Re: [EMAIL PROTECTED] httpd.conf for oracle app 10g
Red al tubor wrote: Hello Guys, I am new here, i am facing a problem in our Oracle Application Server 10g ... i configured httpd.conf in a recommended way from oracle... The Problem is that when more than 500 session are opened the Server fails down and the cpu is running full 100% httpd process in top takes 100% from the cpu??? Any idea about how it works and how can i manage the TCP/IP connection? or Maximize the performance Any idea guys... Thanks in advance... Regards, RN Hi, Can you provide us with more information about your installation? 1. Are you running SSL? 2. What class (architecture, number of CPUs, physical configuration) of webserver platform? If your server hardware is moderately recent (i.e. pentium 4 xeon-class) with enough memory, you should be able to handle hundreds of clients easily. We run our Oracle AS frontends with 'MaxClients 1024' on dual-CPU xeon systems, hyperthreaded, and normally see a load average of about 1 with ~400 clients. These also run SSL natively. Thanks, Josh - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] Apache Examples Extreme Web Servers
On Tue, 13 Mar 2007, linux guru wrote: Does anybody host about 2000-2500 virtual sites in single server? Which version of Apache do you prefer 2.0 or 2.2 for hosting thousands of websites? Do you have examples or some experiment about the httpd.conf for this kind of servers? Have you ever noticed an error like this below; apachectl stop, OK apachectl start, No responce. FAIL You're probably hitting some resource limit. Look within apachectl for the line which invokes httpd. Figure out the variables and try to start it with the "broken" config it from the command line with 'strace -f', like this: cd $APACHE_ROOT/bin # or wherever your httpd is strace -f ./httpd -k start # this is my server's config ...and at the end, check the return code: echo $? and post the last 20 lines or so to the list. Might help to capture all that to a file with either output redirection or 'script.' Thanks, Josh open the file which has virtual host records, inc.vhost.httpd.conf put # sign start of 30-40 lines save and close the file. apachectl start, OK open the file again and remove the #'s apachectl graceful, OK Please help :) We are getting mad more and more everyday. You could check the php config and other details at http://82.222.170.52/i.php We are using Redhat Enterprise Linux 4, we are installing apache , php , and modules from source. The servers are extremly powerful and does not have other services like mysql or mail server. only apache serving. Please contact me directly if you think you could help. Thanks. - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED] Different direction - WAS: Reverse SSL proxy with NULL cipher on backend?
To ask a different way, and potentially simplify the question- On Apache 1.3.x webserver, when I specify the following cipher suite config using: SSLCipherSuite NULL:eNULL Apache demands a certificate and keyfile, even though the only valid request is for NULL. So, the question is, what is the format for NULL certificate files and key files? How do I generate them? Thanks, josh Josh Wyatt wrote: Spil Oss wrote: Hi Josh, When you say "https is hard-coded as the beginning of all URLs" you mean that that is done in all pages that the webserver generates? In that case you might just address oapache using http, and in apache2's config ProxyPass / http://localhost/. Kind Regards, Spil Hi Spil, Thank you for your response. Actually, the logic goes something like this: 1. End-human requests a report from the application server. 2. The request is handed off to a report server; 3. the report server generates the report himself via a special URL on the webserver; 4. The report retrieval URL is then mangled for security reasons, and sent back to the end-human 5. a new browser window pops up for the end-human, and retrieves the report via mangled URL. Now, step 3 uses a "hidden" internal URL which gets mangled later on in step 4. This mangling action doesn't happen unless SSL is enabled on on oapache. Sounds complicated, and I'm sure R. Goldberg had a hand in this. But stage 3 requires SSL. Thanks, Josh On 18/09/06, Josh Wyatt <[EMAIL PROTECTED]> wrote: Joshua Slive wrote: > On 9/16/06, Josh Wyatt <[EMAIL PROTECTED]> wrote: >> I'd like to use NULL authentication, ciphers, etc to reduce the >> proxyapache <-> oapache SSL overhead. How can I configure oapache and >> proxyapache to use NULL for authentication, ciphers, etc? > > > I don't know the answer to that. I suspect it is impossible without > modifying the configuratio n of oapache to accept null ciphers. > > But in any case, this is silly. Why no just configure oapache to use > ordinary http instead? > > Joshua. I agree it's silly that SSL is required. But it truly is for this application (https is hard-coded as the beginning of all URLs), and it's a COTS application, so we can't change that bit. Now, I absolutely DO have control over oapache's configuration. And as I stated in my initial post, I already tried specifying NULL ciphers with. Quoting my initial post: 'SSLProxyCipherSuite NULL' on proxyapache, and 'SSLCipherSuite NULL' on oapache. In oapache's logfiles I get: [Fri Sep 15 22:00:51 2006] [error] mod_ssl: SSL handshake failed (server oapache:, client proxyapache) (OpenSSL library error follows) [Fri Sep 15 22:00:51 2006] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too restrictive SSLCipherSuite or using DSA server certificate?] Any help you can provide would be greatly appreciated. Thanks, Josh - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] Reverse SSL proxy with NULL cipher on backend?
