip identification and then performs the 
appropriate filters}


If you are doing complex access layers (e.g. checking permissions in a 
db) you may not be able to do this with Location/LocationMatch




On 19/07/2016 07:14, Nick Kew wrote:

On Tue, 2016-07-19 at 10:45 +0530, Amlaan Kar wrote:

I have created a handler in Apache

Sounds like your module's processing should be hooked up
earlier in the cycle.  It can then set the handler either
to PHP or to its own page according to the outcome of
whatever parsing it does.

But given that the server parses the URL, you can probably
dispense with that altogether, and use configuration to
deal with whatever your parser does.  If 
or  is not sufficient, then an  clause.
Or even the archaic tool of yesteryear, mod_rewrite.







-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Help disabling weak ciphers.

2016-07-15 Thread Dr James Smith

I use:

  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS


as the setting for ciphers - this gets an A+ rating on the Qualys SSL 
Labs scoring (although Java 6 + IE 6 clients don't work but that is the 
compromise you need to take)


James

On 15/07/2016 22:49, Spork Schivago wrote:

Hello,

I think I figured it out.  I removed the DES-CBC3-SHA line from the 
SSL Cipher Suite list and now this is the output from nmap:


| Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's 
Encrypt/countryName=US

| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-07-13T03:49:00
| Not valid after:  2016-10-11T03:49:00
| MD5:   e2dd d74b 6978 0d0e 9a7c 0aec c5ed baee
|_SHA-1: 4eef ac38 a8fe 99aa 816b 005a 9849 c674 cd39 98d6
| ssl-enum-ciphers:
|   TLSv1.0:
| ciphers:
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| compressors:
|   NULL
| cipher preference: client
|   TLSv1.1:
| ciphers:
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| compressors:
|   NULL
| cipher preference: client
|   TLSv1.2:
| ciphers:
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| compressors:
|   NULL
| cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds


With the least strength being A, that's exactly what I want, right?   
That would mean the ciphers are very strong ones? I'm still trying to 
learn all of this and now I gotta figure out how to enable "Perfect" 
Forward Secrecy.   Thanks!




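A reviewer's reading of the nmap output quoted above, as an added example rather than code from the thread: it parses the `ssl-enum-ciphers` lines in the form they appear on this page and reports, per protocol, which suites use an ephemeral key exchange (forward secrecy) and whether the server enforces its own cipher order. The function names are hypothetical.

```python
import re

# Excerpt of the nmap ssl-enum-ciphers output quoted in the thread (TLSv1.0 and
# TLSv1.2 sections), copied as it appears on the page.
NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.0:
| ciphers:
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| compressors:
|   NULL
| cipher preference: client
|   TLSv1.2:
| ciphers:
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| compressors:
|   NULL
| cipher preference: client
|_  least strength: A
"""

PROTO_RE = re.compile(r"^\|\s+((?:SSL|TLS)v[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\w+) \(([^)]*)\) - ([A-F])\s*$")
PREF_RE = re.compile(r"^\|\s+cipher preference: (\w+)\s*$")


def parse_ssl_enum(text):
    """Return {protocol: {"ciphers": [suite names], "preference": str or None}}."""
    result, current = {}, None
    for line in text.splitlines():
        proto = PROTO_RE.match(line)
        if proto:
            current = result.setdefault(proto.group(1), {"ciphers": [], "preference": None})
            continue
        if current is None:
            continue  # header lines before the first protocol section
        cipher = CIPHER_RE.match(line)
        pref = PREF_RE.match(line)
        if cipher:
            current["ciphers"].append(cipher.group(1))
        elif pref:
            current["preference"] = pref.group(1)
    return result


def forward_secret(protocol, name):
    """TLS 1.3 suites always use ephemeral keys; earlier ones only with (EC)DHE."""
    return protocol == "TLSv1.3" or name.startswith(("TLS_DHE_", "TLS_ECDHE_"))


def review(text):
    """Summarise, per protocol, what a forward-secrecy review needs to know."""
    summary = {}
    for protocol, info in parse_ssl_enum(text).items():
        static = [n for n in info["ciphers"] if not forward_secret(protocol, n)]
        summary[protocol] = {
            "total": len(info["ciphers"]),
            "forward_secret": len(info["ciphers"]) - len(static),
            "static_key_exchange": static,
            "server_enforces_order": info["preference"] == "server",
        }
    return summary
```

On the quoted scan, `review(NMAP_OUTPUT)` lists the `TLS_RSA_*` suites as lacking forward secrecy and shows that the client, not the server, picks the cipher.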



Re: [users@httpd] Re: Strange access.log entry...

2016-07-09 Thread Dr James Smith

Is the response the same as the response for / - that's all I can assume...?


On 09/07/2016 14:00, Jonesy wrote:

On Fri, 8 Jul 2016 15:51:27 -0700, Red-Tail Books wrote:


Wow Ken, Thanks for the thorough research. I just did a whois and
figured it wasn't an attack.

But being a complete rookie (no experience with linux or servers prior
to creating a droplet on DO 2 weeks ago)
I was curious to not see any request prefix (GET|POST|CONNECT...etc...)
and then I saw that the request was successful (status 200) instead of a
404. And what 11k of data did my server send in response...

In 13 days of logs this IP has only hit my server once and this is the
only time I've seen such a request... So no issue with their legitimate
research...

All well and good, I suppose.
I still wonder why the fetch resulted in a "200 OK".





Re: [users@httpd] Issues migrating Weblogic proxies from Sun One 6.1 to Apache 2.4

2016-06-18 Thread Dr James Smith
How are you connecting between the web-proxies and web-logic application 
servers?


Having a firewall in place can be an issue - the firewall may drop idle 
connections silently (we see this with oracle, mod_jk/ajp/memcache and 
in some instances cached mysql connections); unfortunately neither end 
knows the connection has been dropped and they still send packets down 
the broken connection.. - so any attempt to connect just hangs even 
doing a database ping!


We have dropped mod_jk in favour of using mod_proxy/mod_proxy_http as 
this doesn't have the same problem (but is slightly less efficient)


You can have some success with playing with the tcp keep alive settings:

echo 600 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 60 > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo 10 > /proc/sys/net/ipv4/tcp_keepalive_probes

But even these don't always seem to work - our more robust applications 
keep a track of when the connection was last used and will not 
re-connect to a connection which hasn't been used for 15 minutes

(using mod_perl this can happen!)

On 17/06/2016 15:30, Joe Muller wrote:

I am working on a project to migrate all our IPlanet 6.1 SP19 webserver proxies 
(formerly Sun One) to Apache 2.4, since IPlanet 6.1 does not support TLS 1.2 
and IPlanet 7.0 is being EOL. Our backend application servers are Weblogic 9.2 
/ Weblogic 12c. The IPlanet proxies have performed FLAWLESSLY for over 10 
years, despite the product being no longer supported and their WL Plug-in not 
officially supported with Weblogic 12c.

  However now that we are trying to use a more supported configuration 
(self-compiled Apache 2.4.18 running Weblogic Server Plugin 12.1.3) we are 
constantly seeing these errors, which results in performance degradation for 
our applications, and in some cases I think maybe even lost data.


  [Tue Jun 14 09:27:36.239682 2016] [weblogic:error] [pid 12513:tid 140185150932736] 
[client 10.165.254.1:28171] <1251314659108487> Write to the client failed: 
calling URL::close at line 559 of BaseProxy.cpp, referer: 
https://intgalf.xyz.com/ALFA/selectFileType.do?fileType=O1MM

  [Tue Jun 14 09:27:36.239747 2016] [weblogic:error] [pid 12513:tid 140185150932736] 
[client 10.165.254.1:28171] <1251314659108487> **
  *Exception type [WRITE_ERROR_TO_CLIENT] raised at line 560 of 
BaseProxy.cpp, referer: 
https://intgalf.xyz.com/ALFA/selectFileType.do?fileType=O1MM

  [Tue Jun 14 09:27:36.239952 2016] [weblogic:error] [pid 12513:tid 140185150932736] 
[client 10.165.254.1:28171] <1251314659108487> request 
[/ALFA/servlet/DecryptDownload?linkName=al_o1mm_carr20150630.csv] did NOT process 
successfully.., 
referer:https://intgalf.xyz.com/ALFA/selectFileType.do?fileType=O1MM



  Our topology is like this:

  Client Browser <--> Firewall <--> Load Balancer <--> Web Proxies <--> Firewall 
<--> Weblogic Application Servers

  Oracle support suggested as work around that we increase WLSocketsTimeOut in 
the plug-in, but I think that only masks the issue, as we still see the errors.

  We did a network trace and it looks like the Apache plug-in is prematurely 
closing the connection to the WL server, but I can't be certain. We know that 
our firewall is not responsible.

  Any ideas ? I thought Apache would work better than Sun One, but this has 
been the opposite. Is there some fundamental webserver tunable parameter that 
is so different between out of the box Sun One and out of the box Apache that 
could be causing this ?



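The two defences described in the reply above, and in the earlier mod_jk thread about firewalls severing idle connections, as an added example rather than code from either thread: per-socket keepalive using the same three values as the `/proc` settings, and a guard that never reuses a connection idle for more than 15 minutes. The class and function names are hypothetical.

```python
import socket
import time

MAX_IDLE_SECONDS = 15 * 60  # the 15-minute rule described in the reply


def enable_keepalive(sock, idle=600, interval=60, probes=10):
    """Per-socket equivalent of tcp_keepalive_time / _intvl / _probes."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # These option names are platform-dependent, so set only those that exist.
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", probes)):
        option = getattr(socket, name, None)
        if option is not None:
            sock.setsockopt(socket.IPPROTO_TCP, option, value)


class GuardedConnection:
    """Hands out one backend connection, replacing it once it has idled too long.

    `connect` is any zero-argument callable returning an object with close().
    A connection that a firewall dropped silently cannot be detected by
    writing to it (the write just hangs), so age is the only signal used.
    """

    def __init__(self, connect, max_idle=MAX_IDLE_SECONDS, clock=time.monotonic):
        self._connect = connect
        self._max_idle = max_idle
        self._clock = clock
        self._conn = None
        self._last_used = None
        self.connects = 0

    def get(self):
        now = self._clock()
        if self._conn is not None and now - self._last_used > self._max_idle:
            # Too old to trust: close locally without sending anything on it.
            try:
                self._conn.close()
            except OSError:
                pass
            self._conn = None
        if self._conn is None:
            self._conn = self._connect()
            self.connects += 1
        self._last_used = now
        return self._conn


def tcp_connector(host, port, timeout=5.0):
    """Return a `connect` callable that opens a keepalive-enabled TCP socket."""
    def connect():
        sock = socket.create_connection((host, port), timeout=timeout)
        enable_keepalive(sock)
        return sock
    return connect
```

A worker would build one `GuardedConnection(tcp_connector(host, port))` and call `get()` before each backend request.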



Re: [users@httpd] Make Apache react more graceful to SSL errors

2016-05-01 Thread Dr James Smith

Agree with Michael,

My start/stop scripts all now do a configtest before trying to 
stop/start apache - this way I never have no service if something goes 
wrong!


I do have a forcestop which will stop an apache if the config is wrong - 
as a last resort!


James

On 01/05/2016 14:27, Michael A. Peters wrote:

On 05/01/2016 06:19 AM, Florian Lindner wrote:

Hello,

in my server configuration users can place their own SSL certificate in
predefined directories. A daily cron script detects them, updates the apache
config and restarts the server.

However, if there is a problem with the certificate or key file, the apache
refused to work altogether.

Is it possible to make apache disable only the problematic vhost instead of
refusing to start?


What you probably need to do is validate the certificates before 
updating the apache configuration file. The TLS library (e.g. openssl) 
probably can do that, though I'm not familiar with the specific 
argument you would need.


Apache also has a check that can test whether or not apache will 
successfully start, that you can run before restarting the server.


apachectl configtest

I believe is the command.

I'm not sure it tests all the TLS certs but if it doesn't, it is a bug 
in my mind.



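One way to combine the two suggestions in this thread (validate each certificate before touching the configuration, then run `apachectl configtest` before restarting), as an added example rather than code from the thread. `deploy` and the `write_vhosts` callback are hypothetical, and the check covers only that the files parse and that the key matches the certificate.

```python
import ssl
import subprocess


def _refuse_passphrase():
    # An encrypted key would make an unattended restart wait for input.
    raise ValueError("private key is passphrase-protected")


def check_cert_pair(cert_path, key_path):
    """Return None if OpenSSL loads the pair and the key matches, else a reason."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # load_cert_chain raises SSLError when the key does not match the cert.
        ctx.load_cert_chain(cert_path, key_path, password=_refuse_passphrase)
    except (ssl.SSLError, OSError, ValueError) as exc:
        return "{}: {}".format(type(exc).__name__, exc)
    return None


def deploy(pairs, write_vhosts, apachectl="apachectl",
           run=subprocess.run, check=check_cert_pair):
    """Configure only vhosts whose certificates validate, then restart safely.

    pairs        -- iterable of (vhost_name, cert_path, key_path)
    write_vhosts -- hypothetical callback that writes the SSL vhost
                    configuration for the list of pairs it is given
    Returns a dict with 'reloaded', 'rejected' and 'configtest' entries.
    """
    good, rejected = [], {}
    for name, cert, key in pairs:
        reason = check(cert, key)
        if reason is None:
            good.append((name, cert, key))
        else:
            rejected[name] = reason  # report it; leave this vhost out

    write_vhosts(good)

    # configtest parses the new files without touching the running server.
    test = run([apachectl, "configtest"], capture_output=True, text=True)
    if test.returncode != 0:
        # The running server still uses its old configuration at this point.
        return {"reloaded": False, "rejected": rejected,
                "configtest": test.stderr.strip()}

    run([apachectl, "graceful"], check=True)
    return {"reloaded": True, "rejected": rejected,
            "configtest": test.stderr.strip()}
```

The cron job can mail the `rejected` entries to the affected users while every other vhost keeps serving.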



Re: [users@httpd] What is wrong with my virtual host setting

2016-04-10 Thread Dr James Smith



On 10/04/2016 15:31, Roland Szűcs wrote:

Hi folks,

I use Apache 2.4 and I installed a Glassfish application server behind 
it. I use mod_jk module as the dynamic content has to be handled by 
Glassfish and my static content (wordpress blog) is handled by Apache.


My test domain is: muveltnep.hu 

My conf file for virtual host looks like this:

ServerAdmin webmaster@localhost
ServerName muveltnep.hu 
ServerAlias www.muveltnep.hu 
DocumentRoot 
/home/glassfish/glassfish/domains/domain1/applications/muveltnepbasic

JkMount /* muvnepworker
JkUnMount /blog/* muvnepworker
/home/glassfish/glassfish/domains/domain1/applications/muveltnepbasic/blog>

Options Indexes FollowSymLinks MultiViews
Require all granted
AddHandler php5-script php

ErrorLog /home/glassfish/glassfish/domains/domain1/logs/error.log
CustomLog 
/home/glassfish/glassfish/domains/domain1/logs/access.log combined



The following errors occurred:
1. If I type muveltnep.hu I got 404 response
Not sure how your tomcat/glassfish is configured to handle the root 
level requests!
2. If I type muveltnep.hu/muveltnepbasic I got the right index.xhtml and 
works properly
3. If I type muveltnep.hu/blog where there 
is an index.php of my wordpress, I Got: /blog/index.xhtml Not Found in 
ExternalContext as a Resource.




For this you need to add index.php to the document index ... or 
configure wordpress according to the standard instructions with a 
rewrite rule if you are doing fancy URLs - although this may not play 
nicely with having the jkmount/unmount stuff!

i.e.

DirectoryIndex index.php index.xhtml


Anybody can help me to find my mistakes in the configuration?

Roland Szűcs
CEO Phone: +36 1 210 81 13
Bookandwalk.hu







Re: [users@httpd] Address already in use in Apache on Mac

2016-03-19 Thread Dr James Smith
Apache will have already started... try -k restart or -k stop followed 
by -k start


On 19/03/2016 07:21, Roparzh Hemon wrote:

Hello all, I get the following error message when I try to launch the
Apache server :

$ sudo ./bin/apachectl -k start
Password:
(48)Address already in use: AH00072: make_sock: could not bind to
address [::]:80
(48)Address already in use: AH00072: make_sock: could not bind to
address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Here is the output of sudo lsof -i:80 :

$ sudo lsof -i:80
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
httpd   40013 root    5u  IPv6 0x81ec9b8feb11d6a5      0t0  TCP *:http (LISTEN)
httpd   40025 _www    5u  IPv6 0x81ec9b8feb11d6a5      0t0  TCP *:http (LISTEN)
httpd   40031 _www    5u  IPv6 0x81ec9b8feb11d6a5      0t0  TCP *:http (LISTEN)

Should I kill all those processes ? Will that harm my usual Internet browsing ?

I also looked for possible "Conflicting Listen declarations" in my .conf files.
There are nine .conf files in my Apache directory :

httpd-2.4.18/modules/lua/test/test_httpd.conf
httpd-2.4.18/modules/core/test/conf/test31.conf
httpd-2.4.18/modules/core/test/conf/test14.conf
httpd-2.4.18/docs/conf/httpd.conf
httpd-2.4.18/docs/conf/extra/httpd-ssl.conf
conf/original/httpd.conf
conf/original/extra/httpd-ssl.conf
conf/httpd.conf
conf/extra/httpd-ssl.conf

I only need look at the last two in the list, right ?

I found Listen 80 in the httpd.conf file and Listen 443 in the
httpd-ssl.conf file.
These are not conflicting, right ?
Any help appreciated.




Re: [users@httpd] Howto accept only one connection

2016-02-19 Thread Dr James Smith

Can you not just go into debug mode -X?


On 19/02/2016 12:52, Aurélien Terrestris wrote:
Richard, is this a config that you tried successfully ? On my server, 
"prefork MPM" will put requests in the backlog (waiting), and "event 
MPM" is not designed for such behaviours because of its 
multi-threading model (I did not try "hybrid MPM" since it is supposed 
to be multi-threaded as well)




2016-02-19 13:46 GMT+01:00 Richard:




> Date: Friday, February 19, 2016 13:32:02 +0100
> From: Oliver Graute <oliver.gra...@gmail.com>
>
> On 19/02/16, Jim Jagielski wrote:
>> Just one connection? By that do you mean one concurrent user or
>> actually one request or actually one connection?
>>
>> A connection is a socket opened between the client and the server.
>> A request is a HTTP request on that connection.
>
> my requirement is:
>
>  "The Apache server listens on port 443i (https). It must accept
> only one connection at a time on this port"
>
> so it's one socket opened between the client and the server.
>
> Best Regards,
>
> Oliver
>

Other than humoring a customer, who may not understand what they are
asking for, what is the goal of trying to do this?

I don't think the server will be very usable -- basically you want
to set "startservers" to 1, "spareservers" to 0 and "maxclients" to
1.




Re: [users@httpd] How to solve ONE fixed IP serving multiple web-servers running on VMs

2015-12-27 Thread Dr James Smith
You need to set up one webserver on the fixed IP as a proxy. (Look up 
docs for mod_proxy) and set up appropriate rules to proxy through to 
your back-end servers...


On 27/12/2015 18:28, Jim Paniagua wrote:

I don't even know how VMs work .. sorry no help

On Fri, Dec 25, 2015 at 7:11 AM, Stephen Liu <sati...@yahoo.com.invalid> wrote:


Hi all,

I have following problem:

Host   Ubuntu 14.04 desktop
VMs   Ubuntu 14.04 desktop/server edition
VirtualBox

I have several web-servers running on VMs, each with its own
domain/subdomain and internal IP address.  But I have only one
Fixed IP/External IP.

All VMs are Apache server running WordPress.  I can create many
internal IPs on router.

Please advise how can I make all web-servers be browsed on Internet

Thanks in advance.

Regards
satimis








Re: [users@httpd] Hung thread

2015-08-17 Thread Dr James Smith
Have you looked at installing apache server status code so you can see 
what the last request is on each of these hung threads...


Alternatively if you have something like mod_perl installed one thing 
that you can do is add a handler to warn the PID/request to the error 
logs at the start and end of the requests (with an appropriate tag) then 
you can look at the history of the hung threads to see if there is 
anything consistent with them...


Before I've had threads hang if it is the request after a particular 
request - or on a particular set of circumstances for a particular 
request (infinite loop or something similar)


HTH

James

On 17/08/2015 20:18, Mark Jacquet wrote:

Jeff/Community

Getting back to this thread after a long time. We tried many things 
since this initial issue: Moved to linux, tried latest 
apache/apr/aprutils bins, tried adjusting the configuration, etc. All 
this failed eventually in the same way: Multiple hung threads 
eventually overloading the server.


In our current environment we switched to pre-fork mpm thinking that 
maybe threading was killing us. This seemed to work well until day 20 
(which seems to be relevant as we got to day 20 a few times). Today 
all 200 procs (Max Servers) were launched, not one would die. All hung.


The root proc is in this state:

$sudo pstack 5362
#0  0x0039892e1353 in __select_nocancel () from /lib64/libc.so.6
#1  0x77989025 in apr_sleep () from /codeadm/http_servers/httpd-2.4.16-prefork/lib/libapr-1.so.0
#2  0x004325ec in ap_wait_or_timeout ()
#3  0x00469680 in prefork_run ()
#4  0x0043171e in ap_run_mpm ()
#5  0x0042b9e4 in main ()

Typical pstack from a hung proc is

$ sudo pstack 6100
#0  0x77dd4955 in move_block () from /codeadm/http_servers/httpd-2.4.16-prefork/lib/libaprutil-1.so.0
#1  0x77dd50a1 in apr_rmm_calloc () from /codeadm/http_servers/httpd-2.4.16-prefork/lib/libaprutil-1.so.0
#2  0x75f26c66 in util_ald_strdup () from /codeadm/http_servers/httpd/modules/mod_ldap.so
#3  0x75f2628a in util_ldap_search_node_copy () from /codeadm/http_servers/httpd/modules/mod_ldap.so
#4  0x75f27235 in util_ald_cache_insert () from /codeadm/http_servers/httpd/modules/mod_ldap.so
#5  0x75f2352d in uldap_cache_checkuserid () from /codeadm/http_servers/httpd/modules/mod_ldap.so
#6  0x76b459ae in authn_ldap_check_password () from /codeadm/http_servers/httpd/modules/mod_authnz_ldap.so
#7  0x7673ae4f in authenticate_basic_user () from /codeadm/http_servers/httpd/modules/mod_auth_basic.so
#8  0x00441c90 in ap_run_check_user_id ()
#9  0x004451d2 in ap_process_request_internal ()
#10 0x004627d8 in ap_process_async_request ()
#11 0x0046294f in ap_process_request ()
#12 0x0045ec9e in ap_process_http_connection ()
#13 0x004567f0 in ap_run_process_connection ()
#14 0x0046900e in child_main ()
#15 0x00469264 in make_child ()
#16 0x00469d87 in prefork_run ()
#17 0x0043171e in ap_run_mpm ()
#18 0x0042b9e4 in main ()
[jacquet@llbdub0009 logs]$

Running on Red Hat Enterprise Linux Server release 6.6 (Santiago) with 
httpd-2.4.16-prefork.


Killing off these hung procs only band-aids the situation. New procs 
also hang (building up slowly now).

I am going to have to do a full restart of the server.
My expectation is that the server will be fine again for another 20 days.

Grasping at straws now. Any thoughts on this? Anything to try?

Thanks
Mj





On Thursday, June 18, 2015 7:56 AM, Jeff Trawick wrote:



On Wed, Jun 17, 2015 at 8:51 PM, Mark Jacquet wrote:


Just another oddity to add to the issue.

Overnight several more hung threads appeared and the load on the
system had jumped into the mid 20's.
After killing these the load did not drop. Looking at the list of
running processes I found httpd's running, spawned from the
original root httpd process that *were not even displayed* in the
scoreboard!!  After killing these hidden zombies off the load
dropped again.


What's common about the processes?  Similar backtrace to the first one 
posted?




So now I have to catch and kill two types: Zombies on the
scoreboard and hidden zombies.

And this is cute. Sometimes the zombies hang around so long that
when the system gets back to creating a new process for slot #1,
if the zombie was originally in that slot it is displayed there
along with its brothers for the new process:


"scoreboard squatting"


e.g. Note process 19597 below

*1-0*166310/33/1320_ 131.22202255280.01.6035.79
10.172.91.217newyahoo.oak.sap.corp:80NULL *1-0*166310/18/1087_
105.88340736980.00.6926.65
10.172.240.113www-dse.oak.sap.corp:80GET
/cgi-bin/websql/websql.dir/QTS/bugsheetcont.hts?bugid=74133
*1-0*166310/11/1178_ 76.49589542980.00.5634.78
10.172.91.92new

Re: [users@httpd] Random latency in reentrant calls (Bug 57916)

2015-05-12 Thread Dr James Smith

You are probably hitting child spin up issues...

Out of the box apache uses a process per apache child... There is an 
overhead/delay when a child is initially spun up, and that is what you 
are possibly seeing...

nginx works a different way - and can cope with a moderate number of 
"light" requests better than apache, but once the numbers of requests 
get higher (or they get heavier) then nginx can start dropping requests 
in "interesting" ways!

Additionally there is a cleanup phase in the apache process which 
handles logging (and other potential custom code) which happens after 
the request is finished - so although you think you have only two 
simultaneous requests there are probably more in the process (after each 
request there will be a write to disk to write the access log)



   StartServers 5
   MinSpareServers  5
   MaxSpareServers 10
   MaxRequestWorkers  150
   MaxConnectionsPerChild   0


You can tune apache by increasing the first 3 values and this will 
likely remove the effect you are seeing at least for the number of 
requests you are making...

HTH

On 12/05/2015 08:13, Luc Andre wrote:
This issue was first submitted as a bug report but I was advised to 
use this mailing list instead.


The problem occurs with an 'out of the box' configuration (tested on 
debian and windows)


Our php web site sometimes requires a reentrant call (i.e. it calls 
file_get_contents(http://127.0.0.1/reentrant.php)).


Most of the times calls are really fast (<1ms) but a few ones take 
over 0.5 secs.


We had a hard time reproducing the bug but we finally found a php 
script that calls itself (see enclosure).


To test it just try http://127.0.0.1/reentrant.php?count=10 where 10 
is the reentrancy level.


The script works fine with NGINX that's why we suspect apache rather 
than PHP.


Sample output with count=15
Each value of 'report' is the time spent between the http request and 
the execution of the first PHP line.


{
 "microtime": 1431414304.2875,
 "report": [
 0.0014371871948242,
 0.1552619934082,
 0.020139932632446,
 0.82674908638,
 0.5719690322876,
 0.00056719779968262,
 0.00065994262695312,
 0.00075387954711914,
 0.00066518783569336,
 0.00063514709472656,
 0.00071001052856445,
 0.00066900253295898,
 0.00063490867614746,
 0.00070381164550781,
 0.00070095062255859
 ]
}

You can see that 3 calls are ridiculously slow for a simple localhost 
request.


We don't believe in a misconfiguration issue since we reproduced it 
with an out of the box config.


Feel free to reopen the BR 57916 if you agree that it is a bug.

Regards,

Luc







---
This email has been checked for viruses by Avast antivirus software.
http://www.avast.com




Re: [users@httpd] Apache24, Perl 5.010, MySQL 5.6 and Windows 8.1 - no database connection

2015-04-19 Thread Dr James Smith

Dan,

The #! line has to be the first line - so it's being ignored... remove 
the ##! line at the start and see what happens.


James

On 19/04/2015 18:28, Dan Östberg wrote:
Dear Jeff:-) As you can see from the enclosed files I've changed the 
scriptinterpretersource.
Are there any updates of httpd.conf that I shall do? DBIcreatetable.pl 
doesn't run but printenv.pl does



2015-04-19 18:22 GMT+02:00 Jeff Trawick:


On 04/19/2015 11:01 AM, Dan Östberg wrote:

Everything works (It works!) except for running cgi/pl-files
where database connections are involved. A typical Apache server
error message is
"
[Sun Apr 19 15:11:03.324060 2015] [cgi:error] [pid 3312:tid 1032] (9)Bad file descriptor: [client ::1:49681] AH01222: don't know how to spawn child process: C:/Apache24/cgi-bin/DBIcreatetable.pl
"
HELP!

Expect this to be a simple issue of running Perl scripts as CGIs,
and nothing to do with database connections.

Please have a look at this documentation and see if it helps:
http://httpd.apache.org/docs/2.4/mod/core.html#scriptinterpretersource






Re: [users@httpd] Re: 2 web servers in load balancing

2015-03-17 Thread Dr James Smith

On 17/03/2015 07:59, Alfredo De Luca wrote:


Hi all.
Any clue on this?

On 15/03/2015 9:30 PM, "Alfredo De Luca" wrote:


Hi all.
I've never done this before so I am asking best practice/info/docs of
how to have 2 apache web servers in load balancing.

- Which httpd module do I have to load in the http conf?

Nothing unless you are using apache load balancer modules as a front end 
... (mod_proxy_balancer)


- I was reading that I have to have a web load balancer on top of
them? Is it necessary? Can they accept requests from a cisco /F5 load
 balancer?

I haven't played with F5 load balancers - but use the rival product 
Brocade/SteelApp/StingRay/Zeus traffic managers - which I think the F5s 
do the same thing as (just not as user friendly) so they should be able 
to do the job (I know we looked into it when we bought the ZTMs)


- What about persistent connection?

? HTTP is stateless - if you have poorly written backends which require 
requests to go to the backend you should be able to use sticky sessions - 
but this is bad as you lose resilience (one of the main reasons for load 
balancing backends!)


- Also we'll have a mySQL server? Any more info about this?

Load balancing MySQL can be trickier - easier if mainly RO connections 
(you can round robin requests to a large number of clones - or usually 
slaves to a single master) but harder if read/write - you can look at 
mysql cluster or master-master MySQL (galera)

Read write you can use master + multiple slaves - but need to tag a 
process/session/user as requiring access to master if a write happens 
for an unspecified length of time!



Thanks in advance
--
Alfredo






Re: [users@httpd] Any Comparisons? -- mod_wl vs mod_proxy vs mod_jk

2015-02-09 Thread Dr James Smith


We used mod_jk for ages and have recently flipped back to mod_proxy for 
our java/tomcat apps, we found that we had connectivity issues with 
mod_jk - if the connection between apache/tomcat is severed then mod_jk 
did not always work cleanly - and subsequent requests would just hang. 
mod_proxy didn't have the problem.


The problem showed itself when we started segregating machines into 
virtual firewall zones - so traffic between machines was controlled.


It does mean that we don't have as easy a load-balanced setup  - 
although we do send the requests back through our front-end load 
balancers and this seems effective.


James




Re: [users@httpd] Apache make fedora go into corner

2014-12-27 Thread Dr James Smith
If you have root access you can look in /var/log and this might show up 
stuff in messages or syslog...


Sometimes Apache can leak little bits of memory with each request - 
along with other processes.


You could also write a simple cron job which does something like:

echo `date` `cat /proc/meminfo | grep Free | grep kB | cut -d : -f 2 | xargs` >> ~/mem-free


which will give you a log file like:

Sat Dec 27 17:01:01 GMT 2014 80908 kB 3549440 kB
Sat Dec 27 17:02:01 GMT 2014 79760 kB 3549516 kB

and so you can check that the two numbers (mem free + swap free) are not 
both getting towards 0...


On 27/12/2014 15:52, georg chambert wrote:

Hi James,
well, no, traffic hasn't been very intense, and the machine's only task 
is to be a server, the number of accesses
(at least in log) is quite limited, some hundred at maximum, is there 
a way to check "post-mortem" ?


----- Original Message -----
From: Dr James Smith <j...@sanger.ac.uk>
To: users@httpd.apache.org
Sent: Saturday, December 27, 2014 3:49 PM
Subject: Re: [users@httpd] Apache make fedora go into corner

On 27/12/2014 13:21, georg chambert wrote:

Hi, have for a bit of time had trouble with my server PC running
Fedora OS and Apache.
After some time it goes into non-communicatable mode, does not
take any input whatsoever,
hard shutdown is only way to get out. It can be 24 hours and it
can be 14 days of running before this happens.
While if the httpd is not active the machine has no issues.
So where do I look to find answers; short look in access_log for
server does not give any specific clues to what
happens, possibly because the "hard takedown" of the machine the
file is not closed properly ?

Have you checked top regularly to see if you are running the
machine out of memory.


Any suggestions ?
Georg





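The check described in the reply above (free memory and free swap both heading towards 0), as an added example that is not part of the original thread: `sample_line` writes one log line in the same format but selects the two counters by name, and `low_samples` lists the samples where both are below a threshold. The function names, the thresholds and the last two log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Log format follows the message:
#   <date fields> <MemFree> kB <SwapFree> kB

# sample_line [MEMINFO_FILE]
# Emit one log line; reads /proc/meminfo unless another file is given.
# MemFree and SwapFree are selected by name, so any other "*Free" counter
# in the file cannot shift the columns. Returns 1 if either is missing.
sample_line() {
    awk -v now="$(date)" '
        $1 == "MemFree:"  { mem  = $2 }
        $1 == "SwapFree:" { swap = $2 }
        END {
            if (mem == "" || swap == "") exit 1
            printf "%s %s kB %s kB\n", now, mem, swap
        }' "${1:-/proc/meminfo}"
}

# low_samples LOGFILE MEM_KB SWAP_KB
# Print every sample where MemFree < MEM_KB and SwapFree < SWAP_KB.
# After a hard reset, the last line printed shows how close to zero the
# machine was shortly before it stopped responding.
low_samples() {
    awk -v mem="$2" -v swap="$3" '
        NF >= 4 && $NF == "kB" && $(NF-2) == "kB" &&
        $(NF-3) + 0 < mem && $(NF-1) + 0 < swap' "$1"
}

# Sample log: the first two lines are from the message above, the last
# two are constructed.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Sat Dec 27 17:01:01 GMT 2014 80908 kB 3549440 kB
Sat Dec 27 17:02:01 GMT 2014 79760 kB 3549516 kB
Sun Dec 28 03:14:01 GMT 2014 41200 kB 120344 kB
Sun Dec 28 03:15:01 GMT 2014 9820 kB 1024 kB
EOF

# Assumed thresholds: under 50 MB free RAM and under 200 MB free swap.
low_samples "$demo_log" 51200 204800
rm -f "$demo_log"
```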

Re: [users@httpd] Apache make fedora go into corner

2014-12-27 Thread Dr James Smith

On 27/12/2014 13:21, georg chambert wrote:
Hi, have for a bit of time had trouble with my server PC running 
Fedora OS and Apache.
After some time it goes into non-communicatable mode, does not take 
any input whatsoever,
hard shutdown is only way to get out. It can be 24 hours and it can be 
14 days of running before this happens.

While if the httpd is not active the machine has no issues.
So where do I look to find answers; short look in access_log for 
server does not give any specific clues to what
happens, possibly because the "hard takedown" of the machine the file 
is not closed properly ?

Have you checked top regularly to see if you are running the machine out 
of memory.



Any suggestions ?
Georg



