Re: [users@httpd] Optimal way to trigger logging if certain URL is accessed

[Rainer Jung]

Am 23.10.2019 um 18:33 schrieb Martin T:

Hi,

I have a following Apache virtual host configuration where custom
call_Google_MP_API script receives the IP address and HTTP User-Agent
string as standard input if https://www.example.com/doc.pdf is
downloaded:


 
 /* configuration removed for brevity */
 SetEnvIf Request_URI "^/doc\.pdf$" pdfdoc
 LogFormat "%h %{User-agent}i" ga
 CustomLog "|/usr/local/bin/call_Google_MP_API" ga env=pdfdoc
 


As my web server had setenvif_module and log_config_module already
loaded, then I used SetEnvIf directive to set the "pdfdoc" internal
variable when doc.pdf is downloaded, LogFormat directive to set the
nickname "ga" for specific log format and finally CustomLog directive
to pipe this custom log format to call_Google_MP_API script if
"pdfdoc" variable is set, i.e https://www.example.com/doc.pdf URL is
accessed.

While this seems to work fine, then is this the correct/optimal way to
accomplish this?

I'm using Apache version 2.4.38 on Debian 10.


You could also use mod_log_debug:

https://httpd.apache.org/docs/2.4/en/mod/mod_log_debug.html

Despite it's name it is very useful not only for debugging but adding 
general custom log messages. The output goes to the ErrorLog though 
(which can be a pipe). The log messages generated can include references 
to request details, like e.g. %{REMOTE_ADDR} and %{HTTP_USER_AGENT}:


https://httpd.apache.org/docs/2.4/en/expr.html

and can be generated inside Location blocks.

Furthermore one can control, at what point in time during request 
processing the message is generated.


Since it goes to the error log, you would need to send it to a piped 
process separatig these log lines from the remaining error log lines, 
because I guess you want to only send the new log lines to your script 
and the remaining ones still to rotatelogs or similar.


Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_ajp: adding "secret=xxx" parameter to config yields syntax error

[Rainer Jung]

Am 13.02.2020 um 19:29 schrieb Mark H. Wood:

HTTPD 2.4.41

I'm trying to set up authenticated proxying between HTTPD and Tomcat.
I have, for example:

   ProxyPass "/host-manager/" \
 "ajp://[::1]:8009/host-manager/" \
 secret="secret"

When I run configtest, the result is:
  * apache2 has detected an error in your setup:
AH00526: Syntax error on line 101 of 
/etc/apache2/vhosts.d/default_vhost.include:
ProxyPass unknown Worker parameter

Line 101 is the one with the 'secret' keyword.  If I un-fold the
directive to a single line, the same error is called against line 99
(the same ProxyPass directive).  The directive was previously working
before I added the 'secret' parameter.

What am I missing?


The feature was added in r1738878 (BZ53098) to httpd trunk and is not 
yet backported to 2.4.x.


Due to recent default config changes in Tomcat it would make sense to 
backport now.


Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Issues with files accessed over NFS

[Rainer Jung]

Am 30.06.2022 um 21:07 schrieb Chris Woelkers - NOAA Federal:
Although I realize that this question is more about NFS than Apache it 
still concerns my web server so here goes. This is at work so a bit of 
history first, sorry for the novel length email in advance.


The set up I have was already in existence when I started my current 
position. The web server, running Apache on top of Debian 8, was 
directly connected to a storage server, also on Debian 8, via a 
dedicated 10Gbps network link. The storage was accessed via NFS mounts, 
different mounts for different areas in order to section them off within 
the website with aliases. Not all of the website  was stored on the 
server, just the ones that used the most disk space.
Of course this was three years ago and Debian 8 went EOL. Before that 
occurred it was my job to upgrade the servers to a later version of 
Debian. In order to keep the distribution upgrades as far apart as 
possible I went with Debian 11, upgrading on a path from 9 to 10 to 11. 
During the upgrade all services were checked out for basic functionality 
and no problems were seen.
Not long after the upgrade an interesting problem was apparent. Files 
accessed over NFS were not downloading properly. The download would 
start but then stop anywhere from 30% to 60%. These files were not large 
with the smallest ones being just over 1MB. Any file stored on the web 
server itself downloaded just fine, no matter the size. I checked just 
about everything on that connection from the cable, which was only 1 
foot in length so I got a longer one, to the NFS mount options. Changes 
were made but they did not seem to make a difference and all file 
transfer tests done within the OS itself worked fine with files up to 
100MB tested.
The only thing I did not check until recently was the NFS version. The 
mounts were automatically using NFSv4 which I considered, at this point 
in its development, to be stable. However when I switched to NFSv3 the 
problem went away. So after all that I seemed to have "solved" it by 
dropping back to an older version of NFS.


So the questions I have for the community are: Has anyone seen a similar 
issue and solved it? If so did you find another solution other than 
reverting to NFSv3?


Try disabling sendfile and mmap:

https://httpd.apache.org/docs/2.4/en/mod/core.html#enablesendfile

https://httpd.apache.org/docs/2.4/en/mod/core.html#enablemmap

If that helps, check out, which of the two is the culprit.

Best regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Default of ErrorLogFormat

[Rainer Jung]

I hope the docs are correct:

https://httpd.apache.org/docs/2.4/en/mod/core.html#errorlogformat

look for "#Example (default format for threaded MPMs)".

Best regards,

Rainer

Am 01.03.24 um 17:12 schrieb Vladimir Chlup:

Hi,

In the referenced commit, there is a function `do_errorlog_default`
(in log.c:846) which should be used by default. Also, the if starting
at log.c:1174 might be helpful.

Regards,
Vladimir Chlup

On Fri, Mar 1, 2024 at 2:48 PM Marco Hald  wrote:


Hi,

How do I know what the Default of ErrorLogFormat is when it is not configured?
I found this commit 
https://github.com/apache/httpd/commit/70be0f7a073f54474461c22ba8ca943bf8e0373a 
where it was introduced but I'm not skilled enough to get the default from it.
I already tried apache2ctl -DDUMP_CONFIG to get it that way, but this only 
lists changed values like ErrorLog

Mit freundlichen Grüßen / Best regards,
Marco Hald
Cloud Engineer
USU GmbH
Charlottenburger Allee 60
52068 Aachen
marco.h...@usu.com
www.usu.com
USU GmbH, Sitz: Möglingen, Registergericht und Handelsregisternummer: 
Amtsgericht Stuttgart HRB 764549,
Geschäftsführer: Bernhard Oberschmidt, Dr. Benjamin Strehl


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Problems with mod_proxy_balancer / slotmem_create @ apache 2.4.4

[Rainer Jung]

On 12.08.2013 13:19, andre.wen...@bmw.de wrote:
> since apache version 2.4.4 I have a problem by running multiple apache
> instances on my server. Normally we run multiple apaches, under
> different users, on one machine, but since 2.4.4 we have often the
> problem that apache is not able to reserve shared memory, because some
> other instance is using the same shared memory block.
> 
>  
> 
> The failure in the logs:
> 
>  
> 
> [Fri Aug 09 09:24:31.160654 2013] [:emerg] [pid 23958:tid
> 139658191218496] AH00020: Configuration Failed, exiting
> 
> [Fri Aug 09 11:09:46.919038 2013] [proxy_balancer:emerg] [pid 6549:tid
> 139675464337216] (17)File exists: AH01179: balancer slotmem_create failed
> 
>  
> 
> Also seen from another failure
> 
> 6989  shmget(0x1038007, 537, IPC_CREAT|IPC_EXCL|0600) = -1 EEXIST (File
> exists)
> 
>  
> 
> If I now check the shared memory with "ipcs -a" I see that the segment
> is reserverd by another instance of another user. After waiting a couple
> of minutes (up to hours) the apache is then able to start, but waiting
> is currently not really an option!?
> 
>  
> 
> Currently, I’m using apache 2.4.4 with the newest open ssl and and
> openldap version on Suse Linux 11 SP1/2.
> 
>  
> 
> Is there any work around or solution available, or an idea to solve this
> issue?

Can you try DefaultRuntimeDir ?

Regards,

Rainer

-- 
kippdata
informationstechnologie GmbH   Tel: 0228 98549 -0
Bornheimer Str. 33aFax: 0228 98549 -50
53111 Bonn www.kippdata.de

HRB 8018 Amtsgericht Bonn / USt.-IdNr. DE 196 457 417
Geschäftsführer: Dr. Thomas Höfer, Rainer Jung, Sven Maurmann

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache 2.4 ReverseProxy Issue

[Rainer Jung]

On 21.08.2013 13:42, Womann, Sven wrote:
> Sorry, I meant to write example.com...
> 
> I use include my RP-Rules in a dedicated file.
> There I work with RewriteRule ^/(.*)$ http://internal.example.com/$1 [P,QSA,L]
> ProxyPassReverse is used in a Location directive like
> 
> 
>   ProxyPassReverse /
> 
> 
> The 302 Location is full qualified, so normaly the ProxyPassReverse shouldn' 
> t match...

A standards conforming Location header always if a full URL.
The only reason for a ProxyPassReverse is fixing Location headers, so
your assumptions are not valid here ;)

If your backend already provides the correct Location headers for any
redirect, then remove the ProxyPassReverse.

> The header is set correctly, but the 302 changes in front of the RP.

Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache %D and %T meanings...

[Rainer Jung]

On 09.09.2013 17:35, Tony Anecito wrote:
> Hi All,
> 
> I am using the Apache Realtime Plugin (APR) that comes with ApacheTomcat
> 7.0.33. I am using Java 7.0.5 64-bit on Windows 7 64-bit.
> 
> I have noticed in the logs that the %D looks like it gives me
> milliseconds when compared to the %T seconds. For example:
> 
> %D%T
> 72  0.072
> 1030.103
> 32  0.032
> 
> The Apache documention seems to indicate %D is microseconds not
> milliseconds.

%T is seconds, %D in the Tomcat access logs is milliseconds, %D in the
Apache web server access logs is microseconds.

Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache %D and %T meanings...

[Rainer Jung]

On 09.09.2013 20:50, Tony Anecito wrote:
> Many Thanks. I thought I was using the APR which is the native version
> of Apache so was thinking that produced the logs I was looking at. I
> will verify the valve is turned on for for APR. If it is should I see
> milliseconds for the %D?

APR does not influence the meaning of the pattern in the Tomcat access
log. If you are talking about a tomcat access log configured in
server.xml %D is always milliseconds.

For the Apache web server it is always microseconds.

If you need more advice on Tomcat, then I suggest you switch over to the
Tomcat users list.

Regards,

Rainer

> *From:* Rainer Jung 
> *To:* users@httpd.apache.org
> *Sent:* Monday, September 9, 2013 9:40 AM
> *Subject:* Re: [users@httpd] Apache %D and %T meanings...
> 
> On 09.09.2013 17:35, Tony Anecito wrote:
>> Hi All,
>>
>> I am using the Apache Realtime Plugin (APR) that comes with ApacheTomcat
>> 7.0.33. I am using Java 7.0.5 64-bit on Windows 7 64-bit.
>>
>> I have noticed in the logs that the %D looks like it gives me
>> milliseconds when compared to the %T seconds. For example:
>>
>> %D%T
>> 72  0.072
>> 1030.103
>> 32  0.032
>>
>> The Apache documention seems to indicate %D is microseconds not
>> milliseconds.
> 
> %T is seconds, %D in the Tomcat access logs is milliseconds, %D in the
> Apache web server access logs is microseconds.
> 
> Regards,
> 
> Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Proxy Timeout problem with proxy_balancer

[Rainer Jung]

On 08.03.2014 17:50, Sascha Kühndel (InuSasha) wrote:
> Hi,
> 
> i have actual an problem with my proxy-timeout configuration.
> (Apache 2.2.26, but 2.4 seems to have the same problem).
> 
> In my apache configuration we have defined a global ProxyTimeout to 30
> seconds.
> But one of our JBoss-backends have some slow pages, and we want to raise
> the timeout to 2 minutes.
> (without change of the default timeout).
> 
> But the timeout is not used, for the backend. The timeout change for an
> other backend works fine.
> Imho, the imported difference is the backend type.
> balancer doesn't work, http work.
> 
> Example:
> ...
> ProxyTimeout 30
> ProxyPass /content balancer://jboss timeout=120 # timeout after 30 secs
> ProxyPass /mon http://monitor timeout=10# timeout after 10 secs
> ProxyPass /other   http://other # timeout after 30 secs
> ...
> 
> In the documentation, the timeout parameter seems to be redefined for
> balancer.
> If this correct? Documentation bug? Software bug? My configuration buggy?

Configuration bug. The docs are correct, timeout for a balancer worker
has a different meaning than timeout for a normal http or ajp worker.

> Know anyone a simple solution?

Depending on how you defined your balancer members, add the timeout
either to each "BalancerMember" (likely) or ProxySet for each member
(unlikely).

> We have many backends,
> so the workaround to change the default ProxyTimeout and set the timeout
> per backend is the last way.

Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Slow performance in Apache

[Rainer Jung]

Am 25.08.2014 um 19:33 schrieb Frederik Nosi:

Hi,
On 08/19/2014 01:49 PM, Jeff Trawick wrote:

On Tue, Aug 19, 2014 at 6:00 AM, mailto:pratibha.dhank...@wipro.com>> wrote:

Hi All,

Need urgent help from all you experts. We have a tomcat and apache
server on same physical box .Earlier it was working fine however
last week application is integrated with IDAM, since then whenever
user is accessing the link through IDAM application is responding
either very slow or not at all, Once apache is restarted ,again it
start working and after 3-4 hours again same issue occurs. Please
suggest.

Have done some tuning at apache end as well like

Timeout 120

KeepAlive Off

MaxKeepAliveRequests 100

KeepAliveTimeout 15

Still not working.


See if there is a buildup over time of connections between httpd and
Tomcat.  netstat and mod_status with ExtendedStatus On would make this
relatively easy.  (mod_status won't show explicitly that the request
is handled by Tomcat, but you can check requests stuck in W state to
see if the URL is handled by Tomcat.)



Out of curiosity, on the summary page generated by mod_status, the
description of W is:

"*|W|*" Sending Reply

I thought that when in this state, the corresponding thread / proccess
was sending the reply to the client. From your reply if i understood
correctly seems that when using mod_proxy (and mod_jk right?) the W
state includes the time spent on sending the request and geting a reply
from the origin.

Is this right?


Yes, "W" is everything between having read the request and logging the 
request after having send the response. So especially it includes 
forwarding in proxy or mod_jk and waiting/reading the response from the 
origin server.


You should add response duration logging to the httpd server access log 
(%D) and to the origin server log file, if you want to track the 
performance of the latter. mod_jk allows you to additionally log origin 
server response times as observed by the httpd web server in the httpd 
access log.


Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] AJP Errors?

[Rainer Jung]

Hi Burton,

Am 25.08.2014 um 22:14 schrieb Smith, Burton:

Can someone tell me about this error set?  They show up in the
Apache(mod_jk) log.  They may or may not indicate that one node is
down.  I would like to know how to differentiate between a recoverable
and a non-recoverable issue so that 24x7 support can monitor the issue.
My Apache version is 2.2.15 if that helps.

[error] ajp_connect_to_endpoint::jk_ajp_common.c (1026): (103t1)
cping/cpong after connecting to the backend server failed (errno=110)

[error] ajp_send_request::jk_ajp_common.c (1630): (103t1) connecting to
backend failed. Tomcat is probably not started or is listening on the
wrong port (errno=110)

[info] ajp_service::jk_ajp_common.c (2623): (103t1) sending request to
tomcat failed (recoverable), because of error during request sending
(attempt=1)

[error] ajp_connect_to_endpoint::jk_ajp_common.c (1026): (103t1)
cping/cpong after connecting to the backend server failed (errno=110)

[error] ajp_send_request::jk_ajp_common.c (1630): (103t1) connecting to
backend failed. Tomcat is probably not started or is listening on the
wrong port (errno=110)

[info] ajp_service::jk_ajp_common.c (2623): (103t1) sending request to
tomcat failed (recoverable), because of error during request sending
(attempt=1)


First: Since your Apache version 2.2.15 is pretty old and mod_jk had 
many improvements in the last years, I suggest that you check your 
mod_jk version and consider upgrading to latest.


"recoverable" means mod_jk will send the same request again. If mod_jk 
has already send part of the request to Tomcat and doesn't get back a 
response or something breaks while sending the request, it decides on 
the type of request and config, whether it is allowed to send the same 
request again.


Consider a final request in some flow ordering stuff from a shop. mod_jk 
might have send the request and an error happens when trying to read the 
response. Should it then send the request again or not?


You can influence behavior using the ajp13 worker config property 
recovery_options, which is a bit mask. Look for "recovery_options" in 
the docs:


http://tomcat.apache.org/connectors-doc/reference/workers.html

Often value "31" (all available bits set) is appropriate, but it depends 
on the application.


Using cping/cpong is nice, because it checks the connection before 
mod_jk tries to send the request. So if cping/cpong fails it is clear, 
that mod_jk can always retry, because Tomcat hasn't received any part of 
the request yet.


The number of retries mod_jk will use for a worker is also configurable, 
by default "2", property "retries" on an ajp13 worker, see the same docs 
page.


If all retries fail, then it will try a fail over (for a recoverable 
request), but often a failover will work on the http level, but not on 
the application level, because e.g. a web session on one Tomcat doesn't

exist on the failover Tomcat (without adding session replication).

Log messages:

- a load balancer worker will log after an unrecoverable failure:

  "unrecoverable error XXX, request failed. Tomcat failed in the middle 
of request, we can't recover to another instance.", where XX is a number.


The message will be marked with [error]

- an AJP13 worker can log several message containing "recoverable" or 
"unrecoverable". I'll list them here based on the current version. RRR 
will either be the strings "recoverable" or "unrecoverable", SSS a 
socket number, EEE an error number:


[info]: "(WORKERNAME) failed sending request (RRR) "
   "(errno=EEE)",

[error]: "(WORKERNAME) failed sending request on a fresh connection 
(RRR), socket SSS (errno=EEE)",


[error]: "(WORKERNAME) failed sending request body of size LLL (RRR), "
   "socket SSS (errno=EEE)",

[error]: "(WORKERNAME) failed sending request body of size LLL (lb mode) 
(RRR), socket SSS (errno=EEE)",


[error]: "(WORKERNAME) unexpected condition err=EEE recoverable=%d",

[error]: "(WORKERNAME) sending request to tomcat failed (unrecoverable), 
%s (attempt=%d)",


[info]: "(WORKERNAME) sending request to tomcat failed (RRR), %s 
(attempt=%d)",


Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] AJP Errors?

[Rainer Jung]

Am 28.08.2014 um 22:39 schrieb Smith, Burton:

-Original Message-

From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Tuesday, August 26, 2014 2:37 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] AJP Errors?



First: Since your Apache version 2.2.15 is pretty old and mod_jk had many 
improvements in the last years, I
suggest that you check your mod_jk version and consider upgrading to latest.


I thought I would start with the upgrades.  Yum pulled httpd-tools.x86_64 
0:2.2.15-31.el6_5 without mod_ssl and mod_jk.  I figured out the SSL part.  Can 
you recommend how to correct the JK?


It is possible that your linux distribution doesn't provide current 
mod_jk packages. But building mod_jk is very simple.


- You need to have gcc installed
- You need to have httpd and the httpd headers (httpd-dev?) installed

- Then you download the source release from 
http://tomcat.apache.org/download-connectors.cgi. Current version is 1.2.40.


- You extract the tarball and change into sub directory "native".

- You run "./configure --with-apxs=/path/to/my/apxs" where you replace 
/ath/to/my/apxs with the full path to your httpd apxs (or apxs2) command


- You run "make"

- You copy the new module file apache-2.0/mod_jk.so to wherever you want 
the module to be installed, e.g. in your httpd modules directory or 
elsewhere. Reference that chosen place in your "LoadModule" httpd 
directive for mod_jk.


- You add the example config files "conf/httpd-jk.conf" and 
"conf/workers.properties" from the extracted tarball to your httpd and 
customize it.


Regards,

Rainer




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] AJP Errors?

[Rainer Jung]

Am 03.09.2014 um 23:23 schrieb Smith, Burton:

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Saturday, August 30, 2014 3:12 AM



Am 28.08.2014 um 22:39 schrieb Smith, Burton:

-Original Message-

From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Tuesday, August 26, 2014 2:37 AM



It is possible that your linux distribution doesn't provide current mod_jk 
packages. But building mod_jk is very
simple.

- You need to have gcc installed
- You need to have httpd and the httpd headers (httpd-dev?) installed

- Then you download the source release from 
http://tomcat.apache.org/download-connectors.cgi. Current version
is 1.2.40.

- You extract the tarball and change into sub directory "native".

- You run "./configure --with-apxs=/path/to/my/apxs" where you replace 
/ath/to/my/apxs with the full path to your
httpd apxs (or apxs2) command



I'm hung up on apxs.  I can't find one.  Where should I look next?


Whoever provided you httpd should also provide you with the apxs script. 
Most Linux distros put it into an additional httpd-devel or 
apache2-devel or similar package. The script is sometimes names apxs2 
instead of apxs. Often it is installed in /usr/sbin if Apche is 
installed into the OS platform, or in the Apache bin directory if Apache 
has a completely separate installation directory.


Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Help needed with event MPM configuration

[Rainer Jung]

Am 04.11.2014 um 20:36 schrieb Rajalakshmi Iyer:

Ok. Thanks.

Does this situation sound plausible - Keep alive connections are not
being used effectively by client applications (i.e. subsequent requests
on keep-alive connections are not frequent enough to keep Apache workers
busy all the time, resulting in low CPU utilisation). At the same time,
because there are already so many keep-alive connections, the server is
not accepting any more new connections from the client application.
Thus, the server is mostly idle but not accepting new connections.

Apologies for repeating the question, but wanted to confirm before I
proceed to change the configuration.


I strongly suggest you monitor your server using server-status. It shows 
you details about threads and connections and also per process info 
whether it is still accepting connections or not.


Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] ProxyReverse Issue on - httpd-2.2.29

[Rainer Jung]

Am 23.02.2015 um 19:18 schrieb Otis Dewitt - NOAA Affiliate:

Everything works on this site except this url:
https://www.docu.com/class/page/createpdf.jsp?requestId=7

weird problem.

Thanks,
Otis

On Mon, Feb 23, 2015 at 1:15 PM, Otis Dewitt - NOAA Affiliate
mailto:otis.dew...@noaa.gov>> wrote:

oops yeah missed adding that to the email.

Its in the config:

# Class Directive (443) #EXAMPLE
RewriteRule ^/class$(.*) https://www.docu.com/class$1 [L,NC]


What is the "$" in the left side of the rule supposed to do?

If you remove the dollar sign, or we just ignore it for a moment, I 
would suspect a redirect loop here. Is this the config from the http or 
https VHost? If http, then redirecting to https would be fine, but I 
woudn't understand why it should also proxy. If https, then the 
RweriteRule looks suspect.



ProxyPass /class https://example.com:20201/class


 SetOutputFilter   proxy-html
 ProxyPassReverse https://example.com:20201/class
 ProxyHTMLEnable   On
 ProxyHTMLExtended On
 ProxyHTMLURLMap http://example.com:20201/class  /class
 RequestHeader unset  Accept-Encoding



Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Decompress requests using mod_deflate and uset Content-Encoding header

[Rainer Jung]

Am 09.03.2015 um 15:57 schrieb dennis.luna...@t-systems.com:

Hi,

I have some problems using mod_deflate to decompress requests.

I am using a apache 2.4 as a reverse proxy on Red Hat Enterprise Linux Server 
release 6.4 (Santiago). Within this apache I have to decompress requests and 
compress the answers.
To do this for some specific requests I defined a location:

   SetInputFilter DEFLATE   
   SetOutputFilter DEFLATE  

I got the result, that the request have been decompressed, but the header 
Content-Encoding gzip is still set causing problems on the next server.

So I removed the Content-Encoding header using mod_headers:

   RequestHeader unset Content-Encoding
   SetInputFilter DEFLATE   
   SetOutputFilter DEFLATE  
   Header set Content-Encoding gzip

As a result in the request the Content-Encoding is not set anymore. But the 
request is still compressed.
The manual of mod_deflate says that only requests with the header 
Content-Encoding gzip are decompressed. So it seems that mod_headers is 
executed before mod_deflate.

So basically either the decompression is done and the header is not changed or 
the header is changed but the decompression is not done.
Is there any way to decompress the request and remove the Content-Encoding gzip 
header?


mod_deflate does contain code to fix the content-encoding header. Could 
you provide info, how exactly your content-encoding request header looks 
like without and with inflation (no mod_headers manipulation)? Try to 
get the info directly on the reverse proxy, not on the backend, e.g. by 
logging %{Content-Encoding}i in the proxy access log.


mod_deflate did get quite a few fixes lately in 2.4. None of them was 
directly related to fixing the content-encoding header, but maybe you 
triger some other error path. Not likely, because the header fixing is 
done early but maybe still possible. Which version is your Apache httpd?


Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to enable TLSV1.1 or above on Apache

[Rainer Jung]

Am 27.03.2015 um 06:22 schrieb Sailaja Gadireddy:

Hello Team,

I have upgraded my apache to Apache V2.4.3. and OpenSSL version is 0.9.8g

When I have modified httpd conf with SSLProtocol TLSV1.1, It says
Illegal protocol.

Do I need to install latest openssl version? If so please suggest the
version.

Please suggest me the way to enable TLSV1.1 on Apache.


You need OpenSSL 1.0.1 as a minimum for TLS 1.1 (and 1.2) support.

Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to enable TLSV1.1 or above on Apache

[Rainer Jung]

Am 27.03.2015 um 14:40 schrieb Cathy Fauntleroy:

I am on a Windows 2008 R2 server with Apache 2.2.25/OpenSSL 0.9.8 installed.  I 
am attempting to upgrade OpenSSL to 1.0.1 so that TLS 1.1 and 1.2 will be 
enabled.  I am having problems installing 1.0.1 because of what appears to be a 
platform conflict.  My installation halts because a file in what is definitely 
a Unix/Linux path is not found.  I am on a Windows platform and downloaded a 
file for windows.  Any help would be greatly appreciated.  Am I missing 
something or have I stumbled upon a mis-categorized download?  I've tried 
several sites.


On the Windows platform many use the binary Apache httpd downloads from 
ApacheLounge:


http://www.apachelounge.com/download/

Regards,

Rainer


-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Friday, March 27, 2015 5:53 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] How to enable TLSV1.1 or above on Apache

Am 27.03.2015 um 06:22 schrieb Sailaja Gadireddy:

Hello Team,

I have upgraded my apache to Apache V2.4.3. and OpenSSL version is
0.9.8g

When I have modified httpd conf with SSLProtocol TLSV1.1, It says
Illegal protocol.

Do I need to install latest openssl version? If so please suggest the
version.

Please suggest me the way to enable TLSV1.1 on Apache.


You need OpenSSL 1.0.1 as a minimum for TLS 1.1 (and 1.2) support.

Regards,

Rainer



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Dates in httpd.conf?

[Rainer Jung]

Am 31.03.2015 um 19:49 schrieb Joe Jensen (ConAgra Foods):

Can anybody tell me a good way to include a date in the apache
configuration?  For various reasons I’m trying to avoid |’s to logrotate
and want the date in a logfile’s name.  I’m really hoping to put the
date into an apache variable I can use within the config.

A prior install involved running sed commands to update the config files
on apache startup (!!) which I’m trying to get rid of.

Define DATE ??


If you only need a date which is per startup, but does not change after 
the web server start:


In you start script or in envvars define and export a shell variable, e.g.

NOW=`date +%Y%m%d_%H%M%S`
export NOW

and then in the config you can use ${NOW}

Note that this will not update the timestamp if you do a "apachectl 
restart" or "apachectl graceful", only by stop and then start.


What is your reason you don't want to use piped logging?

Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Missing log entries?

[Rainer Jung]

Am 03.04.2015 um 03:41 schrieb Andrew Moise:

   Hi Richard.
   Okay, that was exactly my question -- yes, I'm pretty confident that
that's what's happening (the page is not completely being served and
the transfer is aborted, even though from the user's perspective the
page is present and they can interact with it e.g. click off onto
another page). I just didn't know that it didn't go into the log in
that case; I assumed that it would go in with a count of the bytes
that were successfully sent.
   That leads me to my next question: Assuming that I've understood
this correctly, is there any accurate way to see what apache is
serving (even partially sent pages)? This is forming a significant
part of my traffic (i.e. apache log analysis only shows a fraction of
the visitors that google analytics tells me are present).
   Thanks,
   Andrew


mod_log_forensic?

Regards,

Rainer


On Thu, Apr 2, 2015 at 8:29 PM, Richard
 wrote:

If the log entry for the image has a "referer" for a site page, then
it is unlikely that the image is being served from another page/site
(unless there is referer-based access control and someone *really*
wants the image(s), so is mucking the referer).

Apache doesn't write the log entry until the page has been delivered
(otherwise it wouldn't be able to give you the number of bytes
served). If your page(s) have something that keeps them from being
fully served (js, and ad, etc.) then the user may click off the page
before everything closes out and the entry is logged. I.e., this
wouldn't require the user to explicitly abort the page delivery,
they may just be doing it implicitly if the page has delivery issues.

You should be able to check this fairly easily yourself.



 Original Message 

Date: Thursday, April 02, 2015 20:00:00 -0400
From: 5k Kate <5k.kate.1...@gmail.com>

Is it possible that the image links are being shared separately
from the page? Theoretically someone could go and post your image
into another page.

-Kate

On Wed, Apr 1, 2015 at 1:09 PM, Andrew Moise
 wrote:


   Hello all.
   I'm trying to analyze the behavior of visitors to my web site by
parsing my Apache access log, and it seems that the log is missing
some entries. For example, it's happened before that there's an
entry in the log for serving an image, with a referrer set to one
of my HTML pages, but there is no entry in the log for that HTML
page (either before or after the entry for the image loading)
from any similar IP address. I don't think that the headers I'm
emitting would cause the browser to cache that particular HTML
page.
   Furthermore (and more to the point of why I'm concerned about
   this), parsing the apache log indicates a small fraction (maybe
25%) of the number of visitors indicated by a third party logging
tool (in this case clicky.com).
   Is there anything that could cause this? For example, does
   apache not put an entry in the log if the connection is
interrupted before the entire HTML file is emitted?
   Thanks in advance for your help.
   -Andrew


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Compile apache 2.4 on solaris 10 sparc with 64 bit openssl issue

[Rainer Jung]

Am 03.04.2015 um 16:53 schrieb ਜਤਿੰਦਰ ਸਿੰਘ:


uname -a
SunOS  5.10 Generic_150400-14 sun4u sparc SUNW,Netra-T12

src distribution used - apache-httpd-2_4_12-src-openssl-m.tar

/usr/sfw/bin/gcc -v
Reading specs from /usr/sfw/lib/gcc/sparc-sun-solaris2.10/3.4.3/specs
Configured with:
/sfw10/builds/build/sfw10-patch/usr/src/cmd/gcc/gcc-3.4.3/configure
--prefix=/usr/sfw --with-as=/usr/ccs/bin/as --without-gnu-as
--with-ld=/usr/ccs/bin/ld --without-gnu-ld --enable-languages=c,c++
--enable-shared
Thread model: posix
gcc version 3.4.3 (csl-sol210-3_4-branch+sol_rpath)

#Set ENV variables

export CFLAGS="-m64"
export LDFLAGS="-L/usr/sfw/lib -R/usr/sfw/lib -L/usr/X/lib -R/usr/X/lib
-L/usr/X11/lib -R/usr/X11/lib -L/usr/ccs/lib -R/usr/ccs/lib"
export LD_LIBRARY_PATH=/usr/sfw/lib/sparcv9:/usr/lib
export LD_LIBRARY_PATH_64=/usr/lib/64:/usr/sfw/lib/64
export PATH=$PATH:/usr/sfw/bin:/usr/ccs/bin:/usr/ccs/bin/sparcv9

# build pcre
cd ~/apache64-2-4-12/03-httpd/pcre-8.36
./configure --disable-cpp CFLAGS="-g" CC="gcc -m64"
--prefix=~/apache64-2-4-12/03-httpd/pcre-8.36
make clean
make
make install

# build apr
cd ~/apache64-2-4-12/03-httpd/apr-util-1.5.4
./configure --prefix=~/apache64-2-4-12/03-httpd/apr-1.5.1
make clean
make
make install

# build apr-util
cd ~/apache64-2-4-12/03-httpd/apr-util-1.5.4
./configure --prefix=~/apache64-2-4-12/03-httpd/apr-util-1.5.4
--with-apr=~/apache64-2-4-12/03-httpd/apr-1.5.1
make clean
make
make install

# build openssl
cd ~/apache64-2-4-12/02-openssl/openssl-1.0.1m
./config --prefix=~/openssl64


Here is it ~/openssl64


make clean
changed CGLAGS from m32 to m64 in makefile
make
make install


# build apache2.4-12
./configure --prefix=~/apache-64-2-4-12/Apache64HTTP --enable-ssl
--with-pcre=~/apache-64-2-4-12/03-httpd/pcre-8.36
--with-apr=~/apache-64-2-4-12/03-httpd/apr-1.5.1
--with-apr-util=~/apache-64-2-4-12/03-httpd/apr-util-1.5.4
--enable-ssl-staticlib-deps
make clean
make
Failing with below error...
ld: warning: file ~/openssl-64/lib/libssl.a(s2_clnt.o): wrong ELF class:
ELFCLASS32
ld: warning: file ~/openssl-64/lib/libcrypto.a(mem.o): wrong ELF class:
ELFCLASS32


Here it is ~/openssl-64, additional dash!


these files are 32 bit on rechecking with file command inside
openssl/lib, but openssl executable is 64 bits.


What is "openssl/lib"?

Very strange, because openssl binary should link with openssl libs.

Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Compile apache 2.4 on solaris 10 sparc with 64 bit openssl issue

[Rainer Jung]

Am 03.04.2015 um 17:50 schrieb ਜਤਿੰਦਰ ਸਿੰਘ:

~/openssl64/lib$ ls -ltr
total 10224
drwxr-x---   2 q1col2a1 q1col2a1  96 Apr  2 14:59 engines
-rw-r--r--   1 q1col2a1 q1col2a1 4401152 Apr  2 14:59 libcrypto.a
-rw-r--r--   1 q1col2a1 q1col2a1  823208 Apr  2 14:59 libssl.a
drwxr-x---   2 q1col2a1 q1col2a1  96 Apr  2 14:59 pkgconfig

by openssl/lib - i meant the lib generated after the openssl install.


So no shared libs.

Try adding "shared -fPIC" to your OpenSSL config flags. Note it is 
"shared" not "-shared". Check whether config output contains any 
warning. I remember openssl with gcc on Solaris having a problem when 
one wants to build 64Bit versions but the compiler gcc is a 32 bit 
binary. That is technically not a problem, but the detection method for 
64 bit support is broken on a platform, that supports 32 and 64 bits.


Youmight try the following patch to the OpenSSL config file:

@@ -446,7 +446,7 @@
   if [ $GCCVER -ge 30 ]; then
 # 64-bit ABI isn't officially supported in gcc 3.0, but it appears
 # to be working, at the very least 'make test' passes...
-if gcc -v -E -x c /dev/null 2>&1 | grep __arch64__ > /dev/null; then
+if gcc -m64 -v -E -x c /dev/null 2>&1 | grep __arch64__ > 
/dev/null; then

   GCC_ARCH="-m64"
 else
   GCC_ARCH="-m32"


Regards,

Rainer


On Fri, Apr 3, 2015 at 10:35 AM, Rainer Jung mailto:rainer.j...@kippdata.de>> wrote:

Am 03.04.2015 um 16:53 schrieb ਜਤਿੰਦਰ ਸਿੰਘ:


uname -a
SunOS  5.10 Generic_150400-14 sun4u sparc SUNW,Netra-T12

src distribution used - apache-httpd-2_4_12-src-__openssl-m.tar

/usr/sfw/bin/gcc -v
Reading specs from
/usr/sfw/lib/gcc/sparc-sun-__solaris2.10/3.4.3/specs
Configured with:
/sfw10/builds/build/sfw10-__patch/usr/src/cmd/gcc/gcc-3.4.__3/configure
--prefix=/usr/sfw --with-as=/usr/ccs/bin/as --without-gnu-as
--with-ld=/usr/ccs/bin/ld --without-gnu-ld --enable-languages=c,c++
--enable-shared
Thread model: posix
gcc version 3.4.3 (csl-sol210-3_4-branch+sol___rpath)

#Set ENV variables

export CFLAGS="-m64"
export LDFLAGS="-L/usr/sfw/lib -R/usr/sfw/lib -L/usr/X/lib
-R/usr/X/lib
-L/usr/X11/lib -R/usr/X11/lib -L/usr/ccs/lib -R/usr/ccs/lib"
export LD_LIBRARY_PATH=/usr/sfw/lib/__sparcv9:/usr/lib
export LD_LIBRARY_PATH_64=/usr/lib/__64:/usr/sfw/lib/64
export PATH=$PATH:/usr/sfw/bin:/usr/__ccs/bin:/usr/ccs/bin/sparcv9

# build pcre
cd ~/apache64-2-4-12/03-httpd/__pcre-8.36
./configure --disable-cpp CFLAGS="-g" CC="gcc -m64"
--prefix=~/apache64-2-4-12/03-__httpd/pcre-8.36
make clean
make
make install

# build apr
cd ~/apache64-2-4-12/03-httpd/__apr-util-1.5.4
./configure --prefix=~/apache64-2-4-12/03-__httpd/apr-1.5.1
make clean
make
make install

# build apr-util
cd ~/apache64-2-4-12/03-httpd/__apr-util-1.5.4
./configure --prefix=~/apache64-2-4-12/03-__httpd/apr-util-1.5.4
--with-apr=~/apache64-2-4-12/__03-httpd/apr-1.5.1
make clean
make
make install

# build openssl
cd ~/apache64-2-4-12/02-openssl/__openssl-1.0.1m
./config --prefix=~/openssl64


Here is it ~/openssl64

make clean
changed CGLAGS from m32 to m64 in makefile
make
make install


# build apache2.4-12
./configure --prefix=~/apache-64-2-4-12/__Apache64HTTP --enable-ssl
--with-pcre=~/apache-64-2-4-__12/03-httpd/pcre-8.36
--with-apr=~/apache-64-2-4-12/__03-httpd/apr-1.5.1
--with-apr-util=~/apache-64-2-__4-12/03-httpd/apr-util-1.5.4
--enable-ssl-staticlib-deps
make clean
make
Failing with below error...
ld: warning: file ~/openssl-64/lib/libssl.a(s2___clnt.o): wrong
ELF class:
ELFCLASS32
ld: warning: file ~/openssl-64/lib/libcrypto.a(__mem.o): wrong
ELF class:
ELFCLASS32


Here it is ~/openssl-64, additional dash!

these files are 32 bit on rechecking with file command inside
openssl/lib, but openssl executable is 64 bits.


What is "openssl/lib"?

Very strange, because openssl binary should link with openssl libs.

Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Compile apache2.4 with mod_proxy_html/libxml2

[Rainer Jung]

Am 14.04.2015 um 16:34 schrieb andre.wen...@bmw.de:

Hello,

today I tried to compile the current apache 2.4.12 together with
mod_proxy_html and xml2enc, but I ran into some problem with libxml2,
which is currently not installed on the system and I’m not able to
install the library in the system.

So what I did was to compile libxml2 as shared library with

./configure --prefix=//libxml2 --enable-shared=yes
--with-python=no

After that I tried to build the apache with the following parameters:

./configure

…

   --enable-proxy-html \

   --enable-xml2enc \

   --with-libxml2=${apache_prefix}/libxml2



I also tried the following:

./configure

…

   --enable-proxy-html \

   --enable-xml2enc \

   --with-libxml2 \

   --with-libxml2-include=${apache_prefix}/libxml2/include \

   --with-libxml2-lib=${apache_prefix}/libxml2/lib

But every time the following error comes up,

…

checking whether to enable mod_deflate... shared

checking whether to enable mod_xml2enc... checking dependencies

checking for libxml2... checking for libxml2... no

checking whether to enable mod_xml2enc... configure: error: mod_xml2enc
has been requested but can not be built due to prerequisite failures

…

Does somebody have any idea, what is the problem or which configuration
I need to set, so that I can build the apache with mod_proxy_html
support. But I don’t need to install libxml2 on the system? Is there any
additional compiler setting needed?


Try

   --with-libxml2=${apache_prefix}/libxml2/include/libxml2

(in my libxml2 installation all header files are in a directory 
.../include/libxml2/libxml which should be the default layout of libxml2).


In addition set the following envvars:

MOD_XML2ENC_LDADD="-L${apache_prefix}/libxml2/lib 
-R${apache_prefix}/libxml2/lib"


export MOD_XML2ENC_LDADD

MOD_PROXY_HTML_LDADD="-L${apache_prefix}/libxml2/lib 
-R${apache_prefix}/libxml2/lib"


export MOD_PROXY_HTML_LDADD

(the -R is optional for setting the RUNPATH in the binary module file).

Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_rewrite vs. mod_jk

[Rainer Jung]

Am 06.05.2015 um 11:16 schrieb Hajo Locke:

Hello,

i have a small mod_jk.conf and want to use mod_rewrite also:

JkMount /* ajp13
JkUnmount /test/* ajp13
RewriteEngine On
RewriteRule ^/$ /java_app/ [L]

Rewriting by mod_rewrite only works with urls which are unmounted by
JkUnmount. So above Rule is not working because its immediately passed
to the java-worker.
Ist there a way to change this behaviour, so all mod_rewrite is done at
first and passing to java-worker follows last.
Or is unmounting mandatory for this?


Have a look at

http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL%20Handling

Questions about mod_jk more likely get answered on the Apache Tomcat 
users list, because mod_jk is developed as part of the Tomcat project.


Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Response headers set by apache

[Rainer Jung]

Am 30.05.2015 um 02:26 schrieb Emir Ibrahimbegovic:

I've got an app that runs on a tomcat web server, and I use mod-jk on my
apache web server side.

I think I've managed to configure everything to work seamlessly, I ran
into issues when I wanted to cache static assets on webserver, for some
reason my response headers expires is set to **1994**, these are my
headers for one of the javascript files I want to server as static asset
and cache it:

 Accept-Ranges:bytes
 Cache-Control:no-cache
 Connection:Keep-Alive
 Content-Encoding:gzip
 Content-Type:application/javascript
 Date:Fri, 29 May 2015 23:18:25 GMT
 ETag:W/"604348-1432950682000"
 Expires:Thu, 01 Dec 1994 16:00:00 GMT
 Keep-Alive:timeout=5, max=100
 Last-Modified:Fri, 29 May 2015 23:18:25 GMT
 Server:Apache
 Transfer-Encoding:chunked
 Vary:Accept-Encoding


Before trying to fix it I would first analyze, where the strange value 
comes from.


You can

- Add ""%{Expires}o"" to the access log valve pattern in your 
tomcat server.xml and check in the access log, whether the 1994 value is 
already being sent by your webapp.


- you can switch you JkLogLevel for a temporary test to "trace" and do a 
single request. mod_jk will log all headers it receives from Tomcat in 
its own log, so you can check which response headers arrive at the 
Apache web server.


If the wrong header originates in your webapp, first try to fix it 
there.  Only as a last resort, try to overwrite them in the web server. 
If you don't even find it among the ones that mod_jk logs, it must be 
even inside your web server or between your web server and the client. 
The Apache httpd server by itself would not use such a strange date.


You might also look for the string 786297600 somewhere in configurations 
or your webapp, because that is the seconds since the epoch that would 
result in December 1st, 1994, 16:00 GMT. Is it always exactly the same 
value?


Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Question on building mod_qos for Centos 6

[Rainer Jung]

Am 18.08.2015 um 09:59 schrieb Sophie Loewenthal:

Hi,

 I've been trying to build the module mod_qos on for Centos 6 and
wondered if somebody had some experience with this.

The documentation referred to a file buildconf but I did not find this
in the tarball mod_qos-11.16.tar.gz.   Does anybody know where I could
find the *buildconf* file?

Install guide read:

tar xfz httpd-2.2.27.tar.gz
tar xfz mod_qos-11.16-src.tar.gz
ln -s httpd-2.2.27 httpd
cd httpd
mkdir modules/qos
cp ../mod_qos-11.16/apache2/* modules/qos
./*buildconf*
./configure --with-mpm=worker --enable-so --enable-qos=shared --enable-ssl 
--enable-unique-id
make
cd ..

This creates a DSO module that can be loaded into the Apache server
using the following directive:

LoadModule qos_module /mod_qos.so


Typically a script named buildconf or similar is only needed for the 
people doing a release. It uses thr auto-tools (autoconf etc.) to 
generate the configure script.


If you have a real release tarball, configure should be already included 
and you don't need to run buildconf. Just start with the next step, 
running configure.


Regards,

Rainr


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Question on building mod_qos for Centos 6

[Rainer Jung]

Am 18.08.2015 um 12:09 schrieb Sophie Loewenthal:

Thanks Rainr.

I build the modules in the end with  apxs -i -c mod_qos.c -lcrypto
-lpcre because configure asked for items I could not find in my
repositories.

It build this in /etc/httpd/modules/mod_qos
-rw-r--r-- 1 root root 744576 Aug 18 11:37 mod_qos.o
-rw-r--r-- 1 root root276 Aug 18 11:37 mod_qos.lo
-rw-r--r-- 1 root root  0 Aug 18 11:37 mod_qos.slo
-rw-r--r-- 1 root root936 Aug 18 11:37 mod_qos.la

And put a compiled .so in :
# ls -l /usr/lib64/httpd/modules/mod_qos.so
-rwxr-xr-x 1 root root 518232 Aug 18 11:37
/usr/lib64/httpd/modules/mod_qos.so

:)


OK, if it loads that's fine.


Added to httpd.conf

LoadModule qos_module /usr/lib64/httpd/modules/mod_qos.so


Unsure for the conf file. I've created a file called mod_qos.conf in
/etc/httpd/conf.d/ and added:
## QoS Settings

 QS_LogOnly on#  put mod_qos into a permissive mode. No actions
are applied.
 # handles connections from up to 10 different IPs
 QS_ClientEntries 10


Does the last configuration step look correct?


mod_qos is quite complex and allows a lot of configuration depending on 
your use cases. You should probably switch over to the support channels 
provided by the people who created mod_qos. It is a 3rd party module, 
not one coming from the Apache Software Foundation. This list here is 
for questions concerning the Apache web server itself, not 3rd party 
modules.


The best configuration description for mod_qos is probably

http://opensource.adnovum.ch/mod_qos/

Support situation is a bit vague, but their sourceforge site

http://sourceforge.net/p/mod-qos/wiki/Home/

lists the project members and there is an issue tracker

http://sourceforge.net/p/mod-qos/bugs/?source=navbar

and a discusion forum

http://sourceforge.net/p/mod-qos/discussion/?source=navbar

Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Configure Apache behind proxy with auth [wd-vc]

[Rainer Jung]

Am 16.10.2015 um 15:08 schrieb Lucas Santos Sanches:

using cUrl

here is

$curl = curl_init();
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($curl, CURLOPT_TIMEOUT, $curl_timeout);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);


Look for "proxy" in http://php.net/manual/en/function.curl-setopt.php


if ($stream_context != null)
{
$opts = stream_context_get_options($stream_context);
if (isset($opts['http']['method']) &&
Tools::strtolower($opts['http']['method']) == 'post')
{
curl_setopt($curl, CURLOPT_POST, true);
if (isset($opts['http']['content']))
{
parse_str($opts['http']['content'], $post_data);
curl_setopt($curl, CURLOPT_POSTFIELDS, $post_data);
}
}
}
$content = curl_exec($curl);
curl_close($curl);
return $content;
}


Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] web server load testing

[Rainer Jung]

Am 16.10.2015 um 23:06 schrieb Rose, John B:

Does anyone have personal experience, or have heard anything, about any
of these load testing apps?

Soasta Cloudtest
http://www.soasta.com/cloudtest/

HP Stormrunner (Cloud)
http://www8.hp.com/us/en/software-solutions/stormrunner-load-agile-cloud-te
sting/

HP Loadrunner (Locally installed)
http://www8.hp.com/us/en/software-solutions/loadrunner-load-testing/

Flood I/O
https://flood.io 

Blazemeter
https://blazemeter.com 
Blazemeter Chrome extension
https://chrome.google.com/webstore/detail/blazemeter-the-load-testi/mbopgmd
npcbohhpnfglgohlbhfongabi?hl=en

Loadimpact
https://loadimpact.com 

Nouvola
http://www.nouvola.com


It depends a lot on what exact type of test you want to do but I often 
use Apache JMeter for web load testing.


Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] modifying Location header

[Rainer Jung]

Am 29.10.2015 um 10:11 schrieb Hleb Valoshka:

Hi!

Is it possible to modify Location using mod_headers? I want to replace
http:// with https:// but Header edit http://(.*) https://$1 does not
work, neither with always. unset and set don't work as well, only add
works.


I can't see the word "Location" in the configuration you cite.

Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Cross-compiled apache 2.4.17/OpenSSL 1.0.2d for SPARC fails to start on mutex error

[Rainer Jung]

Am 16.11.2015 um 10:22 schrieb spggwp7q:

Hi guys,

I cross-compiled apache 2.4.17 with APR 1.5.2 and APR Util 1.5.4 along
with OpenSSL 1.0.2d for 64-bit SPARC. I tried running it on one of my
boxes and got the following error in the apache error log (the box was
previously running 2.4.10):

[Mon Nov 16 10:04:52.463583 2015] [core:emerg] [pid 17310:tid 1]
(70023)This function has not been implemented on this platform: AH00023:
Couldn't create the ssl-cache mutex
AH00016: Configuration Failed

I suppose there are no changes between 2.4.10 and 2.4.17 that require
changes to the configuration, so I assume this is happening due to a
compile-time issue.

I was able to get over this error by explicitly setting:

Mutex sem default

However, now apache starts and then quickly dies.

[Mon Nov 16 10:13:59.531153 2015] [mpm_worker:notice] [pid 27481:tid 1]
AH00292: Apache/2.4.17 (Unix) OpenSSL/1.0.2d configured -- resuming
normal operations
[Mon Nov 16 10:13:59.532724 2015] [core:notice] [pid 27481:tid 1]
AH00094: Command line: '/opt/SP/apps/ena_apache/current/bin/httpd -f
/opt/SP/apps/apache/global/vfglfe/conf/httpd.conf'
[Mon Nov 16 10:14:02.533892 2015] [core:notice] [pid 27481:tid 1]
AH00051: child pid 27500 exit signal Bus error (10), possible coredump
in /var/tmp
[Mon Nov 16 10:14:02.534215 2015] [core:notice] [pid 27481:tid 1]
AH00060: seg fault or similar nasty error detected in the parent process

gdb is not installed on this box and I have no access to install
it...but just looking into the core file I see:

*** _THREAD_ERROR_DETECTION: lock usage error detected ***

Looking for this error, I found this:
https://issues.apache.org/jira/browse/STDCXX-1040, which seems to imply
a possible issue with certain versions of Solaris.

On my box, uname -a returns:

SunOS now-ena-fe346 5.10 Generic_150400-20 sun4v sparc
SUNW,SPARC-Enterprise-T5220

I don't know if this is impacted by the issue with the standard C++ library

Should I be using a specific version of the library for compilation?

Thanks in advance for your support.