Spil Oss wrote: Hi Josh, When you say "https is hard-coded as the beginning of all URLs" you mean that that is done in all pages that the webserver generates? In that case you might just address oapache using http, and in apache2's config ProxyPass / http://localhost/. Kind Regards, Spil Hi Spil, Thank you for your response. Actually, the logic goes something like this: 1. End-human requests a report from the application server. 2. The request is handed off to a report server; 3. the report server generates the report himself via a special URL on the webserver; 4. The report retrieval URL is then mangled for security reasons, and sent back to the end-human 5. a new browser window pops up for the end-human, and retrieves the report via mangled URL. Now, step 3 uses a "hidden" internal URL which gets mangled later on in step 4. This mangling action doesn't happen unless SSL is enabled on on oapache. Sounds complicated, and I'm sure R. Goldberg had a hand in this. But stage 3 requires SSL. Thanks, Josh On 18/09/06, Josh Wyatt <[EMAIL PROTECTED]> wrote: Joshua Slive wrote: > On 9/16/06, Josh Wyatt <[EMAIL PROTECTED]> wrote: >> I'd like to use NULL authentication, ciphers, etc to reduce the >> proxyapache <-> oapache SSL overhead. How can I configure oapache and >> proxyapache to use NULL for authentication, ciphers, etc? > > > I don't know the answer to that. I suspect it is impossible without > modifying the configuratio n of oapache to accept null ciphers. > > But in any case, this is silly. Why no just configure oapache to use > ordinary http instead? > > Joshua. I agree it's silly that SSL is required. But it truly is for this application (https is hard-coded as the beginning of all URLs), and it's a COTS application, so we can't change that bit. Now, I absolutely DO have control over oapache's configuration. And as I stated in my initial post, I already tried specifying NULL ciphers with. Quoting my initial post: 'SSLProxyCipherSuite NULL' on proxyapache, and 'SSLCipherSuite NULL' on oapache. In oapache's logfiles I get: [Fri Sep 15 22:00:51 2006] [error] mod_ssl: SSL handshake failed (server oapache:, client proxyapache) (OpenSSL library error follows) [Fri Sep 15 22:00:51 2006] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too restrictive SSLCipherSuite or using DSA server certificate?] Any help you can provide would be greatly appreciated. Thanks, Josh - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] Reverse SSL proxy with NULL cipher on backend?
Joshua Slive wrote: On 9/16/06, Josh Wyatt <[EMAIL PROTECTED]> wrote: I'd like to use NULL authentication, ciphers, etc to reduce the proxyapache <-> oapache SSL overhead. How can I configure oapache and proxyapache to use NULL for authentication, ciphers, etc? I don't know the answer to that. I suspect it is impossible without modifying the configuratio n of oapache to accept null ciphers. But in any case, this is silly. Why no just configure oapache to use ordinary http instead? Joshua. I agree it's silly that SSL is required. But it truly is for this application (https is hard-coded as the beginning of all URLs), and it's a COTS application, so we can't change that bit. Now, I absolutely DO have control over oapache's configuration. And as I stated in my initial post, I already tried specifying NULL ciphers with. Quoting my initial post: 'SSLProxyCipherSuite NULL' on proxyapache, and 'SSLCipherSuite NULL' on oapache. In oapache's logfiles I get: [Fri Sep 15 22:00:51 2006] [error] mod_ssl: SSL handshake failed (server oapache:, client proxyapache) (OpenSSL library error follows) [Fri Sep 15 22:00:51 2006] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too restrictive SSLCipherSuite or using DSA server certificate?] Any help you can provide would be greatly appreciated. Thanks, Josh - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED] Reverse SSL proxy with NULL cipher on backend?
I have a situation in which I must run an old, insecure Apache (1.3.19, don't ask...). The application that runs with this webserver requires SSL from the client. Let's call this oapache. To help secure this situation, I have built a 2.0.59 with openssl configuration on this same host. Let's call this proxyapache. The intent is to configure oapache to listen on the loopback only, and use proxyapache as the user-facing frontend. For the SSL requirement reason, I use 'SSLProxyEngine on' on proxyapache. This works fine. I've done some trickery using /etc/hosts for hostnames so that I can even use the same certificate/key with both apaches. Here's the request. The above configuration uses twice the CPU that the old (using only oapache, listening to the public interface) because it's doing double the SSL work: User <-> proxyapache proxyapache <-> oapache I'd like to use NULL authentication, ciphers, etc to reduce the proxyapache <-> oapache SSL overhead. How can I configure oapache and proxyapache to use NULL for authentication, ciphers, etc? I tried the obvious: 'SSLProxyCipherSuite NULL' on proxyapache, and 'SSLCipherSuite NULL' on oapache. In oapache's logfiles I get: [Fri Sep 15 22:00:51 2006] [error] mod_ssl: SSL handshake failed (server oapache:, client proxyapache) (OpenSSL library error follows) [Fri Sep 15 22:00:51 2006] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too restrictive SSLCipherSuite or using DSA server certificate?] This seems to hint that I need a different kind of certificate/key file. I tried not specifying a key/certificate file (why would I need one, for NULL everywhere?) but oapache will not start. I also tried using /dev/null for the cert and keyfiles, oapache complains that they are empty and will not start. So my question: How to configure oapache and proxyapache to use SSL, with no encryption/authentication/etc? Thanks, Josh - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]