The Bus error could also be due to this bug in 2.4.17, that was fixed 
after the release:


svn.apache.org/r1712294

Maybe you can try that patch?

Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] LogMessage not working

[Rainer Jung]

Am 01.01.2016 um 03:55 schrieb Michael D. Berger:

I am converting my old complex httpd.config from 2.2 to 2.4, and
having numerous problems.  I added mod_log_debug, but I cannot get
LogMessage to work.  Here is one of numerous things I tried inside
a VirtualHost that is working up to a point:


LogMessage "herebefore02 httpdViMn" hook=type_checker expr=true


The message does not appear the log files.  I have seen on the web
that I have to "enable" mod_log_debug, but I have not seen how to
do that.

Thanks for any advice.  Perhaps there is another way to print
things from various parts of the config file?


How is LogLevel set in your config?

Quoting from the docs, the messages logged by mod_log_debug "are logged 
at loglevel info." So if your server runs with "LogLevel warn", they 
won't be logged. In that case use


  LogLevel warn log_debug:info

instead, and start wth a simple

  
LogMessage "herebefore02 httpdViMn"
  

before trying more complex constructs.

Regards,

Rainer




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] LogMessage not working

[Rainer Jung]

Am 01.01.2016 um 22:55 schrieb Michael D. Berger:

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Friday, January 01, 2016 05:56
To: users@httpd.apache.org
Subject: Re: [users@httpd] LogMessage not working

Am 01.01.2016 um 03:55 schrieb Michael D. Berger:

I am converting my old complex httpd.config from 2.2 to 2.4, and
having numerous problems.  I added mod_log_debug, but I cannot get
LogMessage to work.  Here is one of numerous things I tried

inside a

VirtualHost that is working up to a point:


 LogMessage "herebefore02 httpdViMn" hook=type_checker expr=true


The message does not appear the log files.  I have seen on the web
that I have to "enable" mod_log_debug, but I have not seen

how to do

that.

Thanks for any advice.  Perhaps there is another way to

print things

from various parts of the config file?


How is LogLevel set in your config?

Quoting from the docs, the messages logged by mod_log_debug
"are logged at loglevel info." So if your server runs with
"LogLevel warn", they won't be logged. In that case use

LogLevel warn log_debug:info

instead, and start wth a simple


  LogMessage "herebefore02 httpdViMn"


before trying more complex constructs.

Regards,

Rainer


Thanks, but the above suggestions did not work.

I also tried:

LogLevel info

which also didn't work.  I did follow your suggestion for a simpler message.
FWIW, I forgot to mention that I am on Fedora 23.

Any other suggestions?


Do your requests actually hit the right vhost, the one into which you 
had put the LogMessage? Can you see the request in the access log if you 
add a separate access log in the same vhost?


Or in case you put the LogMessage into the global server: could it be 
that your request hits a vhost instead?


Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Self-compiled httpd and OpenSSL: Trying to start httpd without using LD_LIBRARY_PATH

[Rainer Jung]

Am 08.04.2016 um 10:41 schrieb Rainer Canavan:

On Fri, Apr 8, 2016 at 12:31 AM, Yann Ylavic  wrote:

On Thu, Apr 7, 2016 at 5:21 PM, Poggenpohl, Daniel
 wrote:


LDFLAGS="-L$OPENSSLDIR/lib -R $OPENSSLDIR/lib"


I don't know which compiler you are using, but gcc's -R is not working
correctly (on Linux at least), whereas "-Wl,-rpath,$OPENSSLDIR/lib"
is...


-R used to work for us on Solaris with gcc to compile/link/run our own
httpd / php / curl / openssl stack. However, I'm not sure which linker we
used to use. If ldd claims it's picking up the correct libraries, I'd assume
it should work at runtime as well.  In case there's any doubt, lsof may show
which libraries are actually used.


... and you can check the result of the "-R" or "-Wl,-rpath" compilation 
using "elfdump":


  elfdump -d /path/to/modules/mod_ssl.so

will show you exactly, what NEEDED library names the linker has put into 
mod_ssl.so and also the RPATH and RUNPATH setting it has written to that 
shared object.


You can use that command on any shared object or binary (PHP libs etc.). 
I typically use it on Solaris Sparc, but I expect it to work as-is on 
Solaris x86. On Linux the info is available via "objdump -p".


Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Self-compiled httpd and OpenSSL: Trying to start httpd without using LD_LIBRARY_PATH

[Rainer Jung]

Hi,

Am 07.04.2016 um 20:52 schrieb Poggenpohl, Daniel:

Hi,

my setup is: I have a Moodle installation I need to run. So I need Apache, PHP, OpenSSL, 
iconv, mbstring, curl, zip, etc. . The plan is to have a relatively new PHP (5.6.20) and 
stay "new" with Apache and OpenSSL.
Solaris 11.3 seems to come with Apache 2.4.16, PHP 5.3.29, OpenSSL 1.0.1q, curl 
7.35.0, OpenLDAP 2.4.30, and others using the official package repository, so I 
don't really want to use the official packages for Apache, PHP and OpenSSL.
I tried using another package repository (OpenCSW), which seems to provide 
Apache 2.4.18, PHP 5.6.20, curl 7.48.0, OpenSSL 1.0.1s runtime libraries, 
OpenLDAP 2.4.40, etc. .The problem there is that officially, the packages have 
these release numbers, but when I install PHP via pkgutil, I get 5.3.XX ínstead.
So I decided to compile from source.

I compiled OpenSSL 1.0.2g from source without SSLv2 support (without 
enable-ssl2), because I don't really want to have SSLv2 support if I don't need 
it.
Compiling Apache with the setup below posed no problem other than httpd not 
finding 1.0.2g without LD_LIBRARY_PATH.
But the problems began when I compiled PHP 5.6.20 from source (I will send my 
configure call when I'm back at work tomorrow).
Basically, the configure checks curl, uses the system curl which tries to use 
one of the functions in OpenSSL 1.0.2g which are gone. So I had to compile curl 
7.48.0.
The next problem was the jpeg extension which I solved by setting some -I and 
-L options and the PKG_CONFIG_PATH  (pointing to the openssl and curl dirs) . 
It seems to have used the system curl as well.
Then I had to compile iconv because of unrelated reasons.
Then the zip extension wouldn't work so I had to compile libzip.
And so on and so on.

This all didn't happen when I compiled OpenSSL 1.0.2g with SSLv2 support, by 
the way (we deactivated SSLv2 in our Apache anyway, and SSLLabs says we're in 
the clear regarding to Drown). With SSLv2 support, PHP's configure finished 
without a real warning. And I could build it as well. So I frowned and accepted 
SSLv2 support for the moment.


The removal of symbols when SSLv2 support was removed from OpenSSL 
1.0.2g happened by accident and was not intended.


Under

https://github.com/openssl/openssl/commit/133138569f37d149ed1d7641fe8c75a93fded445

you can find a simple patch that was already applied to OpenSSL 1.0.2 
and will be part of the next version 1.0.2h. You might want to add this 
patch to 1.0.2g before compiling. Such an API break is not normal and as 
I said happened this time by accident.



By the way, you didn't quote my CPPFLAGS and LDFLAGS that I set. Using LDFLAGS, or rather -R I 
understand that I can set the runtime search path when linking the library. When I "ldd -s 
httpd", no SSL library is necessary there. And "ldd -s modules/mod_ssl.so" tells me 
it finds the locally installed 1.0.2g version. So I still don't understand why I need to set 
LD_LIBRARY_PATH when the linker finds what I want.


Since LDFLAGS are used for all linking actions, you might better use

MOD_SSL_LDADD="-R/path/to/openssl/lib"

or as Yann said the more compatible

MOD_SSL_LDADD="-Wl,-rpath -Wl,/path/to/openssl/lib"

For the "ab" support binary if you want to compile it with ssl support, 
I think there's also a similar "ab_LDADD" variable and for the crypto 
support in the bundled APR 1.5 there's LDADD_crypto_openssl.



Yes, I want to avoid using LD_LIBRARY_PATH, because I read about methods (like 
using -R) that could tell libraries where they should look first and 
LD_LIBRARY_PATH seems to be a kind of last resort.

Notes:
- Yes, OpenSSL is compiled as a shared library.
- Ideally, I would use /latest links combined with -R to avoid recompiling.
- Do I understand the following right? -I tells the compiler where to look for 
headers during compile time. -L tells the compiler where to find libraries to 
use in linking during the build. -R tells the Linker where to search for 
libraries during runtime.


You did understand it right. See my other post about elfdump/objdump.

Regards,

Rainer













-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Self-compiled httpd and OpenSSL: Trying to start httpd without using LD_LIBRARY_PATH

[Rainer Jung]

Hi Chris,

Am 08.04.2016 um 18:09 schrieb Rainer Canavan:

On Fri, Apr 8, 2016 at 6:02 PM, Christopher Schultz
 wrote:
[...]

I'm speaking from a position of ignorance, here, but can a dynamic
library modify the main process's search path? If only mod_ssl is
compiled with the static-path to OpenSSL but httpd is not (and it's
not clear to me that httpd is missing this static-path), surely the
loadable module isn't modifying the process's library load-path, is it?


The manpage would indicate that the rnupath is only valid for the library
for which it has been set:

https://docs.oracle.com/cd/E19683-01/816-0210/6m6nb7md6/index.html

The runtime linker uses a prescribed search path for locating the
dynamic dependencies of an object. The default search paths are
therunpath recorded in the object, followed by /usr/lib for 32-bit
objects or /usr/lib/64 for 64-bit objects. This latter component can
be modified using a configuration file created with crle(1). The
runpath is specified when the dynamic object is constructed using the
-Roption to ld(1). LD_LIBRARY_PATH can be used to indicate directories
to be searched before the default directories.


Adding to that for Solaris:

- there's the loading of the dependencies
and
- there's symbol resolution in the loaded objects

The loading of the dependencies happens immediately. The name of the 
dependencies are encoded in the shared object as the NEEDED entries.


Example:

 index  tagvalue
   [0]  NEEDED0x1331  libssl.so.1.0.0
   [1]  NEEDED0x1341  libcrypto.so.1.0.0

These are shared object names, not file names.

Looking at some file libssl.so we can see its shared object name:

 index  tagvalue
...
   [7]  SONAME0x4930  libssl.so.1.0.0

Aha, so that file would satisfy the dependency. The SONAMEs are 
typically chosen to express API compatibility.


Where are the files searched for? That's the question Rainer Canavan 
just answered. First on the RUNPATH set in the shared object for which 
we are looking for the dependencies, then in the LD_LIBRARY_PATH, then 
in the globally defined search path.


Example RUNPATH entry:

 index  tagvalue
...
   [6]  RUNPATH   0x101ff /some/path/lib
   [7]  RPATH 0x101ff /some/path/lib

The ldd command (and ldd -v) shows us the list of dependencies and where 
they are found, but "elfdump -d" resp. "objdump -p" helps to understand, 
what the modules/libs originally demanded.


Finally there comes symbol resolution, i.e. a function that is called in 
a shared object, but provided by another loaded shared object like the 
OpenSSL library. Such a symbol is searched for in the binary and the 
full tree of loaded shared objects and dependencies of this process. On 
Solaris the default order - which can be changed during build time - is 
always first searching in the main binary and then in the other shared 
objects in the order they were loaded. So e.g. a symbol needed by 
mod_ssl will first be looked up in httpd, then in the libs loaded by 
httpd directly, then in the various web server modules and their 
dependencies until finally found e.g. in libssl. One can build modules 
so that symbols are always first searched in their direct dependencies 
before searching in the rest of the process, but that's not the default.


Regards,

Rainer (the other one)

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Can't activate LDAPS support in my OpenSSL 1.0.2g/OpenLDAP 2.4.44/Apache 2.4.18/PHP 5.6.20 combination

[Rainer Jung]

Am 14.04.2016 um 17:02 schrieb Poggenpohl, Daniel:

Hello everyone,

thanks to this mailing list I have identified and solved many problems in my 
builds regarding my current setup for a Moodle installation.
- Removed unnecessary switches from Apache build
- Placement of switches inside commands
- new switches for selective runtime search path changing (even if I don't use 
them yet...)
- found new (to me) tools for checking info about binaries and libraries
- Facts about the order of checking in runtime linking paths (-R, crle, 
LD_LIBRARY_PATH)

So thanks for this so far, you've been very helpful.

Yet two problems remain, which may or may be the same problem.
- I have to set LD_LIBRARY_PATH to my own OpenSSL. Only then does PHPInfo tell 
me that the correct OpenSSL is in use.
- Using the system OpenLDAP, I can't connect using LDAPS. Using my own OpenLDAP 
2.4.44, I can use LDAPS on the prompt and I can process a php file containing 
commands to connect via LDAPS. I just can't request the same file via the 
browser (PHP then reports that it can't bind to the LDAP server. I also can't 
login via LDAP to Moodle, but get a an error that the secured connection can't 
be established. (I will send the exact error message if I recompile again to 
test).

Checking in with ldd, all runtime search paths are set. I checked the paths for
OpenSSL: openssl, libssl, libcrypto
OpenLDAP: ldapsearch, libldap, liblber
Apache: httpd, the apr and apr-util libraries, mod_ssl
PHP: php, libphp5.so (in Apache)

The only things that's looked strange are:
- PHP uses Postgres libraries, which in turn depend on libssl and libcrypto. 
When I ldd, I have dependencies to both /my/own/openssl/install/lib and to 
/usr/lib (libssl and libcrypto). But I think that's okay?
- PHP uses libcurl, it finds it in /usr/local/lib . This in turn depends on 
libssl and libcrypto and when I ldd libcurl, it finds them in /usr/lib. Again, 
I don't know? How deep do I have to go here?

My configure commands for each of the four tools:
# OpenSSL
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export CFLAGS="-I$OPENSSLDIR/include" \
CFLAG= \
CPPFLAGS= \
LDFLAGS= \
; \
./Configure shared --openssldir=$OPENSSLDIR enable-ssl2 solaris-x86-gcc \
-I$OPENSSLDIR/include -L$OPENSSLDIR/lib -R$OPENSSLDIR/lib \

openssl-102g-configure.out


# OpenLDAP
OPENLDAPDIR=/moodle/openldap/2.4.44 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export CPPFLAGS="-I$OPENSSLDIR/include" \
CFLAGS= \
LDFLAGS="-L$OPENSSLDIR/lib -R$OPENSSLDIR/lib" \
; \
./configure --prefix=$OPENLDAPDIR --disable-slapd --with-cyrus-sasl 
--with-tls=openssl \

openldap-2444-configure.out 2>&1


# Apache
APACHEDIR=/moodle/apache2/2.4.18 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export PKG_CONFIG_PATH=$OPENSSLDIR/lib/pkgconfig \
CFLAGS= \
CPPFLAGS="-I$OPENSSLDIR/include" \
LDFLAGS="-L$OPENSSLDIR/lib -R$OPENSSLDIR/lib" \
; \
./configure --prefix=$APACHEDIR \
--enable-rewrite --enable-deflate \
--enable-ssl --with-ssl=$OPENSSLDIR \
--disable-version \
--with-included-apr \
--with-mpm=prefork \

apache-2418-configure.out 2>&1


# PHP
APACHEDIR=/moodle/apache2/2.4.18 \
POSTGRESDIR= /usr/postgres/9.3-pgdg \
PHPDIR=/moodle/php/5.6.20 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export PKG_CONFIG_PATH=$OPENSSLDIR/lib/pkgconfig \
CFLAGS="-std=gnu99" \
CPPFLAGS="-I$OPENLDAPDIR/include -I$OPENSSLDIR/include" \
LDFLAGS="-L$OPENLDAPDIR/lib -L$OPENSSLDIR/lib -R$OPENLDAPDIR/lib 
-R$OPENSSLDIR/lib" \
; \
./configure --prefix=$PHPDIR --with-config-file-path=$PHPDIR \
--enable-mbstring --enable-soap --enable-zip --enable-opcache \
--without-sqlite3 --without-pdo-sqlite \
--with-pgsql=$POSTGRESDIR --with-pdo-pgsql=$POSTGRESDIR \
--with-apxs2=$APACHEDIR/bin/apxs \
--with-gd --with-curl --with-xmlrpc --with-zlib --with-mcrypt \
--with-ldap=$OPENLDAPDIR \
--with-openssl=$OPENSSLDIR --with-jpeg-dir=$PHPDIR/jpeg \
--with-iconv=/usr/local \

php-5620-configure.out 2>&1


I also have output for the different stages of the build if that would help.


I don't have a complete answer, only some hints. The problem with PHP 
is, that is uses lots of libraries. Once you start updating some of the 
more complex ones, it can happen, that a non-updated lib uses the same 
other lib as a dependency that your updated lib also uses. OpenSSL is a 
common example for such a dependency. Than you run into trouble, because 
it starts to become harder to decide, which version of that dependency 
lib (OpenSSL in your case) is actually used when.


Here symbol resolution comes into play. Say OpenSSl is linked into all 
places it is needed as a shared object (dynamic linking, .so file), not 
statically. Say you use PHp as mod_php, not via FPM. You start httpd, 
which loads some modules and PHp as pone of the modules loads 
extensions. Assume we have the following load order:


- httpd
  - apr libs
  - ...
  - mod_php
- php curl extension
  - libcurl
- OpenSSL-old
- php ldap extension
  - libldap
- OpenSSL-new
  - ...
  - mod_ssl
   

Re: [users@httpd] Can't activate LDAPS support in my OpenSSL 1.0.2g/OpenLDAP 2.4.44/Apache 2.4.18/PHP 5.6.20 combination

[Rainer Jung]

Am 14.04.2016 um 19:53 schrieb Rainer Jung:

Am 14.04.2016 um 17:02 schrieb Poggenpohl, Daniel:

Hello everyone,

thanks to this mailing list I have identified and solved many problems
in my builds regarding my current setup for a Moodle installation.
- Removed unnecessary switches from Apache build
- Placement of switches inside commands
- new switches for selective runtime search path changing (even if I
don't use them yet...)
- found new (to me) tools for checking info about binaries and libraries
- Facts about the order of checking in runtime linking paths (-R,
crle, LD_LIBRARY_PATH)

So thanks for this so far, you've been very helpful.

Yet two problems remain, which may or may be the same problem.
- I have to set LD_LIBRARY_PATH to my own OpenSSL. Only then does
PHPInfo tell me that the correct OpenSSL is in use.
- Using the system OpenLDAP, I can't connect using LDAPS. Using my own
OpenLDAP 2.4.44, I can use LDAPS on the prompt and I can process a php
file containing commands to connect via LDAPS. I just can't request
the same file via the browser (PHP then reports that it can't bind to
the LDAP server. I also can't login via LDAP to Moodle, but get a an
error that the secured connection can't be established. (I will send
the exact error message if I recompile again to test).

Checking in with ldd, all runtime search paths are set. I checked the
paths for
OpenSSL: openssl, libssl, libcrypto
OpenLDAP: ldapsearch, libldap, liblber
Apache: httpd, the apr and apr-util libraries, mod_ssl
PHP: php, libphp5.so (in Apache)

The only things that's looked strange are:
- PHP uses Postgres libraries, which in turn depend on libssl and
libcrypto. When I ldd, I have dependencies to both
/my/own/openssl/install/lib and to /usr/lib (libssl and libcrypto).
But I think that's okay?
- PHP uses libcurl, it finds it in /usr/local/lib . This in turn
depends on libssl and libcrypto and when I ldd libcurl, it finds them
in /usr/lib. Again, I don't know? How deep do I have to go here?

My configure commands for each of the four tools:
# OpenSSL
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export CFLAGS="-I$OPENSSLDIR/include" \
CFLAG= \
CPPFLAGS= \
LDFLAGS= \
; \
./Configure shared --openssldir=$OPENSSLDIR enable-ssl2 solaris-x86-gcc \
-I$OPENSSLDIR/include -L$OPENSSLDIR/lib -R$OPENSSLDIR/lib \

openssl-102g-configure.out


# OpenLDAP
OPENLDAPDIR=/moodle/openldap/2.4.44 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export CPPFLAGS="-I$OPENSSLDIR/include" \
CFLAGS= \
LDFLAGS="-L$OPENSSLDIR/lib -R$OPENSSLDIR/lib" \
; \
./configure --prefix=$OPENLDAPDIR --disable-slapd --with-cyrus-sasl
--with-tls=openssl \

openldap-2444-configure.out 2>&1


# Apache
APACHEDIR=/moodle/apache2/2.4.18 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export PKG_CONFIG_PATH=$OPENSSLDIR/lib/pkgconfig \
CFLAGS= \
CPPFLAGS="-I$OPENSSLDIR/include" \
LDFLAGS="-L$OPENSSLDIR/lib -R$OPENSSLDIR/lib" \
; \
./configure --prefix=$APACHEDIR \
--enable-rewrite --enable-deflate \
--enable-ssl --with-ssl=$OPENSSLDIR \
--disable-version \
--with-included-apr \
--with-mpm=prefork \

apache-2418-configure.out 2>&1


# PHP
APACHEDIR=/moodle/apache2/2.4.18 \
POSTGRESDIR= /usr/postgres/9.3-pgdg \
PHPDIR=/moodle/php/5.6.20 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export PKG_CONFIG_PATH=$OPENSSLDIR/lib/pkgconfig \
CFLAGS="-std=gnu99" \
CPPFLAGS="-I$OPENLDAPDIR/include -I$OPENSSLDIR/include" \
LDFLAGS="-L$OPENLDAPDIR/lib -L$OPENSSLDIR/lib -R$OPENLDAPDIR/lib
-R$OPENSSLDIR/lib" \
; \
./configure --prefix=$PHPDIR --with-config-file-path=$PHPDIR \
--enable-mbstring --enable-soap --enable-zip --enable-opcache \
--without-sqlite3 --without-pdo-sqlite \
--with-pgsql=$POSTGRESDIR --with-pdo-pgsql=$POSTGRESDIR \
--with-apxs2=$APACHEDIR/bin/apxs \
--with-gd --with-curl --with-xmlrpc --with-zlib --with-mcrypt \
--with-ldap=$OPENLDAPDIR \
--with-openssl=$OPENSSLDIR --with-jpeg-dir=$PHPDIR/jpeg \
--with-iconv=/usr/local \

php-5620-configure.out 2>&1


I also have output for the different stages of the build if that would
help.


I don't have a complete answer, only some hints. The problem with PHP
is, that is uses lots of libraries. Once you start updating some of the
more complex ones, it can happen, that a non-updated lib uses the same
other lib as a dependency that your updated lib also uses. OpenSSL is a
common example for such a dependency. Than you run into trouble, because
it starts to become harder to decide, which version of that dependency
lib (OpenSSL in your case) is actually used when.

Here symbol resolution comes into play. Say OpenSSl is linked into all
places it is needed as a shared object (dynamic linking, .so file), not
statically. Say you use PHp as mod_php, not via FPM. You start httpd,
which loads some modules and PHp as pone of the modules loads
extensions. Assume we have the following load order:

- httpd
   - ap

Re: [users@httpd] Can't activate LDAPS support in my OpenSSL 1.0.2g/OpenLDAP 2.4.44/Apache 2.4.18/PHP 5.6.20 combination

[Rainer Jung]

Am 14.04.2016 um 20:39 schrieb Poggenpohl, Daniel:

Hello,

I just realized that this may not be the problem, but the plugin architecture 
is. I would have to check all modules in Apache and all extensions in PHP for 
dependencies to see all involved dependencies, wouldn't I?


On Solaris "pldd" is your friend. It works on a running process, so also 
shows shared objects loaded programattically via dlopen() etc. like 
Apache modules or PHP extensions.


Regards,

Rainer



Von: Poggenpohl, Daniel [daniel.poggenp...@fernuni-hagen.de]
Gesendet: Donnerstag, 14. April 2016 20:36
An: users@httpd.apache.org
Betreff: AW: [users@httpd] Can't activate LDAPS support in my OpenSSL 
1.0.2g/OpenLDAP 2.4.44/Apache 2.4.18/PHP 5.6.20 combination

Hello,

that sounds reasonable and enlightening to me. Is there a ldd switch or other 
method so that I see the complete dependency tree starting from a 
binary/library I select? ldd -s doesn't seem to go down to the bottom.

Regards,
Daniel P.

____
Von: Rainer Jung [rainer.j...@kippdata.de]
Gesendet: Donnerstag, 14. April 2016 19:53
An: users@httpd.apache.org
Betreff: Re: [users@httpd] Can't activate LDAPS support in my OpenSSL 
1.0.2g/OpenLDAP 2.4.44/Apache 2.4.18/PHP 5.6.20 combination

Am 14.04.2016 um 17:02 schrieb Poggenpohl, Daniel:

Hello everyone,

thanks to this mailing list I have identified and solved many problems in my 
builds regarding my current setup for a Moodle installation.
- Removed unnecessary switches from Apache build
- Placement of switches inside commands
- new switches for selective runtime search path changing (even if I don't use 
them yet...)
- found new (to me) tools for checking info about binaries and libraries
- Facts about the order of checking in runtime linking paths (-R, crle, 
LD_LIBRARY_PATH)

So thanks for this so far, you've been very helpful.

Yet two problems remain, which may or may be the same problem.
- I have to set LD_LIBRARY_PATH to my own OpenSSL. Only then does PHPInfo tell 
me that the correct OpenSSL is in use.
- Using the system OpenLDAP, I can't connect using LDAPS. Using my own OpenLDAP 
2.4.44, I can use LDAPS on the prompt and I can process a php file containing 
commands to connect via LDAPS. I just can't request the same file via the 
browser (PHP then reports that it can't bind to the LDAP server. I also can't 
login via LDAP to Moodle, but get a an error that the secured connection can't 
be established. (I will send the exact error message if I recompile again to 
test).

Checking in with ldd, all runtime search paths are set. I checked the paths for
OpenSSL: openssl, libssl, libcrypto
OpenLDAP: ldapsearch, libldap, liblber
Apache: httpd, the apr and apr-util libraries, mod_ssl
PHP: php, libphp5.so (in Apache)

The only things that's looked strange are:
- PHP uses Postgres libraries, which in turn depend on libssl and libcrypto. 
When I ldd, I have dependencies to both /my/own/openssl/install/lib and to 
/usr/lib (libssl and libcrypto). But I think that's okay?
- PHP uses libcurl, it finds it in /usr/local/lib . This in turn depends on 
libssl and libcrypto and when I ldd libcurl, it finds them in /usr/lib. Again, 
I don't know? How deep do I have to go here?

My configure commands for each of the four tools:
# OpenSSL
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export CFLAGS="-I$OPENSSLDIR/include" \
CFLAG= \
CPPFLAGS= \
LDFLAGS= \
; \
./Configure shared --openssldir=$OPENSSLDIR enable-ssl2 solaris-x86-gcc \
-I$OPENSSLDIR/include -L$OPENSSLDIR/lib -R$OPENSSLDIR/lib \

openssl-102g-configure.out


# OpenLDAP
OPENLDAPDIR=/moodle/openldap/2.4.44 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export CPPFLAGS="-I$OPENSSLDIR/include" \
CFLAGS= \
LDFLAGS="-L$OPENSSLDIR/lib -R$OPENSSLDIR/lib" \
; \
./configure --prefix=$OPENLDAPDIR --disable-slapd --with-cyrus-sasl 
--with-tls=openssl \

openldap-2444-configure.out 2>&1


# Apache
APACHEDIR=/moodle/apache2/2.4.18 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export PKG_CONFIG_PATH=$OPENSSLDIR/lib/pkgconfig \
CFLAGS= \
CPPFLAGS="-I$OPENSSLDIR/include" \
LDFLAGS="-L$OPENSSLDIR/lib -R$OPENSSLDIR/lib" \
; \
./configure --prefix=$APACHEDIR \
--enable-rewrite --enable-deflate \
--enable-ssl --with-ssl=$OPENSSLDIR \
--disable-version \
--with-included-apr \
--with-mpm=prefork \

apache-2418-configure.out 2>&1


# PHP
APACHEDIR=/moodle/apache2/2.4.18 \
POSTGRESDIR= /usr/postgres/9.3-pgdg \
PHPDIR=/moodle/php/5.6.20 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export PKG_CONFIG_PATH=$OPENSSLDIR/lib/pkgconfig \
CFLAGS="-std=gnu99" \
CPPFLAGS="-I$OPENLDAPDIR/include -I$OPENSSLDIR/include" \
LDFLAGS="-L$OPENLDAPDIR/lib -L$OPENSSLDIR/lib -R$OPENLDAPDIR/lib 
-R$OPENSSLDIR/lib" \
; \
./configure --prefix=$PHPDIR --with-config-file-path=$PHPDIR \
-

Re: [users@httpd] Can't activate LDAPS support in my OpenSSL 1.0.2g/OpenLDAP 2.4.44/Apache 2.4.18/PHP 5.6.20 combination

[Rainer Jung]

Am 14.04.2016 um 20:51 schrieb Rainer Jung:

Am 14.04.2016 um 20:39 schrieb Poggenpohl, Daniel:

Hello,

I just realized that this may not be the problem, but the plugin
architecture is. I would have to check all modules in Apache and all
extensions in PHP for dependencies to see all involved dependencies,
wouldn't I?


On Solaris "pldd" is your friend. It works on a running process, so also
shows shared objects loaded programattically via dlopen() etc. like
Apache modules or PHP extensions.


And yet another debug attempt is looking at "man ld.so.1", setting 
LD_DEBUG. The possible settings can be seen by running e.g.


LD_DEBUG=help ANYCOMMAND

in any shell that supports that way of setting an env var for a command 
(like sh or ksh) and ANYCOMMAND can be anything that is not a shell 
builtin (e.g. you can use again "sh").


Symbol resolution should be trackable with LD_DEBUG=symbols, but it will 
give LOTS of output. Probably it helps to start Apache in single process 
mode (-X). The output of the debug flag can be written to a file whose 
name is given by the LD_DEBUG_OUTPUT env var (again see "man ld.so.1").


Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Get UID/GID from a username string

[Rainer Jung]

Am 15.04.2016 um 18:35 schrieb Eric Covener:

Well, it is one option to extend mod_rewrite. What I meant
specifically was that any module can implement a rewritemap internal
function.


Yes, the feature seems to be a bit too specific for general 
implementation in mod_rewrite.


Ben: have a look at how mod_rewrite accesses its own 
ap_register_rewrite_mapfunc via


map_pfn_register = APR_RETRIEVE_OPTIONAL_FN(ap_register_rewrite_mapfunc);

Any module can access the function using this construct. And then 
mod_rewrite registers builtin rewrite map functions e.g. like


map_pfn_register("escape", rewrite_mapfunc_escape);

Your own module can also register your own functions like myuid and mygid:

map_pfn_register("escape", my_mapfunc_uid);

Then you can configure a RewriteMap to use these functions and they will 
call directly the my_mapfunc_uid function in your module to get the uid 
without the need of an external process with locking etc.


In short: the list of builtin functions for RewriteMap is extensible and 
can be extended by 3rd-arty modules using the above method.


If uid and gid alone isn't powerful enough, you can code whatever logic 
you need in your map function and register it with a name that is 
reasonable for you and doesn't clash with what's already there in 
mod_rewrite.


Regards,

Rainer


On Fri, Apr 15, 2016 at 12:19 PM, Ben RUBSON  wrote:

I can't think of any solution that would work out of the box, but
you can always write your own apache module in C.



Which could provide nothing but a new internal rewritemap type.


Rainer, Eric,
Thank you very much for your feedback.

Yes a new rewritemap seems to be the solution.
type name : usr
functions : uid, gid
parameter : name or #uid

For example :
RewriteMap getuid usr:uid
RewriteMap getgid usr:gid

C functions getpwnam and getpwuid would do the job.

Is a pull request here the right method to proceed ?
https://github.com/apache/httpd/blob/trunk/modules/mappers/mod_rewrite.c

Thank you very much,

Ben


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Get UID/GID from a username string

[Rainer Jung]

Am 15.04.2016 um 18:59 schrieb Rainer Jung:

Am 15.04.2016 um 18:35 schrieb Eric Covener:

Well, it is one option to extend mod_rewrite. What I meant
specifically was that any module can implement a rewritemap internal
function.


Yes, the feature seems to be a bit too specific for general
implementation in mod_rewrite.

Ben: have a look at how mod_rewrite accesses its own
ap_register_rewrite_mapfunc via

map_pfn_register = APR_RETRIEVE_OPTIONAL_FN(ap_register_rewrite_mapfunc);

Any module can access the function using this construct. And then
mod_rewrite registers builtin rewrite map functions e.g. like

map_pfn_register("escape", rewrite_mapfunc_escape);



Your own module can also register your own functions like myuid and mygid:

map_pfn_register("escape", my_mapfunc_uid);


Oups, I meant: map_pfn_register("myuid", my_mapfunc_uid);


Then you can configure a RewriteMap to use these functions and they will
call directly the my_mapfunc_uid function in your module to get the uid
without the need of an external process with locking etc.

In short: the list of builtin functions for RewriteMap is extensible and
can be extended by 3rd-arty modules using the above method.

If uid and gid alone isn't powerful enough, you can code whatever logic
you need in your map function and register it with a name that is
reasonable for you and doesn't clash with what's already there in
mod_rewrite.

Regards,

Rainer


On Fri, Apr 15, 2016 at 12:19 PM, Ben RUBSON 
wrote:

I can't think of any solution that would work out of the box, but
you can always write your own apache module in C.



Which could provide nothing but a new internal rewritemap type.


Rainer, Eric,
Thank you very much for your feedback.

Yes a new rewritemap seems to be the solution.
type name : usr
functions : uid, gid
parameter : name or #uid

For example :
RewriteMap getuid usr:uid
RewriteMap getgid usr:gid

C functions getpwnam and getpwuid would do the job.

Is a pull request here the right method to proceed ?
https://github.com/apache/httpd/blob/trunk/modules/mappers/mod_rewrite.c

Thank you very much,

Ben


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Get UID/GID from a username string

[Rainer Jung]

Am 16.04.2016 um 12:09 schrieb Ben RUBSON:

Ben: have a look at how mod_rewrite accesses its own 
ap_register_rewrite_mapfunc via


So Rainer, I just quickly wrote my module, it works, many thanks for your help.

Below is my code, I just have 2 questions regarding it :
1 - do I need to "free(pw)" ?


Good question. My (Solaris) man page for getpwnam() says:

  Reentrant Interfaces
 The  getpwnam(),  getpwuid(),  getpwent(),  and  fgetpwent()
 functions use thread-specific data storage that is reused in
 each call to one of these functions by the same thread, mak-
 ing  them  safe  to use but not recommeded for multithreaded
 applications.

The Linux man page says:

   The return value may point to a static area, and may be 
overwritten by subsequent calls to getpwent(3), getpwnam(), or 
getpwuid().   (Do  not  pass  the

   returned pointer to free(3).)

And the latest standards man page of the OpenGroup says:

The getpwnam() function need not be thread-safe.
...
The application shall not modify the structure to which the return value 
points, nor any storage areas pointed to by pointers within the 
structure. The returned pointer, and pointers within the structure, 
might be invalidated or the structure or the storage areas might be 
overwritten by a subsequent call to getpwent(), getpwnam(), or getpwuid().


So you must not free the returned pointer. Two of the man pages don't 
guarantee thread safety so to stay on the safe side you probably better 
use the reentrant variants getpwnam_r() and getpwuid_r(). For those you 
need to allocate the storage before calling them. You can either 
allocate storage from the request pool (apr_palloc(r->pool, N)) or using 
malloc/free. Modules typically prefer pool allocation. Pool allocation 
doesn't need to be freed. The request pool is automatically freed at the 
end of each request. Even if you need the memory only shorter, if it is 
not many bytes it should be OK to allocate from the request pool and let 
it free only at the end of the request.



2 - is "key = apr_palloc(r->pool, 7)" the right method ? Doing this I want to 
avoid buffer overflow in case of uid/gid greater in length than the key parameter.


Instead of

 key = apr_palloc(r->pool, 7);
 printf(key, "%d", pw->pw_uid);

you can also use

 key = apr_psprintf(r->pool, "%d", pw->pw_uid);

And if you are not going to use more complex formatting tokens

 key = apr_ltoa(r->pool, (long)pw->pw_uid);

There's also an apr_itoa() but we might not be sure, that uid_t fits 
into an int.


Finally as a matter of style, I wouldn't reuse the incoming variable 
"key" for outgoing tasks. Instead I would declare it "const char*" as a 
param, and where you set


 *key = '\0';

you could also

  return "";

and then later

 return apr_ltoa(r->pool, (long)pw->pw_uid);

Everything untested ...

But as always there are many solutions that will work.


Thank you very much,


You're welcome. Nice seeing you picking up that ball so quickly. Welcome 
to the world of module development :) Your example was a nice one, 
because you don't need much clutter to realize that module.


Regards,

Rainer


#include "http_core.h"
#include "mod_rewrite.h"
#include 

static char *uid(request_rec *r, char *key)
{
struct passwd *pw;
if((pw = getpwnam(key)) == NULL)
{
*key = '\0';
}
else
{
key = apr_palloc(r->pool, 7);
sprintf(key, "%d", pw->pw_uid);
}
return key;
}

static char *gid(request_rec *r, char *key)
{
int uid=atoi(key);
struct passwd *pw;
if((pw = getpwuid(uid)) == NULL)
{
*key = '\0';
}
else
{
key = apr_palloc(r->pool, 7);
sprintf(key, "%d", pw->pw_gid);
return key;
}
return key;
}

static void register_hooks(apr_pool_t *pool)
{
APR_OPTIONAL_FN_TYPE(ap_register_rewrite_mapfunc) *map_pfn_register;
map_pfn_register = 
APR_RETRIEVE_OPTIONAL_FN(ap_register_rewrite_mapfunc);
map_pfn_register("uid", uid);
map_pfn_register("gid", gid);
}

AP_DECLARE_MODULE(test) = {
STANDARD20_MODULE_STUFF,NULL,NULL,NULL,NULL,NULL,register_hooks
};


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache proxy keeps cache directory empty

[Rainer Jung]

Am 15.04.2016 um 23:02 schrieb Bjoern Voigt:

Since some years I run a local Apache proxy cache for localhost and the
192.168.1.0/24 network. My proxy cache directory /var/cache/apache-proxy
is cleaned by a htcacheclean weekly cron job.

In the meantime Apache stopped writing files in my cache directory
/var/cache/apache-proxy. The proxy function still works.

I doubt, that an Apache update with configuration directive changes may
have caused the problem. But I don't know after which event Apache
stopped caching.

Here is my Apache proxy configuration. I verified, that the modules
mod_proxy and mod_cache_disk are loaded, e.g. by making temporary syntax
errors between the "IfModule" directives and "apachectl configtest".
- Distribution: openSUSE Tumbleweed
- Apache 2.4.20
- /etc/apache2/conf.d/proxy.conf:


 ProxyRequests On
 ProxyVia On
 AllowCONNECT 443

 
   Require ip 192.168.1.0/255.255.255.0 127.0.0.0/255.0.0.0 ::1
 




 CacheRoot /var/cache/apache-proxy
 CacheEnable disk /
 CacheDirLevels 2
 CacheDirLength 2



How can I debug the problem?
(Btw. "strace" shows, that the cache configuration directory
/var/cache/apache-proxy is never touched by Apache.)


First personally I don't like the use of IfModule. That is a nice 
feature, if you want to be flexible in turning on or of functional 
blocks. But if you have a more rigid configuration and you need a 
feature, why enclose it in IfModule? If the module really isn't loaded, 
you like a clear startup error, that tells you about CacheRoot directive 
isn't known etc. and not instead just load without having the cache 
enabled. So I suggest removing the IfModule directives (assuming that 
the proxy and cache features are not just optional for you).


Can you see the two level directory structure for the cache underneath 
/var/cache/apache-proxy? Are ownerships and permissions OK?


For further debugging you can:

- Add

 %{cache-hit}e %{cache-revalidate}e %{cache-miss}e %{cache-invalidate}e 
%{no-cache}e


  to the LogFormat that you are using in your CustomLog definition 
(access log)


- Add "CacheDetailHeader on" to the config and look at the response 
header "X-Cache-Detail" which tells you about the caching decision and 
reasons.


- Increase the log level of mod_cache and mod_cache_disk via

 LogLevel warn cache:trace8 cache_disk:trace8

Depending on your request load and cache activity this might result in 
lots of error log output.


- Have a look for mod_cache and mod_cache_disk entries for the time 
between your newest working version and the broken one in CHANGES:


  http://www.apache.org/dist/httpd/CHANGES_2.4

Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Using mod_lua to modify request body before being sent to mod_proxy

[Rainer Jung]

Am 19.04.2016 um 04:41 schrieb Matt Hughes:

Yeah, I misspoke when I said |LuaHookInsertFilter|; that isn’t actually
implemented yet at least on 2.4. Actually have been trying the quick
handler and hookfixups.

What hook should I be using? What value do I return from my handler so
that Apache will still send the request onto the reverse proxy?

I feel like this (http://www.modlua.org/recipes/loadbalancing) may be
what I want, but I don’t know how to hook that into my httpd.conf file.
Does this tie into mod_proxy at all, or is this instead of?

In that example, what is the magic string “proxy-server”?:


As far as I can see it is only used by mod_dir and set by mod_rewrite 
(in case a rewrite rule triggers proxying) and mod_proxy. I haven't 
inspected in detail, why mod_dir checks it.



|function proxy_handler(r) r.handler = "proxy-server" r.proxyreq =
apache2.PROXYREQ_REVERSE r.filename = "proxy:" ..
backends[math.random(1,#backends)] .. r.uri return apache2.DECLINED --
let the proxy handler do this instead end |


Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] A cronjob for the apache user - is the home dir for apache really necessary?

[Rainer Jung]

Am 23.04.2016 um 14:05 schrieb Poggenpohl, Daniel:

Hello everyone,

Preface: My system is Solaris 11.2/11.3 X86/64.

I'm changing some cronjobs which previously ran as root which surely isn't 
really necessary.
I entered some cronjob in the crontab for the apache and wondered why it didn't 
execute. I also wondered where the heck I could see what was wrong? I even 
thought that maybe the cronjob isn't even tried to run because the apache user 
doesn't have login enabled and has no password set.

Well, after googling a lot, I found out about /var/cron/log and 
/var/mail/apache, which got me less helpful information (The script was 
executed, but got rc=1), and more helpful information (real error messages 
which helped determine the cause). One of the error messages was that the 
apache user couldn't change directory to his home dir, /export/home/apache. 
That's correct, because the apache user doesn't need a home dir, because he 
isn't a real user.
But the script didn't work without me making the directory for the apache user.

Is there some way to prevent this? My cronjob was just "runSomeScript.sh >> 
script.out", to test it.


I suggest having a read of "man cron" and "man crontab". The latter 
contains the following paragraph:


 The shell is invoked from your $HOME directory with an  arg0
 of sh. Users who desire to have their .profile executed must
 explicitly do so  in  the  crontab  file.  cron  supplies  a
 default environment for every shell, defining HOME, LOGNAME,
 SHELL(=/bin/sh), TZ, and PATH. The  default  PATH  for  user
 cron  jobs  is  /usr/bin;  while  root  cron jobs default to
 /usr/sbin:/usr/bin.  The  default  PATH  can   be   set   in
 /etc/default/cron (see cron(1M)).

So "The shell is invoked from your $HOME directory" describes the 
observed behavior. So I expect there's no way to prevent it.


You can of course run the script as root user and "su" inside the 
script, but that doesn't actually sound better. If the script only needs 
read access to files used by apache, like for log reporting, you can 
design a separate user to run that task. The correct solution might 
depend on what you want to achieve with "runSomeScript.sh".


Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Restart or Reload after changing MaxClients and ServerLimit

[Rainer Jung]

ServerLimit and ThreadLimit configure the size of an internal structure 
which maintains data about processes and threads. This structure is only 
created during Apache start, so if you want to change these two params, 
you need to stop and start.


ThreadsPerChild and MaxClients can be changed and activates with 
"apachectl graceful", no need to restart. Only if ThreadsPerChild needs 
to get increased higher than ThreadLimit, or MaxClients/ThreadsPerChild 
needs to be increased higher than ServerLimit, you need to adjust these 
as well and therefore need a completely new start.


So if you want to reserve some reserve space for ThreadsPerChild or 
MaxClients, you should configure ThreadLimit = ThreadsPerChild + 
"reserved additional threads" and ServerLimit = 
MaxClients/ThreadsPerChild + "reserved additional clients"/ThreadsPerChild.


HTH,

Rainer

Am 24.04.2016 um 21:28 schrieb Cohen, Laurence:

Thanks,

I should have mentioned that I'm running Apache HTTPD 2.2 on a RHEL6.7
system.  There it is tied to MaxClients which is getting changed at
restart.  I believe, according to this that I need to do a full stop and
start to get this to work.

Thanks for your help!

Larry

On Sun, Apr 24, 2016 at 3:22 PM, Ben RUBSON mailto:ben.rub...@gmail.com>> wrote:

https://httpd.apache.org/docs/current/en/mod/mpm_common.html#serverlimit


Le 24 avr. 2016 à 21:20, Cohen, Laurence mailto:lco...@novetta.com>> a écrit :

Thank you!  Which doc are you reading?  I'd like to look at it.

On Sun, Apr 24, 2016 at 3:08 PM, Ben RUBSON mailto:ben.rub...@gmail.com>> wrote:

Reading the doc, seems that ServerLimit is related to
MaxRequestWorkers (which has a default set to 256).

Ben




Le 24 avr. 2016 à 20:52, Cohen, Laurence mailto:lco...@novetta.com>> a écrit :

Hello,

While reloading httpd did increase MaxClients to 400 as
specified, it did not increase ServerLimit to 400 as
specified.  What is worse is that since ServerLimit remained
at 256, this caused MaxClients to be reduced to 256 since
ServerLimit seems to be the hard limit for MaxClients.

Even more frustrating is that when I did a service httpd
restart, it not only did not increase ServerLimit to 400, but
it threw an error that the attempt to increase ServerLimit
during a restart was ignored.

Any ideas why I cannot increase the ServerLimit?

Thanks,

Laurence Cohen

On Sun, Apr 24, 2016 at 11:15 AM, Ben RUBSON
mailto:ben.rub...@gmail.com>> wrote:

Hi,

reload will do it !

Ben



Le 24 avr. 2016 à 17:14, Cohen, Laurence
mailto:lco...@novetta.com>> a écrit :

Hi,

I need to increase my httpd server's MaxClients and
ServerLimit.  Can I just do a

service httpd reload

to load the new settings?

Or do I need to do a

service httpd restart

to load the new settings?

This is on a production server with active users, so
obviously the former is preferable.

Thanks,

Larry Cohen






--
www.novetta.com
Larry Cohen
System Administrator

12021 Sunset Hills Road, Suite 400
Reston, VA 20190
Email lco...@novetta.com 
Office 703-885-1064






--
www.novetta.com
Larry Cohen
System Administrator

12021 Sunset Hills Road, Suite 400
Reston, VA 20190
Email lco...@novetta.com 
Office 703-885-1064






--

www.novetta.com

Larry Cohen

System Administrator


12021 Sunset Hills Road, Suite 400

Reston, VA 20190

Email lco...@novetta.com 

Office 703-885-1064


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Restart or Reload after changing MaxClients and ServerLimit

[Rainer Jung]

Am 25.04.2016 um 20:00 schrieb Cohen, Laurence:

Hi, I really appreciate your response.  What I'd like to know is, how do
I look up this information on my own?  I use this mailing list generally
as a last resort when I can't find the answer myself.  In the case, I
did a lot of research before I asked my question, but couldn't get a
definitive answer.  If you could point me to the documentation that you
are using I'd greatly appreciate it.


Since you are still using the slightly outdated 2.2, the page

https://httpd.apache.org/docs/2.2/en/mod/mpm_common.html

is the official documentation. Looking at for instance

https://httpd.apache.org/docs/2.2/en/mod/mpm_common.html#threadlimit

and

https://httpd.apache.org/docs/2.2/en/mod/mpm_common.html#serverlimit

there's at least some sort of info about restarts and how the params 
relate to each other. But maybe not as easy to grok as it should be.


Regards,

Rainer


On Mon, Apr 25, 2016 at 4:32 AM, Rainer Jung mailto:rainer.j...@kippdata.de>> wrote:

ServerLimit and ThreadLimit configure the size of an internal
structure which maintains data about processes and threads. This
structure is only created during Apache start, so if you want to
change these two params, you need to stop and start.

ThreadsPerChild and MaxClients can be changed and activates with
"apachectl graceful", no need to restart. Only if ThreadsPerChild
needs to get increased higher than ThreadLimit, or
MaxClients/ThreadsPerChild needs to be increased higher than
ServerLimit, you need to adjust these as well and therefore need a
completely new start.

So if you want to reserve some reserve space for ThreadsPerChild or
MaxClients, you should configure ThreadLimit = ThreadsPerChild +
"reserved additional threads" and ServerLimit =
MaxClients/ThreadsPerChild + "reserved additional
clients"/ThreadsPerChild.

HTH,

Rainer

Am 24.04.2016 um 21:28 schrieb Cohen, Laurence:

Thanks,

I should have mentioned that I'm running Apache HTTPD 2.2 on a
RHEL6.7
system.  There it is tied to MaxClients which is getting changed at
restart.  I believe, according to this that I need to do a full
stop and
start to get this to work.

Thanks for your help!

Larry

On Sun, Apr 24, 2016 at 3:22 PM, Ben RUBSON
mailto:ben.rub...@gmail.com>
<mailto:ben.rub...@gmail.com <mailto:ben.rub...@gmail.com>>> wrote:

https://httpd.apache.org/docs/current/en/mod/mpm_common.html#serverlimit

 Le 24 avr. 2016 à 21:20, Cohen, Laurence
mailto:lco...@novetta.com>
 <mailto:lco...@novetta.com
<mailto:lco...@novetta.com>>> a écrit :

 Thank you!  Which doc are you reading?  I'd like to
look at it.

 On Sun, Apr 24, 2016 at 3:08 PM, Ben RUBSON
mailto:ben.rub...@gmail.com>
 <mailto:ben.rub...@gmail.com
<mailto:ben.rub...@gmail.com>>> wrote:

 Reading the doc, seems that ServerLimit is related to
 MaxRequestWorkers (which has a default set to 256).

 Ben



 Le 24 avr. 2016 à 20:52, Cohen, Laurence
mailto:lco...@novetta.com>
 <mailto:lco...@novetta.com
<mailto:lco...@novetta.com>>> a écrit :

 Hello,

 While reloading httpd did increase MaxClients
to 400 as
 specified, it did not increase ServerLimit to
400 as
 specified.  What is worse is that since
ServerLimit remained
 at 256, this caused MaxClients to be reduced to
256 since
 ServerLimit seems to be the hard limit for
MaxClients.

 Even more frustrating is that when I did a
service httpd
 restart, it not only did not increase
ServerLimit to 400, but
 it threw an error that the attempt to increase
ServerLimit
 during a restart was ignored.

 Any ideas why I cannot increase the ServerLimit?

 Thanks,

 Laurence Cohen

 On Sun, Apr 24, 2016 at 11:15 AM, Ben RUBSON
 mailto:ben.rub...@gmail.com>
<mailto:ben.rub...@gmail.com
<mailto:ben.rub...@gmail.com>>> wrote:

 Hi,

 reload will do it !

  

Re: [users@httpd] Install Apache 2.4.20 on Solaris 10 --- Error "ld: fatal: file ab.o: wrong ELF class: ELFCLASS32"

[Rainer Jung]

Am 28.04.2016 um 18:56 schrieb jinhui.huang@dot.gov:

I am following the "Compilling and Installing" guide from
[url]http://httpd.apache.org/docs/2.4/install.html[/url]

The configure running OK:

# export CC="gcc -m64"

# ./configure \

--prefix=/usr/local/apache2/httpd-2.4.20 \

--with-port=80 \

--with-mpm=worker \

--enable-mods-shared=most \

--enable-ssl \

--with-ssl=/usr/local/ssl \

--enable-proxy \

--disable-example \

--with-included-apr \

--with-pcre=/usr/local/apache2/pcre2/bin/pcre2-config

But got a fatal error when run make:

# make





Making all in generators

Making all in dav/fs

Making all in mappers

Making all in support

/usr/local/apache2/install/httpd-2.4.20/srclib/apr/libtool --silent
--mode=link gcc -m64 -std=gnu99  -g -O2   -L/usr/local/ssl/lib -lssl
-lcrypto -luuid -lsendfile -lrt -lsocket -lnsl -lpthread  \

  -o ab  ab.lo
/usr/local/apache2/install/httpd-2.4.20/srclib/apr-util/libaprutil-1.la
-lexpat /usr/local/apache2/install/httpd-2.4.20/srclib/apr/libapr-1.la
-luuid -lsendfile -lrt -lsocket -lnsl -lpthread -lm

ld: fatal: file ab.o: wrong ELF class: ELFCLASS32

ld: fatal: file processing errors. No output written to .libs/ab

collect2: ld returned 1 exit status

*** Error code 1

make: Fatal error: Command failed for target `ab'

Current working directory /usr/local/apache2/install/httpd-2.4.20/support

*** Error code 1

The following command caused the error:

otarget=`echo all-recursive|sed s/-recursive//`; \

list='  '; \

for i in $list; do \

.

.

After searching online, I think the issue is related to the 32-bit class
(ELFCLASS32). I am trying to add some compile/link flags. But there are
many options to try. Is there anyone have this experience? Thank you
very much if you can give my any hint or clue.


The object file ab.o is 32 bit but you want to compile a 64 bit "ab" binary.

How does the make output line look, which compiles ab.c into ab.o 
(libtool ... mode=compile)?


Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Install Apache 2.4.20 on Solaris 10 --- Error "ld: fatal: file ab.o: wrong ELF class: ELFCLASS32"

[Rainer Jung]

Am 28.04.2016 um 19:59 schrieb jinhui.huang@dot.gov:

Hi, Rainer:
The following is the output of make,  after I run a "make clean" first.
Jin

# make clean
Making clean in test
rm -f *.o *.lo *.slo *.obj *.a *.la
rm -rf .libs
Making clean in srclib
Making clean in apr-util
Making clean in test
rm -f ./*.o ./*.lo ./*.a ./*.la ./*.so ./*.obj
rm -rf ./.libs
rm -f manyfile.bin testfile.txt data/sqlite*.db dbd testall
rm -rf autom4te.cache
..
..

# make
Making all in srclib
Making all in apr
/usr/local/apache2/install/httpd-2.4.20/srclib/apr/build/mkdir.sh tools
/bin/bash /usr/local/apache2/install/httpd-2.4.20/srclib/apr/libtool --silent 
--mode=compile gcc -m64 -g -O2   -DHAVE_CONFIG_H  -DSOLARIS2=10 
-D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT   -I./include 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr/include/arch/unix 
-I./include/arch/unix 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr/include/arch/unix 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr/include 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr/include/private 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr/include/private  -o 
tools/gen_test_char.lo -c tools/gen_test_char.c && touch tools/gen_test_char.lo
/bin/bash /usr/local/apache2/inst
..
..
pd-2.4.20/modules/ssl -I/usr/local/apache2/install/httpd-2.4.20/modules/test 
-I/usr/local/apache2/install/httpd-2.4.20/server 
-I/usr/local/apache2/install/httpd-2.4.20/modules/arch/unix 
-I/usr/local/apache2/install/httpd-2.4.20/modules/dav/main 
-I/usr/local/apache2/install/httpd-2.4.20/modules/generators 
-I/usr/local/apache2/install/httpd-2.4.20/modules/mappers  -prefer-non-pic -static -c 
util_xml.c && touch util_xml.lo
/usr/local/apache2/install/httpd-2.4.20/srclib/apr/libtool --silent 
--mode=compile gcc -m64 -std=gnu99  -g -O2  -DSOLARIS2=10 
-D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -I. 
-I/usr/local/apache2/install/httpd-2.4.20/os/unix 
-I/usr/local/apache2/install/httpd-2.4.20/include 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr/include 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr-util/include 
-I/usr/local/apache2/pcre2/include 
-I/usr/local/apache2/install/httpd-2.4.20/modules/aaa 
-I/usr/local/apache2/install/httpd-2.4.20/modules/cache 
-I/usr/local/apache2/install/httpd-2.4.20/modules/core 
-I/usr/local/apache2/install/httpd-2.4.20/modules/database 
-I/usr/local/apache2/install/httpd-2.4.20/modules/filters 
-I/usr/local/apache2/install/httpd-2.4.20/modules/ldap 
-I/usr/local/apache2/install/httpd-2.4.20/modules/loggers 
-I/usr/local/apache2/install/httpd-2.4.20/modules/lua 
-I/usr/local/apache2/install/httpd-2.4.20/modules/proxy 
-I/usr/local/apache2/install/httpd-2.4.20/!

modules/
session -I/usr/local/apache2/install/httpd-2.4.20/modules/ssl 
-I/usr/local/apache2/install/httpd-2.4.20/modules/test 
-I/usr/local/apache2/install/httpd-2.4.20/server 
-I/usr/local/apache2/install/httpd-2.4.20/modules/arch/unix 
-I/usr/local/apache2/install/httpd-2.4.20/modules/dav/main 
-I/usr/local/apache2/install/httpd-2.4.20/modules/generators 
-I/usr/local/apache2/install/httpd-2.4.20/modules/mappers  -prefer-non-pic -static -c 
util_filter.c && touch util_filter.lo

/usr/local/apache2/install/httpd-2.4.20/srclib/apr/libtool --silent 
--mode=compile gcc -m64 -std=gnu99  -g -O2  -DSOLARIS2=10 
-D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -I. 
-I/usr/local/apache2/install/httpd-2.4.20/os/unix 
-I/usr/local/apache2/install/httpd-2.4.20/include 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr/include 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr-util/include 
-I/usr/local/apache2/pcre2/include 
-I/usr/local/apache2/install/httpd-2.4.20/modules/aaa 
-I/usr/local/apache2/install/httpd-2.4.20/modules/cache 
-I/usr/local/apache2/install/httpd-2.4.20/modules/core 
-I/usr/local/apache2/install/httpd-2.4.20/modules/database 
-I/usr/local/apache2/install/httpd-2.4.20/modules/filters 
-I/usr/local/apache2/install/httpd-2.4.20/modules/ldap 
-I/usr/local/apache2/install/httpd-2.4.20/modules/loggers 
-I/usr/local/apache2/install/httpd-2.4.20/modules/lua 
-I/usr/local/apache2/install/httpd-2.4.20/modules/proxy 
-I/usr/local/apache2/install/httpd-2.4.20/!

modules/
session -I/usr/local/apache2/install/httpd-2.4.20/modules/ssl 
-I/usr/local/apache2/install/httpd-2.4.20/modules/test 
-I/usr/local/apache2/install/httpd-2.4.20/server 
-I/usr/local/apache2/install/httpd-2.4.20/modules/arch/unix 
-I/usr/local/apache2/install/httpd-2.4.20/modules/dav/main 
-I/usr/local/apache2/install/httpd-2.4.20/modules/generators 
-I/usr/local/apache2/install/httpd-2.4.20/modules/mappers  -prefer-non-pic -static -c 
util_pcre.c && touch util_pcre.lo

util_pcre.c:49:18: pcre.h: No such file or directory
util_pcre.c: In function `ap_regfree':
util_pcre.c:104: error: `pcre_free' undeclared (first use in this function)
util_pcre.c:104: error: (Each undeclared identifier is reported only once
util_pcre.

Re: [users@httpd] HELP: apache 2.2.17 creating zombies that are increasing server load

[Rainer Jung]

Hi Martin,

Thanks for the detailed information.

The observed zombies are threads in Apache child processes. Those
processes (here PID 16042 are actually in the process of shutting down,
either due to a web server restart, or MPM configuration (like
MacRequestsPerChild or spare process configuration).

Unfortunately one of the threads falls into a non-terminated loop during
shutdown which consumes lots of cpu and prevents the process from
exiting. So the real problem is this looping thread:

> -  lwp# 24 / thread# 24  
> ff1577dc apr_brigade_cleanup (a5a500, 0, 10c0c, fec6367c, fee58624,
> a5a4f0) + 18
> ff014ab8 run_cleanups (a39a80, 0, 4, 0, 1, a65b00) + 20
> ff015b94 apr_pool_destroy (a39a70, a35aa0, ff017ddc, 0, de520, 0) + 38
> ff015dec apr_pool_clear (a35a60, a35aa0, a35aa0, 1d5, 0, 19ab58) + 1c
> 00099a2c worker_thread (19aef8, 7, 0, e0400, e0400, 54) + 230
> ff020640 dummy_worker (19aef8, fd47c000, 0, 0, ff020634, 1) + c
> fecc94f0 _lwp_start (0, 0, 0, 0, 0, 0)

Problems like that are unfortunately not easy to debug.

Do you use any 3rd-party modules, which did not come bundled with
Apache? Your config doesn't indicate it, but I'm asking to double check,
because e.g. "pfiles" lists OpenSSL libs without mod_ssl being loaded in
the config. It might be you compiled modules into httpd statically.

Any error message in the error_log?

Can you reproduce the problem? Even on a test system?

Although I'm not aware of any fixes directly related, it might be a good
first step to switch to 2.2.20 (or 2.2.21, which will be released likely
in few days) and apr 1.4.5 / apr-util 1.3.12 in order to start debugging
from recent versions.

Regards,

Rainer

On 07.09.2011 22:59, Martin, Jeff wrote:
> Hello,
> I have a Solaris 10 server running apache 2.2.17 and on a weekly basis
> its creating zombies and increasing the load to the point where we have
> to restart it every Thursday night. There are 6 apache instances running
> on this box but this is the only one seeing the issue. There have been
> no changes to the box that I am aware of or the developers are aware of.
> I've included a lot of output as I'm not sure what will be helpful and
> what won't. Any info or steps to resolve this is most appreciated. TIA.
> Jeff
> 
> bash-3.00# ulimit -a
> core file size(blocks, -c) unlimited
> data seg size (kbytes, -d) unlimited
> file size (blocks, -f) unlimited
> open files(-n) 256
> pipe size  (512 bytes, -p) 10
> stack size(kbytes, -s) 8192
> cpu time (seconds, -t) unlimited
> max user processes(-u) 29995
> virtual memory(kbytes, -v) unlimited
> 
> bash-3.00# netstat -an|grep 172.23.181.34.80|wc -l
> 3438
> 
> bash-3.00# uptime
>   1:43pm  up 343 day(s),  2:59,  2 users,  load average: 4.41, 4.50,
> 4.39
> 
> SunOS 5.10 Generic_142909-17 sun4v sparc SUNW,SPARC-Enterprise-T5120
> 
> httpd.conf
> ServerRoot "/web/apache2-prod-showcase_second"
> 
> Listen 172.23.181.34:80
> 
> LoadModule headers_module modules/mod_headers.so
> LoadModule rewrite_module modules/mod_rewrite.so
> 
> 
> 
> 
> User csdrd
> Group daemon
> 
> 
> 
> 
> ServerAdmin webmas...@xx.x.com
> 
> ServerName xx.x.com
> 
> DocumentRoot "/apps/doc-root"
> 
> ErrorLog "logs/error_log"
> LogLevel warn
> 
> DefaultType text/plain
> 
> # Cache control
> ExpiresActive   On
> ExpiresByType   image/gif   "access plus 1 weeks"
> ExpiresByType   image/jpg   "access plus 1 weeks"
> ExpiresByType   image/jpeg   "access plus 1 weeks"
> ExpiresByType   application/x-shockwave-flash   "access plus 1
> weeks"
> ExpiresByType   image/png   "access plus 1 weeks"
> FileETag none
> 
> ProxyRequests Off
> ProxyPreserveHost On
> 
> 
> Order deny,allow
> Deny from all
> Allow from all
> 
> 
> ProxyPass /showcase/explore balancer://exploreutc
> stickysession=JSESSIONID|jsessionid timeout=5 lbmethod=byrequests nofail
> over=Off
> # Port 8180 service bind
> 
> BalancerMember http://172.22.81.99:8080/utc route=host3
> BalancerMember http://172.22.81.100:8080/utc route=host4
> BalancerMember http://172.22.81.99:8180/utc route=host3a
> BalancerMember http://172.22.81.100:8180/utc route=host4a
> 
> 
> 
> Options FollowSymLinks
> AllowOverride None
> Order deny,allow
> Deny from all
> 
> 
> 
> Options FollowSymLinks
> AllowOverride All
> Order allow,deny
> Allow from all
> 
> 
> 
> AllowOverride None
> Options None
> Order allow,deny
> Allow from all
> 
> 
> 
> Order allow,deny
> Deny from all
> Satisfy All
> 
> 
> 
> DirectoryIndex index_explore.html
> 
> 
> 
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\"" combined
> LogFormat "%h %l %u %t \"%r\" %>s %b" common
>  
> 
>   # You need to enable mod_logio.c to use %I and %O
>   LogFormat "%h %l %u %t \"%r\" %

Re: [users@httpd] Apache freezes after running for 2 days.

[Rainer Jung]

On 26.09.2011 23:35, Abhi Auradkar wrote:
> I have been running the apache server to load test a application. 
> 
> The apache 2.2.20 is running on CentOS 5.6
> 
> -bash-3.2$ uname -a
> Linux hdm102 2.6.18-238.19.1.el5.centos.plus #1 SMP Mon Jul 18 10:05:09
> EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
> -bash-3.2$ cat /etc/issue
> CentOS release 5.6 (Final)
> Kernel \r on an \m
> 
> 
> -bash-3.2$ ./httpd -V
> Server version: Apache/2.2.20 (Unix)
> Server built:   Sep  8 2011 23:41:28
> Server's Module Magic Number: 20051115:28
> Server loaded:  APR 1.4.5, APR-Util 1.3.12
> Compiled using: APR 1.4.5, APR-Util 1.3.12
> Architecture:   64-bit
> Server MPM: Worker
>   threaded: yes (fixed thread count)
> forked: yes (variable process count)
> Server compiled with
>  -D APACHE_MPM_DIR="server/mpm/worker"
>  -D APR_HAS_SENDFILE
>  -D APR_HAS_MMAP
>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>  -D APR_USE_SYSVSEM_SERIALIZE
>  -D APR_USE_PTHREAD_SERIALIZE
>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>  -D APR_HAS_OTHER_CHILD
>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>  -D DYNAMIC_MODULE_LIMIT=128
>  -D HTTPD_ROOT="/usr/local/apache2"
>  -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>  -D DEFAULT_ERRORLOG="logs/error_log"
>  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
>  -D SERVER_CONFIG_FILE="conf/httpd.conf"
> 
> 
> I have a custom module(mod_.so) and oracle weblogic apache
> plugin(mod_wl_22.so) loaded via LoadModule directive into apache. 
> 
> The load that is being tested is 2500 req/second. 
> 
> Under this load apache continues to run for 2-3 days but suddnely stops
> responding.  Has been happening consistently. 
> Once this condition occurs apache stops serving even static pages exa:
> index.html or does not display server-status(mod_status).
> 
> And the only way to recover is to restart the server. 
> 
> The errors that I see in the error log are the following ones, which
> keep showing up frequently of which the first one when the weblogic
> server refuses connections dues to overload condition.
> 
> *1.* [Tue Sep 20 08:15:11 2011] [error] [client 135.115.142.108]
> ap_proxy: trying POST /cwmp-allow/cwmpWeb/CPEMgt at backend host
> '64.186.185.155/7003; got exception 'CONNECTION_REFUSED [os error=0,
> line 1715 of ../nsapi/URL.cpp]: Error connecting to host
> 64.186.185.155:7003'
> *2.* [Tue Sep 20 08:15:12 2011] [error] [client 135.115.142.100]
> *(34)Numerical result out of range: *mod_: _throttle_handler():
> failed to release the mutex lock
> 
> Had a look at the errno of apr and *(34)Numerical result out of range
> *doesn't seem to be coming from APR. 
> 
> Has some come across such a issue? Any kind of help/advice will really
> helpfull. 

Use gstack or similar against the hangingApache processes to inspect
what they are doing. My guess: since your modules logs "failed to
release the mutex lock", the worker threads micht block in trying to
acquire the unreleased lock.

Regards,

Rainer

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_include.so: undefined symbol: ap_escape_html2 Error

[Rainer Jung]

On 01.10.2011 16:17, Wang, Mary Y wrote:
> After a system upgrade, I'm unable to start the Apache server anymore.
> Using the following command to start Apache server 'httpd -f
> /opt/csvn/data/conf/httpd.conf -k start' , I got the following error:
> httpd: Syntax error on line 20 of /opt/csvn/data/conf/httpd.conf: Cannot
> load /opt/csvn/lib/modules/mod_include.so into server:
> /opt/csvn/lib/modules/mod_include.so: undefined symbol: ap_escape_html2
>  
> I'm not sure what to do with the undefined symbol: ap_escape_html2
>  
> Running on FC5 and httpd-2.2.0-5.1.2.

The function was included in Apache 2.2.12. It is used by mod_include
and provided by the Apache core (the httpd binary). So it seems you
updated the module, but not the httpd binary itself.

Regards,

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] problem with rotatelogs time of day formatting

[Rainer Jung]

On 01.10.2011 05:20, Albert Lunde wrote:
> The date substitutions are working, but the time of day characters come
> out as zeros. An example, and some system information, are quoted below.

> ErrorLog "|/usr/local/sbin/rotatelogs -f
> /var/log/httpd/error_log_chnuinfow3.%Y-%m-%d-%H_%M_%S.txt 86400"
> 
> [root@chnuinfow3 conf]# ls -1 /var/log/httpd
> access_log_chnuinfow3.2011-09-30-00_00_00.txt
> access_log_chnuinfow3.2011-10-01-00_00_00.txt
> access_log_skipped_chnuinfow3.2011-09-30-00_00_00.txt
> access_log_skipped_chnuinfow3.2011-10-01-00_00_00.txt
> error_log_chnuinfow3.2011-09-30-00_00_00.txt
> error_log_chnuinfow3.2011-10-01-00_00_00.txt

The timestamp used for the file names is always the previous point in
time where rotation would have happended. You configured a daily
rotation pattern (86400 seconds). By default it rotates at midnight in
GMT timeone, or using the local timezone if rotatelogs is used with the
flag "-l".

So I guess either your system runs on GMT, or you used "-l". With 86400
rotation always happens at midnight (GMT or localtimewith -l) and the
time 00:00:00 is correct. Note that even the new files created when you
start Apache will have the formatted timestamp for the "previous point
in time where rotation would have happended", so when using 86400 it
would be last midnight (relative to GMT or localtimewhen using -l).

Try using a very different interval, like e.g. "90" and observe, whether
the files rotate every 90 seconds and now produce more interesting
formatted timestamps.

Regards,

Rainer

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] serving pre-compressed content

[Rainer Jung]

On 06.10.2011 18:36, Xavier Noria wrote:
> Does anyone have a well-tested and idiomatic Apache configuration to serve
> pre-compressed content? Vary header, Content-Type header, browser gotchas,
> and everything robustly sorted out?

Yes, see below.

> The situation is that you have foo.css and foo.css.gz on disk, and want
> Apache to serve foo.css.gz directly if asked for foo.css and the clients
> accepts the compressed content.

Note, that because of mime type handling our convention for the filename
is foo.gz.css. Also my recipe expects you to have both files available,
foo.css and foo.gz.css.

> I guess that's going to be based on content negotiation with MultiViews, but
> a google search suggests there are practical issues to get this right that
> may not be obvious at first.

Not necessary.

> And also a curiosity: After all these years, why doesn't mod_deflate do this
> by itself? Compressing with max ratio to disk on a first request, and
> serving the cached .gz in subsequent requests?

Patches welcome!

Now to the config and how it works:

General description

1) mod_rewrite checks, whether the browser accepts gzipped content
(RewriteCond against Accept-Encoding request header)

2) If so, check whether the URL belongs to the range of URLs, for which
we provide pre compressed static content
(prefix and suffix matches, you might need to adjust)
You can also use "-f" to check for existance, but I prefer a more
tightly managed environment, were it is clear that for certain URL
pattern all files exist compressed and uncompressed and wedon't have to
do a "-f" for each request.

3) If 1) and 2) are true, insert ".gz" before the file name suffix,
adjust the URL accordingly and set a marker environment variable we can
later check.

4) Now if the env var in 3) is set, use mod_headers toset the
Content-Encoding response header to "gzip".

Why does it work? By changing the request URL we let Apache send the
compressed file. The content Type doesn't change, because the filesuffix
hasn't changes (foo.gz.css). Browsers who don't accept gzipped content
should not indicate gzip support in the Accept-Encoding request header
so we send uncompressed content.

Caches need to be made aware of whether the response is compressed or
not. For this one uses the Vary response header. Fortunately since we
make our response depending on the Accept-Encoding request header using
mod_rewrite, mod_rewrite automaticcaly adds it to Vary for us. Nice.

Note: mod_deflate is not involved.

Following is a commented example config snippet:

# This needs mod_rewrite and mod_headers
# loaded as modules.

# Make static content available.
# Not needed if already mounted elsewhere.

Alias /myapp/static /opt/myapp/static/

# Activate mod_rewrite and debug logging.
# Not needed if mod_rewrite is already
# activated for this VHost elsewhere.

RewriteEngine On
# Configure RewriteLog according to your needs
# RewriteLog ...
# RewriteLogLevel ...

# Flip in compressed content if allowed.
# Assumes all the compressed files are on disk
# having the correct names:
# something.css -> something.gz.css
# something.js -> something.gz.js

# 1) Check whether browser accepts "gzip" encoding
RewriteCond %{HTTP:Accept-Encoding} gzip
# 2) Check whether request belongs to our
#static URLs and has the right suffix
#If yes, add ".gz" to URL before existing suffix
#and remember this in our custom environment variable.
RewriteRule (/myapp/static/.*)\.(css|js)$ $1.gz.$2 [E=gz:1]

# Fix returned encoding header if we use the gzippped file.
Header set Content-Encoding gzip env=gz

# Notes:
#
# - Be careful when introducing loops for rewrite rules:
#   The new .gz.js etc. file would again match the rule
#   leading to unterminated recursion.
#   Make regexp more precise in that case (not allowing the .gz.)
#   to match again.
#
# - Content-Type header works OK, because file suffix hasn't changed.
#   This would not work for files without suffix, because then
#   we end up with a ".gz" suffix!
#
# - Vary header is automatically extended with "Accept-Encoding"
#   by mod_rewrite because of using the "Accept-Encoding" header
#   in the RewriteCond
#
# - Old-style "Accept-Encoding: x-gzip" in request also works.
#   The "gzip" is a sub pattern match (not anchored).
#
# Open Questions:
#
# - Is there any interoperability issue when mod_deflate is
#   activated in addition (double compress or similar).
#   If so, try to set env var "no-gzip" to deactivate mod_deflate
#   for those requests.

Example shell script to generate the compressed content (in addition to
the uncompressed already existing files), here for *.css and *.js:

CONTENT_DIR=/opt/myapp/static/
for suffix in css js
do
for file in \
  `find $CONTENT_DIR -type f -name "*.$suffix" -a ! -name "*.gz.*"`
do
gzfile=`echo $file | sed -e 's#\.'$suffix'#.gz.'$suffix'#'`
gzip --best -c $file > $gzfile
chmod 644 $gzfile
echo === $file $gzfile ===
ls -ld $file 

Re: [users@httpd] vulnerabilities-oval.xml

[Rainer Jung]

On 08.10.2011 22:51, Pascal HERAUD wrote:
> Hello,
> 
> Does anybody know where did go the
> http://httpd.apache.org/security/vulnerabilities-oval.xml page ?

The page was removed:

http://svn.apache.org/viewvc?view=revision&revision=1179600

Regards,

Rainer

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] AJP proxy timeout problem

[Rainer Jung]

Which version of httpd?

On 28.10.2011 08:49, SpliFF wrote:
> I've having an issue where a long-running backend script behind AJP is 
> causing apache to error with "Service Temporarily
> Unavailable" after exactly 5 minutes.
> 
> I tried to solve this by moving from mod_rewrite to mod_proxy, with the 
> following configuration:
> 
> # Search Engine Safe URL rewrite
> # Redirect Coldfusion requests to index.cfm
> # matches /file.mp4 but not /file:name.mp4 (ie; is a real file)
> RewriteCond %{REQUEST_FILENAME} !/[^/:]+\.[^/:]{2,5}$
> RewriteRule (.*) /index.cfm$1 [PT]
> 
> # Proxy CFML files to Jetty via AJP connector
> 
> Allow from 127.0.0.1
> 
> ProxyPreserveHost On
> ProxyRequests Off
> ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ ajp://localhost:8009/$1$2 
> connectiontimeout=6000 timeout=6000
> 
> 
> If I'm not mistaken those timeouts are in seconds so AJP should be waiting at 
> least 100 minutes.
> 
> I also made sure the Railo backend would wait long enough, using the 
> following CFML tag:
> 
> 
> 
> I checked the Jetty (Application server) config but there doesn't seem to be 
> any timeout options.
> 
> The apache error log (with debugging) says:
> 
> [Fri Oct 28 15:28:45 2011] [debug] mod_proxy_ajp.c(45): proxy: AJP: 
> canonicalising URL
> //localhost:8009/index.cfm/subscribers/importold
> [Fri Oct 28 15:28:45 2011] [debug] proxy_util.c(1525): [client 192.168.1.60] 
> proxy: *: found reverse proxy worker for
> ajp://localhost:8009/index.cfm/subscribers/importold
> [Fri Oct 28 15:28:45 2011] [debug] mod_proxy.c(1015): Running scheme ajp 
> handler (attempt 0)
> [Fri Oct 28 15:28:45 2011] [debug] mod_proxy_ajp.c(659): proxy: AJP: serving 
> URL
> ajp://localhost:8009/index.cfm/subscribers/importold
> [Fri Oct 28 15:28:45 2011] [debug] proxy_util.c(2011): proxy: AJP: has 
> acquired connection for (*)
> [Fri Oct 28 15:28:45 2011] [debug] proxy_util.c(2067): proxy: connecting
> ajp://localhost:8009/index.cfm/subscribers/importold to localhost:8009
> [Fri Oct 28 15:28:45 2011] [debug] proxy_util.c(2193): proxy: connected 
> /index.cfm/subscribers/importold to localhost:8009
> [Fri Oct 28 15:28:45 2011] [debug] proxy_util.c(2444): proxy: AJP: fam 2 
> socket created to connect to *
> [Fri Oct 28 15:28:45 2011] [debug] ajp_header.c(224): Into 
> ajp_marshal_into_msgb
> [Fri Oct 28 15:28:45 2011] [debug] ajp_header.c(290): ajp_marshal_into_msgb: 
> Header[0] [Host] =
> [users.arcmail.betamax.arc.net.au]
> [Fri Oct 28 15:28:45 2011] [debug] ajp_header.c(290): ajp_marshal_into_msgb: 
> Header[1] [User-Agent] = [Mozilla/5.0 (X11;
> Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1]
> [Fri Oct 28 15:28:45 2011] [debug] ajp_header.c(290): ajp_marshal_into_msgb: 
> Header[2] [Accept] =
> [text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
> [Fri Oct 28 15:28:45 2011] [debug] ajp_header.c(290): ajp_marshal_into_msgb: 
> Header[3] [Accept-Language] = [en-us,en;q=0.5]
> [Fri Oct 28 15:28:45 2011] [debug] ajp_header.c(290): ajp_marshal_into_msgb: 
> Header[4] [Accept-Encoding] = [gzip, deflate]
> [Fri Oct 28 15:28:45 2011] [debug] ajp_header.c(290): ajp_marshal_into_msgb: 
> Header[5] [Accept-Charset] =
> [ISO-8859-1,utf-8;q=0.7,*;q=0.7]
> [Fri Oct 28 15:28:45 2011] [debug] ajp_header.c(290): ajp_marshal_into_msgb: 
> Header[6] [DNT] = [1]
> [Fri Oct 28 15:28:45 2011] [debug] ajp_header.c(290): ajp_marshal_into_msgb: 
> Header[7] [Connection] = [keep-alive]
> [Fri Oct 28 15:28:45 2011] [debug] ajp_header.c(290): ajp_marshal_into_msgb: 
> Header[8] [Cookie] =
> [CFID=d5b4b21d-bea4-4875-b2f3-7dc003c7fa64; CFTOKEN=0; FW_BUGZ=; 
> RAILO_ADMIN_LANG=en; RAILO_ADMIN_LASTPAGE=server.cache]
> [Fri Oct 28 15:28:45 2011] [debug] ajp_header.c(450): ajp_marshal_into_msgb: 
> Done
> [Fri Oct 28 15:28:45 2011] [debug] mod_proxy_ajp.c(265): proxy: 
> APR_BUCKET_IS_EOS
> [Fri Oct 28 15:28:45 2011] [debug] mod_proxy_ajp.c(270): proxy: data to read 
> (max 8186 at 4)
> [Fri Oct 28 15:28:45 2011] [debug] mod_proxy_ajp.c(285): proxy: got 0 bytes 
> of data
> [Fri Oct 28 15:28:46 2011] [debug] ajp_header.c(687): ajp_read_header: 
> ajp_ilink_received 06
> [Fri Oct 28 15:28:46 2011] [debug] ajp_header.c(697): ajp_parse_type: got 06
> [Fri Oct 28 15:33:46 2011] [error] ajp_read_header: ajp_ilink_receive failed
> [Fri Oct 28 15:33:46 2011] [debug] mod_proxy_ajp.c(531): (120006)APR does not 
> understand this error code:
> ajp_read_header failed
> [Fri Oct 28 15:33:46 2011] [debug] mod_proxy_ajp.c(546): proxy: Processing of 
> request failed backend: 1, output: 0
> [Fri Oct 28 15:33:46 2011] [error] (120006)APR does not understand this error 
> code: proxy: dialog to (null) (*) failed
> [Fri Oct 28 15:33:46 2011] [debug] proxy_util.c(2029): proxy: AJP: has 
> released connection for (*)
> 
> Note the delay between "ajp_parse_type: got 06" and "ajp_ilink_receive 
> failed" is 5 minutes accurate to the second. I
> read somewhere that 5 minutes is the default timeout for mod_proxy so 

Re: [users@httpd] Enabling mod_expires and mod_headers

[Rainer Jung]

On 28.10.2011 08:19, Brent Clark wrote:
> On 27/10/2011 15:11, Eric Covener wrote:
>> If you want them cached, there's a benefit in enabling caching.
> 
> Thanks for replying.
> 
> But would I be correct in thinking that they both ultimately do the same
> task, I.e. work on the headers. So would I be right in thinking that
> there is no point to enabling both mod_expires and mod_headers.
> Or is there an added benefit.

mod_expires only handels the Expires and Cache-Control: max-age headers.
There exist more headers that are relevant for cache control. If expires
is enough for you, you won't need mod_headers.

Regards,

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] AJP proxy timeout problem

[Rainer Jung]

On 29.10.2011 10:21, SpliFF wrote:
> 2.2.20 running on Gentoo 64-bit.
> 
> Server version: Apache/2.2.20 (Unix)
> Server built:   Sep 22 2011 02:42:57
> Server's Module Magic Number: 20051115:28
> Server loaded:  APR 1.4.5, APR-Util 1.3.12
> Compiled using: APR 1.4.5, APR-Util 1.3.12
> Architecture:   64-bit
> Server MPM: Worker
>   threaded: yes (fixed thread count)
> forked: yes (variable process count)
> Server compiled with
>  -D APACHE_MPM_DIR="server/mpm/worker"
>  -D APR_HAS_SENDFILE
>  -D APR_HAS_MMAP
>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>  -D APR_USE_SYSVSEM_SERIALIZE
>  -D APR_USE_PTHREAD_SERIALIZE
>  -D APR_HAS_OTHER_CHILD
>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>  -D DYNAMIC_MODULE_LIMIT=128
>  -D HTTPD_ROOT="/usr"
>  -D SUEXEC_BIN="/usr/sbin/suexec"
>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>  -D DEFAULT_ERRORLOG="logs/error_log"
>  -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
>  -D SERVER_CONFIG_FILE="/etc/apache2/httpd.conf"
> 
> 
> On 28/10/11 19:16, Rainer Jung wrote:
>> Which version of httpd?
>>
>> On 28.10.2011 08:49, SpliFF wrote:
>>> I've having an issue where a long-running backend script behind AJP is 
>>> causing apache to error with "Service Temporarily
>>> Unavailable" after exactly 5 minutes.
>>>
>>> I tried to solve this by moving from mod_rewrite to mod_proxy, with the 
>>> following configuration:
>>>
>>> # Search Engine Safe URL rewrite
>>> # Redirect Coldfusion requests to index.cfm
>>> # matches /file.mp4 but not /file:name.mp4 (ie; is a real file)
>>> RewriteCond %{REQUEST_FILENAME} !/[^/:]+\.[^/:]{2,5}$
>>> RewriteRule (.*) /index.cfm$1 [PT]
>>>
>>> # Proxy CFML files to Jetty via AJP connector
>>> 
>>> Allow from 127.0.0.1
>>> 
>>> ProxyPreserveHost On
>>> ProxyRequests Off
>>> ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ ajp://localhost:8009/$1$2 
>>> connectiontimeout=6000 timeout=6000
>>>
>>>
>>> If I'm not mistaken those timeouts are in seconds so AJP should be waiting 
>>> at least 100 minutes.
>>>
>>> I also made sure the Railo backend would wait long enough, using the 
>>> following CFML tag:
>>>
>>> 
>>>
>>> I checked the Jetty (Application server) config but there doesn't seem to 
>>> be any timeout options.
>>>
>>> The apache error log (with debugging) says:
>>>
>>> [Fri Oct 28 15:28:45 2011] [debug] mod_proxy_ajp.c(45): proxy: AJP: 
>>> canonicalising URL
>>> //localhost:8009/index.cfm/subscribers/importold
>>> [Fri Oct 28 15:28:45 2011] [debug] proxy_util.c(1525): [client 
>>> 192.168.1.60] proxy: *: found reverse proxy worker for
>>> ajp://localhost:8009/index.cfm/subscribers/importold
>>> [Fri Oct 28 15:28:45 2011] [debug] mod_proxy.c(1015): Running scheme ajp 
>>> handler (attempt 0)
>>> [Fri Oct 28 15:28:45 2011] [debug] mod_proxy_ajp.c(659): proxy: AJP: 
>>> serving URL
>>> ajp://localhost:8009/index.cfm/subscribers/importold
>>> [Fri Oct 28 15:28:45 2011] [debug] proxy_util.c(2011): proxy: AJP: has 
>>> acquired connection for (*)
>>> [Fri Oct 28 15:28:45 2011] [debug] proxy_util.c(2067): proxy: connecting
>>> ajp://localhost:8009/index.cfm/subscribers/importold to localhost:8009
>>> [Fri Oct 28 15:28:45 2011] [debug] proxy_util.c(2193): proxy: connected 
>>> /index.cfm/subscribers/importold to localhost:8009
>>> [Fri Oct 28 15:28:45 2011] [debug] proxy_util.c(2444): proxy: AJP: fam 2 
>>> socket created to connect to *
>>> [Fri Oct 28 15:28:45 2011] [debug] ajp_header.c(224): Into 
>>> ajp_marshal_into_msgb
>>> [Fri Oct 28 15:28:45 2011] [debug] ajp_header.c(290): 
>>> ajp_marshal_into_msgb: Header[0] [Host] =
>>> [users.arcmail.betamax.arc.net.au]
>>> [Fri Oct 28 15:28:45 2011] [debug] ajp_header.c(290): 
>>> ajp_marshal_into_msgb: Header[1] [User-Agent] = [Mozilla/5.0 (X11;
>>> Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1]
>>> [Fri Oct 28 15:28:45 2011] [debug] ajp_header.c(290): 
>>> ajp_marshal_into_msgb: Header[2] [Accept] =
>>> [text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
>>> [Fri Oct 28 15:28:45 2011] [debug] ajp_header.c(290): 
>>> ajp_marshal_into_msgb: Header[3] [Accept-Language] = [en-us,en;q=0.5]
>>> [Fri Oct 2

Re: [users@httpd] HTTP meetup at ApacheCon?

[Rainer Jung]

On 29.10.2011 17:38, Sander Temme wrote:
> 
> On Oct 29, 2011, at 7:20 AM, Eric Covener wrote:
> 
>> Please bump the interest count linked below if you'll attend the HTTP
>> meetup on Thursday Nov 11 at ApacheCon in Vancouver:
> 
> Done... who else is coming?

I'm coming.

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] apr_off_t mismatch

[Rainer Jung]

On 09.11.2011 22:17, William A. Rowe Jr. wrote:

On 11/9/2011 11:52 PM, Asaf Dalet wrote:

the precompiled apache version is definitely 2.2.0 (according to httpd
-V) and there is
definitely some mismatch between request_rec size between it and my
compiled module. Of
course i don't know it for sure because i don't know the exact
sizeof(request_rec) in the
precompiled apache. In my module the sizeof is 424.


What does it say for the APR version from httpd -V? That is the
element that has control over apr_off_t structs.

It sounds as if the packagers of this particular precompile happened
to override our preference to define LARGE_FILES whenever possible
for APR versions from 1.0 onwards.


There was an APR bug fixed in APR 1.2.10, where LFS detection failed on 
Solaris when the build was done on NFS (I was bitten by that myself in 
2007). Maybe that happened here too?


See:

https://issues.apache.org/bugzilla/show_bug.cgi?id=42821

http://mail-archives.apache.org/mod_mbox/apr-commits/200707.mbox/%3c20070705220704.307fa1a9...@eris.apache.org%3E

Regards,

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] apr_off_t mismatch

[Rainer Jung]

On 09.11.2011 23:31, Asaf Dalet wrote:

i don't see APR version in httpd -V when i run it on an accidental apache,
only "Server version"

also, is there a way to compile the APR without LARGE_FILES? i would like
to do it so i can test the scenario.


It would help, if you provided a bit more info. Usually the output of 
"httpd -V" does contain the needed version strings. Example here:


bin/httpd -V
Server version: Apache/2.2.6 (Unix)
Server built:   Oct 19 2007 22:50:30
Server's Module Magic Number: 20051115:5
Server loaded:  APR 1.2.11, APR-Util 1.2.10
Compiled using: APR 1.2.11, APR-Util 1.2.10
Architecture:   32-bit
Server MPM: Prefork
  threaded: no
forked: yes (variable process count)
Server compiled with
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_FCNTL_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/some/path/run"
 -D SUEXEC_BIN="/some/path/bin/suexec"
 -D DEFAULT_PIDLOG="run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="run/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

So please post your output.

Regards,

Rainer


On Thu, Nov 10, 2011 at 8:17 AM, William A. Rowe Jr.wrote:


On 11/9/2011 11:52 PM, Asaf Dalet wrote:


the precompiled apache version is definitely 2.2.0 (according to httpd
-V) and there is
definitely some mismatch between request_rec size between it and my
compiled module. Of
course i don't know it for sure because i don't know the exact
sizeof(request_rec) in the
precompiled apache. In my module the sizeof is 424.



What does it say for the APR version from httpd -V?  That is the
element that has control over apr_off_t structs.

It sounds as if the packagers of this particular precompile happened
to override our preference to define LARGE_FILES whenever possible
for APR versions from 1.0 onwards.




-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] response time in jmeter

[Rainer Jung]

On 12.11.2011 08:44, Marco Di Sano wrote:

Hi all,
someone can tell me what parameter is the response time to serve an http 
request in JMETER?
Is it latency parameter???

Please help me


Please post your question to the JMeter users list:

http://jmeter.apache.org/mail.html
http://jmeter.apache.org/mail2.html

Regards,

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache 2 server hangs when CGI script is executed

[Rainer Jung]

On 29.11.2011 07:43, garima goel wrote:

Hi All,

I work for Oracle, India. I deployed Oracle Access Manager Webgate
module on Apache 2 Server which provides single sign-on solution.
I also configured Apache 2 server in SSL mode on Solaris 10 and enabled
hardware acceleration by setting "SSLCryptoDevice" to "pkcs11".
When CGI script is accessed using the above configuration, then the
Apache Server hangs and the script does not get executed.
The issue is not seen when Apache 2 server is configured in non-SSL
mode. Also, the issue is not seen when "SSLCryptoDevice" is set to
"built-in".


Use Solaris pstack and check, where the process that handles the request 
hangs. You mind need to go through all of the Apache processes to find 
the correct one (or use pfiles first to find the one that's connected to 
the client).


Regards,

Rainer

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_proxy ProxyPass max parameter and ThreadsPerChild

[Rainer Jung]

On 29.11.2011 11:29, codefruit wrote:

Hello,

I am using Apache 2.2 with the MPM worker. I have some questions about
the interaction between the 'max' parameter that can be added to a
mod_proxy ProxyPass configuration line and the MPM worker
ThreadsPerChild value.

 From reading the docs, my understanding is that if I add a 'max'
key/value to a ProxyPass line then the max should only be less than or
equal to ThreadsPerChild.



1) Is this correct?


Yes.


2) If I do not add a max value to the ProxyPass line is the maximum
amount of connections allowed through still subject to the limit of
ThreadsPerChild?


Docs say: The default for this limit is the number of threads per 
process in the active MPM. In the Prefork MPM, this is always 1, while 
with other MPMs it is controlled by the ThreadsPerChild directive.


So: "yes"


3) If I have a configuration such as:

ProxyPass /examples http://backend.example.com/examples max=10
ProxyPass /docs http://backend.example.com/docs max=100

ThreadsPerChild=150

Can both ProxyPass connection pools use the same server child process
(for example a single one with 150 threads)?


Yes.

Incoming requests are mapped to threads, threads work on the request and 
finally need to contact a backend server depending on configuration and 
URL. At that point in time they try to get a backend connection from the 
pool.


Each process has its own proxy pools (all with the same config).

Regards,

Rainer

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_proxy ProxyPass max parameter and ThreadsPerChild

[Rainer Jung]

On 07.12.2011 18:41, codefruit wrote:

Hi,

Thank you for the information. I have one more question on this subject

You say that each server process has its own mod_proxy proxy pools
(all with the same config).

So, if I configure my mod_proxy like so:

ProxyPass /examples http://backend.example.com/examples max=10

And there happen to 5 server child processes running, does that mean
that each of process has a max of 10, so, in total, 50 concurrent
connections will be allowed through to the backend?


Yes.

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_rewrite / mod_jk not working together

[Rainer Jung]

On 27.12.2011 17:12, Eric Covener wrote:

What am I missing?  How do I make mod_jk use the mapped URL from
mod_rewrite?  (And send the mapped URL on to Tomcat instead of sending the
original URL)?


The PT flag, but there is also a mod_jk bug or config element that can
prevent that from working IIRC.


Correct, apart from the needed [PT] flag for the RewriteRule there are 
old outdated mod_jk config snippets floating in the web containing


JkOptions +ForwardURICompatUnparsed

which is garbage. With non-antique mod_jk versions (>=1.2.24), it is 
best to remove any ForwardURI* JkOption.


Jerry: you might want to read about it on

http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html

and

http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html

Regards,

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] 2.4.0 fails

[Rainer Jung]

On 17.01.2012 01:25, Nick Edwards wrote:

Hello,

I was not sure if I should subscribe to dev list to send this, but, I
guess here is better?
Trying out 2.4.0 from 2.2.21

Well, the config file from 2.2.21 is not going to work, fine, I'll
deal with that in time, obviously things that were defaulted to under
some IFs are no longer so a full rewrite of config is going to be
needed, I mean User/Group clearly are options but apparently not for
me LOL.. but anyway the more pressing thing is the build...

I liked the earlier method where when using:

  --enable-so --enable-modules=all --disable-dav --enable-suexec   ..snip..
Would statically build my modules leaving only  httpd.exp  libphp5.so
(yes, from php) in modules/   just like in 2.2.x, but not so, I'm left
with 100 .so's in modules/
and 100 loadmodule options in config file to scratch my head at what
ones I need to return too to get back to the old behaviour

then I found new option --enable-mods-static  which I assumed would
revert back to how it used to be, but alas build now fails:


Which should work. Can you please post your complete configure line? Not 
sure how you merged your first attempt with the static switch.


Regards,

Rainer


modules/dav/lock/.libs/libmod_dav_lock.a(locks.o): In function
`dav_generic_dbm_new_error':
/usr/local/src/httpd-2.4.0/modules/dav/lock/locks.c:226: undefined
reference to `dav_new_error'
modules/dav/lock/.libs/libmod_dav_lock.a(locks.o): In function
`dav_generic_really_open_lockdb':
/usr/local/src/httpd-2.4.0/modules/dav/lock/locks.c:328: undefined
reference to `dav_push_error'
modules/dav/lock/.libs/libmod_dav_lock.a(locks.o): In function
`dav_generic_save_lock_record':
/usr/local/src/httpd-2.4.0/modules/dav/lock/locks.c:447: undefined
reference to `dav_new_error'
/usr/local/src/httpd-2.4.0/modules/dav/lock/locks.c:531: undefined
reference to `dav_push_error'
modules/dav/lock/.libs/libmod_dav_lock.a(locks.o): In function
`dav_generic_load_lock_record':
/usr/local/src/httpd-2.4.0/modules/dav/lock/locks.c:664: undefined
reference to `dav_new_error'
modules/dav/lock/.libs/libmod_dav_lock.a(locks.o): In function
`dav_generic_resolve':
/usr/local/src/httpd-2.4.0/modules/dav/lock/locks.c:721: undefined
reference to `dav_new_error'
modules/dav/lock/.libs/libmod_dav_lock.a(locks.o): In function
`dav_generic_get_locks':
/usr/local/src/httpd-2.4.0/modules/dav/lock/locks.c:798: undefined
reference to `dav_new_error'
modules/dav/lock/.libs/libmod_dav_lock.a(locks.o): In function
`dav_generic_open_lockdb':
/usr/local/src/httpd-2.4.0/modules/dav/lock/locks.c:363: undefined
reference to `dav_new_error'
modules/dav/lock/.libs/libmod_dav_lock.a(locks.o): In function
`dav_generic_parse_locktoken':
/usr/local/src/httpd-2.4.0/modules/dav/lock/locks.c:264: undefined
reference to `dav_new_error'
modules/dav/lock/.libs/libmod_dav_lock.a(locks.o):/usr/local/src/httpd-2.4.0/modules/dav/lock/locks.c:273:
more undefined references to `dav_new_error' follow
collect2: ld returned 1 exit status
make[1]: *** [httpd] Error 1
make[1]: Leaving directory `/usr/local/src/httpd-2.4.0'
make: *** [all-recursive] Error 1


any suggestions?


I must also say, that 2.4.0 documentation leaves a  lot to be desired
for those upgrading, like no mention we also now need to separately
get the -deps  file as well.

the CHANGES file does not include any stand out gotyas either for
those using major upgrades,  from 2.2 to 2.4, and that's going to be a
lot.


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_dav, XP-File Explorer and ErrorDocument 404

[Rainer Jung]

On 23.01.2012 14:44, Hendrik Schmieder wrote:

Michael Renner schrieb:

I guess this is more or less a bug, isn't it? Can I solve it server side
without to do it without the external page?
CU


This looks like a know IE bug (at least for older versions).
IE expects that error documents have a minimal length.


That would be the problem mentioned at the end of

http://httpd.apache.org/docs/2.1/en/mod/core.html#errordocument

and in

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q294807

Regards,

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache 2.2.21 SSL on RHEL v5.7

[Rainer Jung]

On 23.01.2012 20:02, Ruiyuan Jiang wrote:

Hi,

I have two Apache 2.2.21 reverse proxy servers on Solaris 10 (SPARC) and additional 
modules that not in the Apache distribution. They are running fine so far. Now we want to 
migrate Apache to Redhat Enterprise server v5.7. I compiled Apache the same way and same 
option as on the Solaris through a script that I saved. I copied all the modified 
necessary configuration files from Solaris and certificates from Solaris to Redhat and 
made necessary changes such as IP addresses. The syntax check is OK. When I start Apache 
on the Redhat, "apachectl start" just sits there without giving back the shell 
prompt. The access log and error log are empty so I don't know the reason. If I disable 
httpd-ssl.conf file which will not start https, Apache starts fine. Does anyone know what 
could be for ssl problem on Redhat?


Maybe not enough entropy on /den/random or /dev/urandom whatever is used?


Also I first compiled openssl 1.0.0f on Redhat, I then downloaded openssl 
1.0.0g once it became available and compiled it at the same location. On 
Solaris if I restart Apache, the error log will show the new version of Openssl 
but on Redhat, Apache shows the old version (1.0.0f) of OpenSSL. Why? Thanks.


Solaris doesn't have OpenSSL 1.0 linbs installed in the default lib 
directories, so mod_ssl will find your custom build one. RedHat comes 
with OpenSSL 1.0 installed, so you have to set LD_LIBRARY_PATH or link 
statically into mod_ssl in order to let mod_ssl find the right OpenSSL lib.


If there is other stuff in your Apache which also has dependencies to 
OpenSSL, like e.g. something doing ldaps, then things will become quite 
tricky :(


Regards,

Rainer



-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] External module suspected to be slow - how to add timer around calls

[Rainer Jung]

On 25.01.2012 14:18, DENIS Laurent wrote:

Hello,


*** Question ***
How can I measure how much time is spent in the processing function of
module?

Of course, the supplier of the module does not provide any source code.

My idea is to add an APRLOG_DEBUG the "apr_time_now" before and after
the function is called (don't know yet which hook it's registered to,
guess I'll have to add debug around all hooks).
But I haven't found in which source code file the function is called.

Even the faintest hint would greatly help me.


*** Context ***
On a Sparc T5120 server with (1 CPUs, 64vCPU, 64GB memory), running
Solaris 10 + apache 2.2.21 worker / 2.2.17 prefork, I have
"intermittent" slow responses.
The server is not overloaded (5% CPU, 50GB free memory, 5MB/second on
network link).

The problem occurs for around 0.5% of the request (ran thousands of
request) - even for very simple pages like an index.html of 20 bytes on
non-SSL server.


Since it is on Solaris, you could try to use Dtrace.


The delay occurs between the moment the moment the request is received
and the moment the first byte of the header is sent to the client
(verified with tcpdump on server + perl script with IO::Socket to have a
better idea that with a wget).

The time shown by the logs (%D) is way above the second (sometimes up to
120 seconds where the average time is 4ms).


%T gives better resolution.


The server is under moderate load: 200 requests / second and have a very
complex configuration (lots of forwards, rewrite, aliases, vhosts,
etc...)

There's an external module loaded for CA Siteminder that performs
authentication. I suspect this one to be guilty for the delay, maybe by
its communication with the policy server.
I cannot isolate the traffic to the policy server for one request, the
channel is cyphered and used for all the requests.


And it is not one connection per request?


No "timing" log option available in this module as far as I can find.
On a lightly loaded server, the delay does not appear, so I need to test
on the production server.


mod_info could tell you about the hoks used by siteminder, so it could 
be possible to narrow down the cause with a custom module.


Regards,

Rainer

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] RE: Can you use variables inside a conf file?

[Rainer Jung]

On 25.01.2012 14:47, Desilets, Alain wrote:

I use this syntax too, but I think it works for me only because of my   
loading of a NON-STANDARD module, mod_define.

http://people.apache.org/~rjung/mod_define/mod_define.html


It works for me and I don't have mod_define loaded.


Using an environment variable with the ${MYVAR} syntax works without 
mod_define. If you want to define the value of the variable inside the 
httpd configuration files, you would need mod_define.


Major difference: environment variables can't be changed with "apachectl 
restart" or "apachectl graceful", because in both cases the httpd parent 
process keept running and all child processes are forked from it with an 
unchanged environment.


If you define the variables inside the configuration and use the 
additional module, any changes to the definitions will become active by 
"apachectl restart" and "apachectl graceful".


Starting with the forthcoming Apache 2.4 defining variable inside the 
httpd configuration will become a core feature.


Regards,

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] RE: Can you use variables inside a conf file?

[Rainer Jung]

On 29.01.2012 09:42, Steve Swift wrote:

Out of curiosity, is it possible to define the same environment
variable, but with different values, in different VirtualHosts? I
presume this can't be done, as all of the hosts would inherit the same
environment, including the environment variables.

For example, I have live and test versions of every "server" in our
apache. The live server uses directory /cgi-bin/ and the test server
uses /cgi-test/. This means that we have to define things like aliases
in both live and test VirtualHosts. This means we can screw them up...

I've always wanted to define some sort of "local" variable in each
VirtualHost, containing the location of the cgi directory. Then we could
INCLUDE the same set of aliases in both the live and test hosts, but
they would pick up their respective paths.

In fact, I've often wished that the Apache configuration would support
its own internal variables, but so far nothing has happened. I must not
be wishing hard enough.


Sorry, mod_define and the builtin variables for Apache 2.4 only support 
global variables.


Maybe mod_macro could help you. It allows to specify recurring config 
snipets which you can instantiate using parameters.


Regards,

Rainer


On 28 January 2012 14:53, Rainer Jung mailto:rainer.j...@kippdata.de>> wrote:

On 25.01.2012 14:47, Desilets, Alain wrote:

I use this syntax too, but I think it works for me
only because of my
loading of a NON-STANDARD module, mod_define.

http://people.apache.org/~__rjung/mod_define/mod_define.__html
<http://people.apache.org/~rjung/mod_define/mod_define.html>


It works for me and I don't have mod_define loaded.


Using an environment variable with the ${MYVAR} syntax works without
mod_define. If you want to define the value of the variable inside
the httpd configuration files, you would need mod_define.

Major difference: environment variables can't be changed with
"apachectl restart" or "apachectl graceful", because in both cases
the httpd parent process keept running and all child processes are
forked from it with an unchanged environment.

If you define the variables inside the configuration and use the
additional module, any changes to the definitions will become active
by "apachectl restart" and "apachectl graceful".

Starting with the forthcoming Apache 2.4 defining variable inside
the httpd configuration will become a core feature.

Regards,

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Problem when building Apache 2.2.22 with --with-included-apr - libtool: link: only absolute run-paths are allowed

[Rainer Jung]

On 09.02.2012 02:33, Manuel Lemos wrote:

Hello,

I am trying to build Apache 2.2.22 from source.

Since it was giving some missing symbols in APR, I tried to build it
with --with-included-apr .

It compiles OK, but when it tries to link apr it gives me an libtool
error. Full output below.

libtool: link: only absolute run-paths are allowed

Anybody has a clue what is the matter and how can I avoid this?


I guess we could provide a clue, once we get your exact configure 
command with all params. If you don't have them any longer you can post 
the contents of config.nice.


It seems you got the "--prefix" wrong (but that's just a guess).

Regards,

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] concurrent connections and netstat

[Rainer Jung]

On 11.02.2012 06:11, Ishita Kapadiya wrote:

Hi All,

Recently I did 'ab' test just to check performance of my new setup. so
far, if we want to check concurrent users for that server, we were
using "netstat -an | grep 'EST' | wc -l" to check how many total no of
connections being used. I know we can use mod_status to get the
accurate results. but I am curious to know, how to determine total no
of concurrent connections being served by Apache web server at any
point of time. Even though I have set 50 concurrent users test with
'ab', I hardly see 50 ESTABLISHED connections! Even I checked total no
of CLOSE_WAIT, TIME_WAIT&   ESTABLISHED connections but that was also
not matching with the result of what mod_status was showing.

Can anyone let me know what could be the reason? I want to know how to
determine that MaxClients limit is approaching just by looking into
netstat o/p (or any other command)  without using mod_status.


netstat established and mod_status should show figures close to each 
other. The deltas are:


- If using ab without "-k" you are not using HTTP Keep-Alive, i.e. each 
request needs to open an new TCP connection. When using "-k", mod_status 
shows established connections which did not yet receive any follow-on 
requests with a "K"


- When doing HTTPS, SSL handshakes are between connection establishment 
and requests


- ab itself is single threaded but very efficient. So if you push 
concurrency very far, ab itself will need to process the results send 
back from the web server. Concurrency 50 should be fine though.


Can cou give us some numbers? If you let run ab with "-k" for a longer 
time, what numbers do you see in netstat, and which number of each 
letter typically in the server-status? Are you using HTTPS?


Regards,

Rainer

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] concurrent connections and netstat

[Rainer Jung]

On 11.02.2012 21:05, Ishita Kapadiya wrote:

Hi Rainer,

Thanks.  I forogt to mention that I was using HTTPS with Keepalive
disabled. Based on your hint, i again tried to monitor netstat o/p and
mod_status o/p.
I have used below command for ab script -  ./ab -n 1 -c 50
http://1.2.3.4/xyz.html
I was monitoring netstat o/p through script each second - netstat
-antp | grep -w 1.2.3.4:80 | grep EST | wc -l
Here is the o/p -
16
27
13
13
8
18
9
18
16
2
16
18
13
22
18
31
60
0
0
14
115
0
13
7
0
72
0
111
0
0
65

When I was monitoring mod_status o/p it was showing almost 45-49
requests currently being processed which is matching with 50
concurrent users test.


Good, so Apache itself is seeing the kind of load you try to produce 
with ab.



Of course, as expected no "K" present in the
o/p as i have disabled keepalive. All req were showing as etiher "C"
or "W"


OK


My concern is netstat o/p shown above. why there is so much variation?
Even if we take avg. of above values, it comes to 23.06 connections!

Please provide your thoughts.


Actually no idea. The consistency of the "-c 50" switch with mod_status 
at the other end suggests that something is wrong with the netstat 
measurement. Have a look at the full output instead of immediately 
throwing away everything apart from EST.


The numbers bigger than 50 indicate that there might also be connections 
from some other client involved, the much lower numbers are very strange.



On Sat, Feb 11, 2012 at 7:25 AM, Rainer Jung  wrote:

On 11.02.2012 06:11, Ishita Kapadiya wrote:


Hi All,

Recently I did 'ab' test just to check performance of my new setup. so
far, if we want to check concurrent users for that server, we were
using "netstat -an | grep 'EST' | wc -l" to check how many total no of
connections being used. I know we can use mod_status to get the
accurate results. but I am curious to know, how to determine total no
of concurrent connections being served by Apache web server at any
point of time. Even though I have set 50 concurrent users test with
'ab', I hardly see 50 ESTABLISHED connections! Even I checked total no
of CLOSE_WAIT, TIME_WAIT& ESTABLISHED connections but that was also

not matching with the result of what mod_status was showing.

Can anyone let me know what could be the reason? I want to know how to
determine that MaxClients limit is approaching just by looking into
netstat o/p (or any other command)  without using mod_status.



netstat established and mod_status should show figures close to each other.
The deltas are:

- If using ab without "-k" you are not using HTTP Keep-Alive, i.e. each
request needs to open an new TCP connection. When using "-k", mod_status
shows established connections which did not yet receive any follow-on
requests with a "K"

- When doing HTTPS, SSL handshakes are between connection establishment and
requests

- ab itself is single threaded but very efficient. So if you push
concurrency very far, ab itself will need to process the results send back
from the web server. Concurrency 50 should be fine though.

Can cou give us some numbers? If you let run ab with "-k" for a longer time,
what numbers do you see in netstat, and which number of each letter
typically in the server-status? Are you using HTTPS?

Regards,

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] apache 2.4.1 and mod cband

[Rainer Jung]

On 23.02.2012 01:25, Eric Covener wrote:

On Wed, Feb 22, 2012 at 6:52 PM, Nick Edwards  wrote:

Hi,
I know this may be a little off-topic, but am asking here because mod
cband has it seems been abandon-ware for few years now, even half the
authors I contacted have no idea about the main developers
whereabouts.

mod_cband works fantastic, except in trying 2.4.1 of apache httpd it
no longer builds.
I hope someone has an idea on as to how to fix

/usr/sbin/apxs -Wc,-Wall -Wc,-DDST_CLASS=3 -c src/mod_cband.c
/opt/apache/build/libtool --silent --mode=compile gcc -std=gnu99
-prefer-pic -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE
-g -O2 -pthread -I/usr/include/libxml2 -I/opt/apache/include
-I/opt/apache/include -I/opt/apache/include -Wall -DDST_CLASS=3 -c -o
src/mod_cband.lo src/mod_cband.c&&  touch src/mod_cband.slo

src/mod_cband.c: In function 'mod_cband_create_traffic_size':
src/mod_cband.c:1054: warning: comparison with string literal results
in unspecified behavior
src/mod_cband.c:1054: warning: comparison with string literal results
in unspecified behavior
src/mod_cband.c:1058: warning: comparison with string literal results
in unspecified behavior
src/mod_cband.c:1058: warning: comparison with string literal results
in unspecified behavior
src/mod_cband.c: In function 'mod_cband_get_dst':
src/mod_cband.c:1333: error: 'conn_rec' has no member named 'remote_ip'
src/mod_cband.c: In function 'mod_cband_get_remote_host':
src/mod_cband.c:1362: error: 'struct conn_rec' has no member named 'remote_ip'
src/mod_cband.c:1363: error: 'struct conn_rec' has no member named 'remote_ip'
src/mod_cband.c:1365: error: 'struct conn_rec' has no member named 'remote_addr'
apxs:Error: Command failed with rc=65536



Apache 2.4 splits the "remote_ip" into a client IP (TCP peer) and a
useragent_ip (e.g. X-Forwarded-For)

Arbitrarily choosing the former for mod_cband lets it build:

http://apache.pastebin.ca/2120923
http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html


... and for very simple tasks you might want to have a look at 
mod_ratelimit, which is bundled with 2.4. Improvements welcome ;)


Regards,

Rainer

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] apache 2.4.1 and mod cband

[Rainer Jung]

On 23.02.2012 13:35, Nick Edwards wrote:

On 2/23/12, Rainer Jung  wrote:

On 23.02.2012 01:25, Eric Covener wrote:

On Wed, Feb 22, 2012 at 6:52 PM, Nick Edwards
wrote:

Hi,
I know this may be a little off-topic, but am asking here because mod
cband has it seems been abandon-ware for few years now, even half the
authors I contacted have no idea about the main developers
whereabouts.

mod_cband works fantastic, except in trying 2.4.1 of apache httpd it
no longer builds.
I hope someone has an idea on as to how to fix

/usr/sbin/apxs -Wc,-Wall -Wc,-DDST_CLASS=3 -c src/mod_cband.c
/opt/apache/build/libtool --silent --mode=compile gcc -std=gnu99
-prefer-pic -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE
-g -O2 -pthread -I/usr/include/libxml2 -I/opt/apache/include
-I/opt/apache/include -I/opt/apache/include -Wall -DDST_CLASS=3 -c -o
src/mod_cband.lo src/mod_cband.c&&   touch src/mod_cband.slo

src/mod_cband.c: In function 'mod_cband_create_traffic_size':
src/mod_cband.c:1054: warning: comparison with string literal results
in unspecified behavior
src/mod_cband.c:1054: warning: comparison with string literal results
in unspecified behavior
src/mod_cband.c:1058: warning: comparison with string literal results
in unspecified behavior
src/mod_cband.c:1058: warning: comparison with string literal results
in unspecified behavior
src/mod_cband.c: In function 'mod_cband_get_dst':
src/mod_cband.c:1333: error: 'conn_rec' has no member named 'remote_ip'
src/mod_cband.c: In function 'mod_cband_get_remote_host':
src/mod_cband.c:1362: error: 'struct conn_rec' has no member named
'remote_ip'
src/mod_cband.c:1363: error: 'struct conn_rec' has no member named
'remote_ip'
src/mod_cband.c:1365: error: 'struct conn_rec' has no member named
'remote_addr'
apxs:Error: Command failed with rc=65536



Apache 2.4 splits the "remote_ip" into a client IP (TCP peer) and a
useragent_ip (e.g. X-Forwarded-For)

Arbitrarily choosing the former for mod_cband lets it build:

http://apache.pastebin.ca/2120923
http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html


... and for very simple tasks you might want to have a look at
mod_ratelimit, which is bundled with 2.4. Improvements welcome ;)


Would be fantastic if it did similar to cband though, we really only
use it for quota limits on hosts, any future plans?


Not yet, it might be driven by contributions :)

Note that the bandwidth limit enforced by mod_ratelimit isn't configured 
as a hard limit, but can be set as an Apache environment variable. That 
means it is very flexible. You can set it individually for VHosts or 
Locations/Diroetories or even using mod_rewrite depending on request 
attributes.


Disclaimer: Haven't used it yet myself, just judging from looking at the 
code and docs.


Regards,

Rainer

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Make error, apache 2.4.1

[Rainer Jung]

On 23.02.2012 16:11, Zaxy wrote:

Hi,

first time posting here.

Before I go to my problem, let me just clarify that I did everything
in my power to solve it before writing here.

The problem is as follows:

After a successful ./configure --prefix=/usr/local/apache2.4.1
the "make" command exits with an error.

Making all in srclib
make[1]: Entering directory `/usr/local/src/httpd-2.4.1/srclib'
Makefile:49: *** missing separator. Stop.
make[1]: Leaving directory `/usr/local/src/httpd-2.4.1/srclib'
make: *** [all-recursive] Error 1

49th line of srclib/Makefile:

@INCLUDE_RULES@

The system is Ubuntu 11.04 32-bit.

I would really appreciate any ideas. If I need to post more
information, I will do so gladly.


The line you quoted is expected in a Makefile coming from the apr 
library (or apr-util). Such a Makefile is not expected in srclib, but 
insteadf in srclib/apr resp. srclib/apr-util.


So if you tell us how you try to build, we might be able to guide you.

- Where is your apr and apr-util? If you added it to srclib, how exactly 
did you do that?


- is the above configure command complete, ie.e. you didn't give 
additional flags like telling configure where your apr is?


- if the line is complete, do your have the approprite apr and apr-util 
versions installed in your system default library location?


- did configure complain about anything (and you tried to call "make" 
nevertheless) - rephrased: is there a way you can post your configure 
output?


...

Regards,

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Make error, apache 2.4.1

[Rainer Jung]

On 23.02.2012 18:46, Zaxy wrote:

On 23.02.2012 16:11, Zaxy wrote:

Hi,

first time posting here.

Before I go to my problem, let me just clarify that I did everything
in my power to solve it before writing here.

The problem is as follows:

After a successful ./configure --prefix=/usr/local/apache2.4.1
the "make" command exits with an error.

Making all in srclib
make[1]: Entering directory `/usr/local/src/httpd-2.4.1/srclib'
Makefile:49: *** missing separator. Stop.
make[1]: Leaving directory `/usr/local/src/httpd-2.4.1/srclib'
make: *** [all-recursive] Error 1

49th line of srclib/Makefile:

@INCLUDE_RULES@

The system is Ubuntu 11.04 32-bit.

I would really appreciate any ideas. If I need to post more
information, I will do so gladly.


The line you quoted is expected in a Makefile coming from the apr
library (or apr-util). Such a Makefile is not expected in srclib, but
insteadf in srclib/apr resp. srclib/apr-util.

So if you tell us how you try to build, we might be able to guide you.

- Where is your apr and apr-util? If you added it to srclib, how
exactly did you do that?


They are both in srclib located in srclib/apr and srclib/apr-util.


Good


Basically I downloaded them from apr.apache.org, extracted, copied into
srclib, then renamed to apr/apr-util to remove the versions.


Correct


I double checked that files are actually in the srclib/apr/ directory,
not in the srclib/apr/apr-1.6.4 dir or something else.


OK


- is the above configure command complete, ie.e. you didn't give
additional flags like telling configure where your apr is?


I tried with --with-included-apr flag but got this make error. Then I
thought I'd try without the flag and got the same result.


OK, --with-included-apr should be safer, but from what you write that's 
not related to the root cause of your problem.



- if the line is complete, do your have the approprite apr and
apr-util versions installed in your system default library location?


To be honest, I have no idea how to install it. So my guess would be
that I don't.


The configure output shows that you are successfully configuring against 
the one provided in srclib.



- did configure complain about anything (and you tried to call "make"
nevertheless) - rephrased: is there a way you can post your configure
output?


I didn't notice any errors in configure. The whole configure output can
be found here: http://pastebin.com/3t1BrsvH


Output looks good!

So back to the original error message ..


Making all in srclib
make[1]: Entering directory `/usr/local/src/httpd-2.4.1/srclib'
Makefile:49: *** missing separator.  Stop.
make[1]: Leaving directory `/usr/local/src/httpd-2.4.1/srclib'
make: *** [all-recursive] Error 1

49th line of srclib/Makefile:

@INCLUDE_RULES@


Directly in srclib there should be a file named Makefile.in and with the 
contents:



BUILD_SUBDIRS = $(AP_BUILD_SRCLIB_DIRS)
CLEAN_SUBDIRS = $(AP_CLEAN_SRCLIB_DIRS)

include $(top_builddir)/build/rules.mk

Correct? This file comes directly from expanding the httpd source download.

Then configure should add another file named Makefile with the content:

top_srcdir   = /usr/local/src/httpd-2.4.1
top_builddir = /usr/local/src/httpd-2.4.1
srcdir   = /usr/local/src/httpd-2.4.1/srclib
builddir = /usr/local/src/httpd-2.4.1/srclib
VPATH= /usr/local/src/httpd-2.4.1/srclib

BUILD_SUBDIRS = $(AP_BUILD_SRCLIB_DIRS)
CLEAN_SUBDIRS = $(AP_CLEAN_SRCLIB_DIRS)

include $(top_builddir)/build/rules.mk

As you write, your srclib/Makefile is different. Correct? Can you please 
post the full srclib/Makefile?


Apart from Makefile, Makefile.in and the two directories apr and 
apr-util, there is an additional directory .deps and nothing else in 
srclib, correct?


Next: the file srclib/Makefile is generated from srclib/Makefile.in 
using the script build/fastgen.sh.


It could be something is wrong when running this script, but note that 
this script hasn't changed since the days of Apache 2.0 so is very stable.


Let us first check until here, and if we do not find anything new, we'll 
proceed with how the file srclib/Makefile is generated from 
srclib/Makefile.in.


Regards,

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Make error, apache 2.4.1

[Rainer Jung]

On 24.02.2012 11:45, Zaxy wrote:

On 23.2.2012 19:33, Rainer Jung wrote:

On 23.02.2012 18:46, Zaxy wrote:

On 23.02.2012 16:11, Zaxy wrote:

As you write, your srclib/Makefile is different. Correct? Can you
please post the full srclib/Makefile?

Apart from Makefile, Makefile.in and the two directories apr and
apr-util, there is an additional directory .deps and nothing else in
srclib, correct?


As it turns out, this was not correct. Which got me thinking. So instead
of "make clean" I reproduced my steps from the beginning.

It seems that I mistakenly copied some apr files into the srclib and
(possibly later) copied it also properly into the apr/apr-util.

Which in turn made me think I did it correctly when in fact I did not.

Now make works perfectly!

I'm very sorry if I wasted your time and very grateful for your replies.

Thank you again. :)


No problem, everything is very fresh, and even the result "Sorry I was 
wrong myself" is helping in growing confidence that what we delivered 
does not only work on our test systems, but for our huge user community 
as well.


Have fun!

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Stable Version of Httpd

[Rainer Jung]

On 28.02.2012 07:23, Harsimranjit singh Kler wrote:

Hi
Thanks for reply
i have these setting for build::

Server version: Apache/2.2.17 (Unix)

Server built:Apr 19 2011 21:11:59

Server's Module Magic Number: 20051115:25

Server loaded:APR 1.4.2, APR-Util 1.3.10

Compiled using: APR 1.4.2, APR-Util 1.3.10

Architecture:64-bit

Server MPM:Worker

threaded:yes (fixed thread count)

forked:yes (variable process count


1)i am using worker mpm and had done lot performance  tests to set
parameters like start server,ServerLimit  ,MaxClients  etc.So now i can
use same parameter values or again i have to go through that tests for
values?


You can and 2.4 will happily run with the known worker MPM, but the new 
default MPM is caled "event" and will need new tuning. Some of the 
parameter names (like MaxClients) are deprecated now, because their 
names are missleading, but they still will work.



2)I have plan to use SSL as well so all required ssl libs are available
and compatible?


mod_ssl will now only support OpenSSL (I think starting at 0.9.7, but is 
also fine with 0.9.8 and 1.0.0 and likely also 1.0.1 beta).



3) Using modjk any change for that?


I added two small fixes to mod_jk for use with 2.4 to the current code, 
but those are not yet released. A release should not be far away, but 
you can also use the latest version and apply the following two patches 
yourself:


http://svn.apache.org/viewvc?diff_format=h&view=revision&revision=1022975

(the real patch is:

http://svn.apache.org/viewvc/tomcat/jk/trunk/native/apache-2.0/mod_jk.c?r1=1022975&r2=1022974&pathrev=1022975&view=patch
)

and

http://svn.apache.org/viewvc?diff_format=h&view=revision&revision=1293818

(the real patch is:

http://svn.apache.org/viewvc/tomcat/jk/trunk/native/apache-2.0/mod_jk.c?r1=1293818&r2=1293817&pathrev=1293818&view=patch
)

Regards,

Rainer



-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] apache 2.4.1, regression, caching forward proxy configuration

[Rainer Jung]

On 01.03.2012 17:19, Juergen Daubert wrote:

On Thu, Mar 01, 2012 at 03:38:10PM +, Nick Kew wrote:

On Thu, 1 Mar 2012 12:34:22 +0100
Juergen Daubert  wrote:


Any ideas or suggestions?


Set Loglevel to debug, or if necessary high-level trace,
for the relevant modules.


Thanks for the hint but I've tried that already, with no result.

Even with a

LogLevel cache:trace8
LogLevel cache_disk:trace8

there's nothing in the logfile. To verify the syntax I've done the
same for the proxy module with proxy:trace8 which works, meaning a
lot of traces in the logfile.

The strange thing is that everything works with apache 2.2.x, so
my guess is that there are either new but undocumented configuration
switches or we have a regression in 2.4.1.
BTW, I've found another report for probably the same issue, see [1].



[1] http://article.gmane.org/gmane.comp.apache.user/98771


Could it be some VHost config merging thing? Cache defined in the main 
server, but requests handled in some VHost? I don't have much experience 
with mod_cache, but I vaguely remember some VHost config support being 
added or improved in 2.4.


Double check, that your rquests are actually handled by the global 
server and if not, copy or moce the cache config to the correct VHost 
and retest.


HTH

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache 2.4.1 third party dependencies

[Rainer Jung]

On 02.03.2012 23:28, Andy Wang wrote:

I've been following the various changes with Apache 2.4.x (and 2.3.x
during development regarding the removal of apr/apr-util and pcre from
the Apache source bundle and noted that:
http://httpd.apache.org/docs/2.4/install.html

says nothing about PCRE as a requirement, but the default configure
options look for pcre and blow up if it can't find it.

I see in Makefile.win that srclib\pcre will be processed for the Windows
build but there's no facility to handle that outside of the Windows builds.

I take it there's no alternative to building PCRE as an external dependency?

I have to build and bundle Apache on enough platforms that don't have
pcre available by default that I was hoping there would be some way to
just extract the source into the old srclib location had have it handle
the build for me like I can with apr/apr-util.


No there isn't. AFAIR on Windows modern PCRE supports building with cmake.

Regards,

Rainer


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] getting the svn revision number out of tree.

[Rainer Jung]

On 04.03.2012 08:42, Michael Felt wrote:

Hi,

When checking out a tree the last line is a "revision number" that has
been checked out. Is there a simple way to get that revision number
using a script similar to
the build/pkg/pkginfo script in the httpd distributions?


Parse the output of

svn info /path/to/your/working/copy

or if you want to get the revision of the original repository tree:

svn info URL-of-repos-tree

There's the nice http://svnbook.red-bean.com/ ...

Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Stable Version of Httpd

[Rainer Jung]

On 06.03.2012 06:42, Harsimranjit singh Kler wrote:

Is 2.4.1 is compatible with OpenSSL 1.0.0.?


Yes.

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: Disappearing requests / tuning event MPM, 2.2.22

[Rainer Jung]

On 06.03.2012 18:26, Tom Evans wrote:

On Tue, Mar 6, 2012 at 1:44 PM, Tom Evans  wrote:

On Tue, Mar 6, 2012 at 1:01 PM, Tom Evans  wrote:

So, we've been trying to track disappearing requests. We see lots of
requests that go via the CDN to reach our data centre failing with
error code 503. This error message is produced by the CDN, and the
request is not logged in either of the FEPs.

We've been trying to track what happens with tcpdump running at SQUID
and at FW. At SQUID, we see a POST request for a resource, followed by
a long wait, and then a 503 generated by the CDN. Interestingly, 95%
of the failing requests are POST requests.

Tracking that at FW, we see the request coming in, and no reply from
the FEP. The connection is a keep-alive connection, and had just
completed a similar request 4 seconds previously, to which we returned
a 200 and data. This (failing) request is made on the same connection,
we reply with an ACK, then no data for 47 seconds (same wait as seen
by squid), and finally the connection is closed with a FIN.



Sorry, one final thing - we can see these hanging connections on the FEP:

netstat -an | head -n 2 ; netstat -an | fgrep EST | fgrep -v  "tcp4   0"

This shows the established sockets with unread recv-q. Obviously not
every socket shown is hanging; but by observing it over an extended
(10s) period, you can quickly see connections whose recv-q is not
drained.



A final follow up for today. We have dramatically* improved the error
rates by tuning the event MPM, so that child processes were not being
constantly reaped and re-spawned.

In brief, we massively increased MaxSpareThreads, so that it wouldn't
start reaping until more than 75% of potential workers (MaxClients)
are idle. We're now running:

StartServers 8
MaxClients 1024
MinSpareThreads 128
MaxSpareThreads 768
ThreadsPerChild 64

We now are not seeing apache children getting reaped or re-spawned
(good!) and we're also not seeing any hanging established connections
with unread recv-q, nor any failures from our squid proxy (good!). I
don't think we've solved anything though, I think we have just
engineered a sweet spot where the problems do not occur (not good!).

Our tentative hypothesis for what is happening is this. Apache notices
that there are too many idle workers, and decides to shutdown one of
the processes.
It marks that process as shutting down, and no new requests are
allocated to workers from that process.
Meanwhile, a keep-alive socket which is allocated to that child
process comes alive again, and a new request is pushed down it.
Apache never bothers to read the request, as the child is marked as
shutting down.
Once the child does finish all outstanding requests, the child does
indeed shut down, and the OS sends a FIN packet to shut down the
unread socket.

Does this sound remotely possible? I would really appreciate some
advice/insight here.


Yes it reminds me of a similar observation using event on 2.2 about 1-2 
years ago. When Apache needed to recycle a process due to either spare 
thread checking, max requests per child or just a graceful restart, the 
event MPM handled existing keep alive connections more unfriendly than 
other MPMs. The expectation though was that an HTTP client using 
Keep-Alive should be able to resend a failed request on another 
connection, because race conditions can not be avoided with HTTP keep 
alive (it is always possible, that the server closes the connection and 
in parallel the client started to send the next request). It's just that 
event seems to show that behaviour more often than other MPMs.


I did not yet check, whether the overhauled event MPM in 2.4 handles 
this better.


Originally I was able to reproduce this behaviour by:

- setting MaxRequestsPerChild to triger frequent process recycling
- Increase Keep Alive count and timeout to allow longer than usual keep 
alive usage

- Adding the process PID to the AccessLog LogFormat (%P)
- Adding the keep alive count of a connection to the AccessLog LogFormat
- (I think) adding the client connection port to the AccessLog LogFormat
- adding some log statements to ab.c, which shows local port number when 
sending a request on an established connection fails


It could be seen, that connections were exactly failing when processes 
were stopped and that the connections were the one that did not 
completely exhaust there allowed keep alive count.


If you can easily reproduce the problem and have a test environment, it 
would be very interesting whether 2.4 behaves better.


Adjusting min and max spare (increasing the difference between the two) 
threads to reduce creation and destruction of processes is a good 
optimization nevertheless.


Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Serving pre-compressed static content using httpd 2.2.x

[Rainer Jung]

Hi Chris,

On 28.03.2012 23:10, Christopher Schultz wrote:

All,

Replying to see if I can get a response. Anyone?

Thanks,
-chris

On 3/22/12 3:10 PM, Christopher Schultz wrote:

...


If I don't use content-negotiation, I can use mod_rewrite to fake it:
it's a lot easier to just look for Accept-Encoding and then do an
internal redirect to a pre-compressed file, especially since there's no
issues with language or other Accept-* headers confusing things.



This is great because the original file can sit there on the disk and I
can provide compressed versions of it to clients who can deal with it.
No changing URIs or anything like that.

Only problem is that setting the Content-Encoding header doesn't appear
to be working. When set unconditionally, it works, but when attempting
to use the "gz" environment variable, Content-Encoding doesn't seem to
be set.


I'd start debugging this detail problem. I'm pretty sure I got this 
working at least twice. using Apache 2.2.not_too_old.


So first check, whether the "gz" environment variable is actually set. 
For this add %{gz}e (and %{Content-Encoding}o) to your LogFormat. Also 
add a RewriteLog with a high RewriteLogLevel.


Note that I personally didn't use the rules inside a Directory block. I 
also prefer to add the .gz file suffix in front of the originsal suffix, 
so e.g. .gz.css instead of .css.gz, because that way Apache will 
automatically set the Content-Type header correct using the suffix list 
in the mime types file.


Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] SSLCipherSuite

[Rainer Jung]

On 20.06.2012 22:44, Vivek Nambiar wrote:

A quick question .

When I define the SSLCipherSuite ,would there be a difference in the
syntax according to the OS like windows and Unix? If yes please let me
know the difference in syntax.


No OS dependency. The allowed values depend a bit on the OpenSSL version 
that sits underneath your mod_ssl.


Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Solaris 11 compile/configure problems with httpd 2.2.22 and 2.4.2

[Rainer Jung]

On 23.06.2012 04:32, Jerry K wrote:

I am experiencing problems with the configure script in attempting to
compile, and actually just running the ./configure script on (2)
different Solaris 11 Sparc based systems.

Systems - T5120 w/32 Gb ram and ample disk space
   T2000 w/16 Gb ram and also ample disk space

Both systems are new/fresh/recent Solaris 11 installs.
I have compiled a multitude of other open source software under Solaris
11, and I am confident in my C compiler (GCC 4.5.2 as supplied by
Oracle/Solaris 11).

==
bash-4.1# which gcc
/bin/gcc

bash-4.1# gcc -v

Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/gcc/4.5/lib/gcc/sparc-sun-solaris2.11/4.5.2/lto-wrapper
Target: sparc-sun-solaris2.11
Configured with:
/export/home/hudson/workspace/nightly/build/sparc/components/gcc45/gcc-4.5.2/configure
CC=/ws/onnv-tools/SUNWspro/sunstudio12.1/bin/cc
CXX=/ws/onnv-tools/SUNWspro/sunstudio12.1/bin/CC --prefix=/usr/gcc/4.5
--mandir=/usr/gcc/4.5/share/man --bindir=/usr/gcc/4.5/bin
--libdir=/usr/gcc/4.5/lib --sbindir=/usr/gcc/4.5/sbin
--enable-languages=c,c++,fortran,objc --enable-shared
--with-gmp-include=/usr/include/gmp
--with-mpfr-include=/usr/include/mpfr --prefix=/usr/gcc/4.5
--mandir=/usr/gcc/4.5/share/man --infodir=/usr/gcc/4.5/share/info
--libexecdir=/usr/gcc/4.5/lib CFLAGS='-g -O2 '
Thread model: posix
gcc version 4.5.2 (GCC)
bash-4.1#
==

I am failing at the same place, both with Apache httpd 2.2.22 and 2.4.2.

It should go without saying that I successfully compiled and installed
apr and apr-util prior to attempting the 2.4.2 compile.


This is what my ./configure output looks like for httpd-2.2.22.  It is
identical on both systems.  I get similar, if not identical, output for
httpd 2.4.2.

bash-4.1# pwd

/usr/local/src/h/httpd-2.2.22

bash-4.1# ./configure

checking for chosen layout... Apache
checking for working mkdir -p... yes
checking build system type... sparc-sun-solaris2.11
checking host system type... sparc-sun-solaris2.11
checking target system type... sparc-sun-solaris2.11

Configuring Apache Portable Runtime library ...

checking for APR... yes
   setting CPP to "cc -E"
   setting CFLAGS to " "
   setting CPPFLAGS to " -DSOLARIS2=11 -D_POSIX_PTHREAD_SEMANTICS -mt
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
   setting LDFLAGS to " "

Configuring Apache Portable Runtime Utility library...

checking for APR-util... yes
checking for gcc... gcc
checking for C compiler default output file name...
configure: error: in `/usr/local/src/h/httpd-2.2.22':
configure: error: C compiler cannot create executables
See `config.log' for more details.

bash-4.1#

==

I am not sure what the correct procedure is for sharing the config.log
file.  Rather that making this email longer that it already is or adding
it to this email as an attachment, I placed it here:

http://www.oryx.cc/config.log

TIA for any positive comments or suggestions.


I'd say the first problematic output line is:

configure:4764: gcc-DSOLARIS2=11 -D_POSIX_PTHREAD_SEMANTICS -mt 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64   conftest.c  >&5

cc1: error: unrecognized command line option "-mt"

The flag "-mt" is valid for your bootstrap compiler, ie. the Sun 
Workshop compiler, but not for gcc. It seems you have it somewhere set 
in CFLAGS, CPPFLAGS or LDFLAGS.


Regards,

Rainer



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache 2.4.2 compilation problem on CentOS 5.7

[Rainer Jung]

On 23.06.2012 07:23, linuxsupport wrote:

Hi All,

I am trying to install Apache 2.4.2 on CentOS 5.7 but configure script
is failing as below

./configure --prefix=/usr/local/apache --enable-mpms-shared=all
--enable-suexec --with-suexec --with-suexec-caller=apache
--with-suexec-docroot=/var/www --with-suexec-uidmin=500
--with-suexec-gidmin=100 --enable-pie --enable-mods-shared=all
--enable-ssl --with-ssl --enable-socache-dc --enable-bucketeer
--enable-case-filter --enable-case-filter-in --disable-imagemap
--build=x86_64-redhat-linux-gnu --host=x86_64
--target=x86_64-redhat-linux-gnu --with-apr=/usr/local/apr
--with-apr-util=/usr/local/apr-util --with-pcre=/usr


Why are you setting:

--build=x86_64-redhat-linux-gnu --host=x86_64 
--target=x86_64-redhat-linux-gnu


Shouldn't the right values be detected by config.guess which is run by 
configure. I'd remove those hard set values.



checking for chosen layout... Apache
checking for working mkdir -p... yes
checking for egrep... grep -E
checking build system type... x86_64-redhat-linux-gnu
checking host system type... x86_64-pc-none
checking target system type... x86_64-redhat-linux-gnu
.

checking for getgrnam... yes
checking for initgroups... yes
checking for bindprocessor... no
checking for prctl... yes
checking for timegm... yes
checking for getpgid... yes
checking for fopen64... yes
checking for void pointer length... yes
configure: error: Size of "void *" is less than size of "long"


gcc version 4.1.2 20080704 (Red Hat 4.1.2-52)
Apr version 1.4.6
Apr Util version 1.4.1
config.log is attached


The configure line numbers in config.log and the given autoconf version 
are not the ones contained in the original 2.4.2 configure script. It 
seems you or someone else recreated the configure script using other 
versions of the auto tools. I'd use an original source tarball coming 
from the ASF and remove the above mentioned configure flags.


Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Solaris 11 compile/configure problems with httpd 2.2.22 and 2.4.2

[Rainer Jung]

On 23.06.2012 22:56, Rainer Jung wrote:

On 23.06.2012 04:32, Jerry K wrote:

I am experiencing problems with the configure script in attempting to
compile, and actually just running the ./configure script on (2)
different Solaris 11 Sparc based systems.

Systems - T5120 w/32 Gb ram and ample disk space
   T2000 w/16 Gb ram and also ample disk space

Both systems are new/fresh/recent Solaris 11 installs.
I have compiled a multitude of other open source software under Solaris
11, and I am confident in my C compiler (GCC 4.5.2 as supplied by
Oracle/Solaris 11).

==
bash-4.1# which gcc
/bin/gcc

bash-4.1# gcc -v

Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/gcc/4.5/lib/gcc/sparc-sun-solaris2.11/4.5.2/lto-wrapper

Target: sparc-sun-solaris2.11
Configured with:
/export/home/hudson/workspace/nightly/build/sparc/components/gcc45/gcc-4.5.2/configure

CC=/ws/onnv-tools/SUNWspro/sunstudio12.1/bin/cc
CXX=/ws/onnv-tools/SUNWspro/sunstudio12.1/bin/CC --prefix=/usr/gcc/4.5
--mandir=/usr/gcc/4.5/share/man --bindir=/usr/gcc/4.5/bin
--libdir=/usr/gcc/4.5/lib --sbindir=/usr/gcc/4.5/sbin
--enable-languages=c,c++,fortran,objc --enable-shared
--with-gmp-include=/usr/include/gmp
--with-mpfr-include=/usr/include/mpfr --prefix=/usr/gcc/4.5
--mandir=/usr/gcc/4.5/share/man --infodir=/usr/gcc/4.5/share/info
--libexecdir=/usr/gcc/4.5/lib CFLAGS='-g -O2 '
Thread model: posix
gcc version 4.5.2 (GCC)
bash-4.1#
==

I am failing at the same place, both with Apache httpd 2.2.22 and 2.4.2.

It should go without saying that I successfully compiled and installed
apr and apr-util prior to attempting the 2.4.2 compile.


This is what my ./configure output looks like for httpd-2.2.22.  It is
identical on both systems.  I get similar, if not identical, output for
httpd 2.4.2.

bash-4.1# pwd

/usr/local/src/h/httpd-2.2.22

bash-4.1# ./configure

checking for chosen layout... Apache
checking for working mkdir -p... yes
checking build system type... sparc-sun-solaris2.11
checking host system type... sparc-sun-solaris2.11
checking target system type... sparc-sun-solaris2.11

Configuring Apache Portable Runtime library ...

checking for APR... yes
   setting CPP to "cc -E"
   setting CFLAGS to " "
   setting CPPFLAGS to " -DSOLARIS2=11 -D_POSIX_PTHREAD_SEMANTICS -mt
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
   setting LDFLAGS to " "

Configuring Apache Portable Runtime Utility library...

checking for APR-util... yes
checking for gcc... gcc
checking for C compiler default output file name...
configure: error: in `/usr/local/src/h/httpd-2.2.22':
configure: error: C compiler cannot create executables
See `config.log' for more details.

bash-4.1#

==

I am not sure what the correct procedure is for sharing the config.log
file.  Rather that making this email longer that it already is or adding
it to this email as an attachment, I placed it here:

http://www.oryx.cc/config.log

TIA for any positive comments or suggestions.


I'd say the first problematic output line is:

configure:4764: gcc-DSOLARIS2=11 -D_POSIX_PTHREAD_SEMANTICS -mt
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64   conftest.c  >&5
cc1: error: unrecognized command line option "-mt"

The flag "-mt" is valid for your bootstrap compiler, ie. the Sun
Workshop compiler, but not for gcc. It seems you have it somewhere set
in CFLAGS, CPPFLAGS or LDFLAGS.


Note also, that you have

CC='gcc'

but

CPP='cc -E'
CPPFLAGS=' -DSOLARIS2=11 -D_POSIX_PTHREAD_SEMANTICS -mt 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'


So you are using Sun Workshop Compiler as preprocessor, but gcc as 
compiler. Mixing tools from cc and gcc will likely not work.


In addition you gcc seems to be in /usr/gcc/4.5, but your path contains:

PATH: /sbin
PATH: /usr/sbin
PATH: /usr/local/bin
PATH: /usr/dt/bin
PATH: /bin
PATH: /usr/bin
PATH: /usr/sfw/bin
PATH: /usr/local/sbin
PATH: /usr/openwin/bin
PATH: /usr/ccs/bin
PATH: /usr/local/scripts

so configure should not even find gcc, except you moved it into one of 
those directories.


Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Still showing 2.3.16, etc. as the latest release.

[Rainer Jung]

On 24.07.2012 18:17, Michael Felt wrote:

FYI: I navigated from the page: http://http://projects.apache.org/ ,
clicked on Alaphabetical, clicked on H, clicked on "Apache HTTP Server"
and see (on http://projects.apache.org/projects/http_server.html)

Most recent releases:
Release Version Date
Recommended current 2.2 release 2.2.22 2012-01-31
Development 2.3 beta release 2.3.16-beta 2011-12-20
Legacy 2.0 release 2.0.64 2010-10-19

I am sure there is a better place to be, but just thought what seems to
be a default path is giving outdated info.


Thanks for the heads up. Fixed by Eric Covener.

Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Intermittent mod_proxy_ajp error - APR does not understand this error code: proxy: dialog

[Rainer Jung]

On 23.07.2012 20:36, Carlucci, Tony wrote:

Hello, I’ve been trying to track down an intermittent problem with a
Java web application that is running on tcServer fronted by Apache HTTP
Server.We get intermittent “Server Unavailable / HTTP 500” errors,
and when we do see them, there is the same set of log statements written
to the Apache HTTP Server error log:

[Mon Jul 23 10:03:15 2012] [error] (70014)End of file found:
ajp_ilink_receive() can't receive header

[Mon Jul 23 10:03:15 2012] [error] ajp_read_header: ajp_ilink_receive failed

[Mon Jul 23 10:03:15 2012] [error] (120006)APR does not understand this
error code: proxy: dialog to 127.0.0.1:7071 (127.0.0.1) failed

We are not seeing any error messages in the tcServer logs.

I believe the issue is with the mod_proxy_ajp module but it’s been very
difficult tracking down what exactly the problem is.   What’s
interesting is that this Apache / tcServer configuration is used with
other applications that work just fine and never have the intermittent
500 error.   We also can run our application strictly in Tomcat (no
Apache front) without any intermittent errors.

We haven’t ruled out that there could be something in our Java
application code that is causing this, in combination with the
mod_proxy_ajp module, but we have hit a wall as to what this issue could
be.  Has anyone else experienced a similar intermittent issue combined
with the above error messages?  Below is a copy of the error log and
some configuration settings.


You might want to check the following discussion thread:

   http://marc.info/?t=12390526557&r=1&w=2

To actually narrow down the cause I would:

- use ping as mentioned in the thread
- check whether the timeout you have set on the Tomcat connector is 
roughly the same as used by mod_proxy_ajp
- check whether it looks like happening mostly for the same URL, then it 
is more likely a servlet issue
- if it happens often enough sniff the traffic between Apache and Tomcat 
and then check the packet details for one of the broken requests. For 
this to work you might need to move Tomcat away from localhost.


Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to debug 70014 and 70007 errors

[Rainer Jung]

On 25.07.2012 09:52, ivan Gouin wrote:

Hi,

I've got those error in my httpd error log:

[Wed Jul 25 08:10:55 2012] [error] (70014)End of file found: proxy:
prefetch request body failed to *.*.*.*:50300 (...) from . ()
[Wed Jul 25 00:13:18 2012] [error] (70007)The timeout specified has
expired: proxy: prefetch request body failed to  to *.*.*.*:50300 (...)
from . ()


Maybe the Timeout has expired?


Those error occurs with client accessing a tomcat WS through mod_proxy .

Not all the requests are rejected for today, 416 out of 2194 got one of
these errors.

don't really know how to proceed to debug this error.
thanks for your help


Add %D to your Tomcat and Apache Access Logs. It is the response time in 
milloiseconds (Tomcat) resp. microseconds (Apache). If the number is 
e.g. slightly above 6000 for Apache and you had set a timeout of 60 
seconds, then you know the problem is that the response takes to long. 
You can then check Tomcats Access Log to see how long it actually took. 
If it really takes to long in Tomcat, then take thread dumps to analyze 
and switch to the Tomcat users mailing list.


HTH.

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] httpd v2.2.22 with openssl 1.0.1c

[Rainer Jung]

On 25.07.2012 16:31, Ruiyuan Jiang wrote:

Hi, all

Last month, I posted a problem that httpd v2.2.22 did not work with openssl v1.0.1c. For 
me, it worked with openssl v1.0.0g with the same "configure" options for httpd 
and openssl. So far I did not hear anything. I am re-post my message here and hopefully I 
can get response this time. Thanks.

# ./configure --enable-ssl=shared --enable-ssl --with-ssl=/usr/local/ssl

...
checking whether to enable mod_ssl... checking dependencies
checking for SSL/TLS toolkit base... /usr/local/ssl
   adding "-I/usr/local/ssl/include" to CPPFLAGS
   adding "-I/usr/local/ssl/include" to INCLUDES
   adding "-L/usr/local/ssl/lib" to LDFLAGS
checking for OpenSSL version... checking openssl/opensslv.h usability... yes
checking openssl/opensslv.h presence... yes
checking for openssl/opensslv.h... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
OK
   forcing SSL_LIBS to "-lssl -lcrypto  "
   adding "-lssl" to LIBS
   adding "-lcrypto" to LIBS
checking openssl/engine.h usability... yes
checking openssl/engine.h presence... yes
checking for openssl/engine.h... yes
checking for SSLeay_version... yes
checking for SSL_CTX_new... no
checking for ENGINE_init... no
checking for ENGINE_load_builtin_engines... no
checking for SSL_set_cert_store... no
configure: error: ... Error, SSL/TLS libraries were missing or unusable
[root@server httpd-2.2.22]#


Usually more detailed error infomration can be found in the file 
config.log in the build directory. The information we are looking for is 
not at the end of the file, but directly before the long list of 
variables and values that ends the file.


Especialy we are looking for the detailed error messages leading to:

> checking for SSL_CTX_new... no
> checking for ENGINE_init... no
> checking for ENGINE_load_builtin_engines... no
> checking for SSL_set_cert_store... no

Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache server returned a lots Continuation or non-HTTP traffic packages instead of full package

[Rainer Jung]

On 27.07.2012 08:11, shuoshi chen wrote:

Hi, all

I recently use apache server to provide mp3 stream for playing. The
content type is specified as audio/mpeg, and everything is ok when I use
a test server( Apache/2.2.22 (Unix)), it returned an HTTP/1.1 200
(audio/mpeg) package. But when I put my code to a VPS server, I can't
get a full package as normal. The VPS server returned a
lots Continuation or non-HTTP traffic packages. Is it because of some
wrong configuration in httpd.conf?


What is a VPS server? How is the production VPS server related to your 
test Apache server? I guess you need to give more details ...


Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to debug 70014 and 70007 errors

[Rainer Jung]

Hi Ivan,

On 03.08.2012 17:23, ivan Gouin wrote:

Here's what i see on the tcpdump:

Got a TCP connect  3-way handshake. (SYN/SYN-ACK/ACK)
Got 7 POST request who got a return code 200

After the 7 POST, got a [ FIN, ACK] from th server.
Then RST from the server

Then the 8th request who goes in time out

Is there some kind of timeout in a tcp keep alive?


Your information is a bit to short. AFAIR we have three communication 
nodes, client, proxy and origin server. In addition there was a timeout 
happening suspected.


Your info on packets doesn't contain enough about who is communicating 
("return code 200", "the server") not about the timing (what time 
intervals are between packets.


Regards,

Rainer


On 25 July 2012 11:29, ivan Gouin mailto:gouin.i...@gmail.com>> wrote:

Hi rainer,
For case 70007,  the timeout expired, in access log , i've got a 300
second timeout
In the same time, tomcat's access log haven't any trace of the
corresponding request.

For these request, response time is about 30-100ms

Apache is Apache/2.2.17
Tomcat is 6.0.26 (jdk1.6.0_24)

I'm preparing a tcpdump on each side to see if i can see something
received by tomcat .

Ivan


On 25 July 2012 11:02, Rainer Jung mailto:rainer.j...@kippdata.de>> wrote:

On 25.07.2012 09 :52, ivan Gouin wrote:

Hi,

I've got those error in my httpd error log:

[Wed Jul 25 08:10:55 2012] [error] (70014)End of file found:
proxy:
prefetch request body failed to *.*.*.*:50300 (...) from
. ()
[Wed Jul 25 00:13:18 2012] [error] (70007)The timeout
specified has
expired: proxy: prefetch request body failed to  to
*.*.*.*:50300 (...)
from . ()


Maybe the Timeout has expired?


Those error occurs with client accessing a tomcat WS through
mod_proxy .

Not all the requests are rejected for today, 416 out of 2194
got one of
these errors.

don't really know how to proceed to debug this error.
thanks for your help


Add %D to your Tomcat and Apache Access Logs. It is the response
time in milloiseconds (Tomcat) resp. microseconds (Apache). If
the number is e.g. slightly above 6000 for Apache and you
had set a timeout of 60 seconds, then you know the problem is
that the response takes to long. You can then check Tomcats
Access Log to see how long it actually took. If it really takes
to long in Tomcat, then take thread dumps to analyze and switch
to the Tomcat users mailing list.

HTH.

Rainer



--__--__-
To unsubscribe, e-mail: users-unsubscribe@httpd.__apache.org
<mailto:users-unsubscr...@httpd.apache.org>
For additional commands, e-mail: users-h...@httpd.apache.org
<mailto:users-h...@httpd.apache.org>




--
*Ivan GOUIN**
*

***Mob (Suisse**)* : +41 (0)79 94107 90

*Mail* : gouin.i...@gmail.com <mailto:gouin.i...@gmail.com>




--
*Ivan GOUIN**
*

***Mob (Suisse**)* : +41 (0)79 94107 90

*Mail* : gouin.i...@gmail.com <mailto:gouin.i...@gmail.com>


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to debug 70014 and 70007 errors

[Rainer Jung]

On 08.08.2012 16:20, ivan Gouin wrote:

Hi,

Here's more information about my issue:

Here i will call
user : the application  who post the request.
apache : the httpd server who receive request from the client and send
them to tomcat
tomcat: the web server tomcat, a Web Service application

Versions
user : Apache CXF client 2.2.9
apache: httpd 2.2.17 (tried a 2.2.22 too)
tomcat: 6.0.26 (jdk1.6.0_24)

Here's the post request send by user ( * are for anonymise)

POST /***/***/ws/v2?test HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: ""
Authorization: Basic Z3ZkMHRhb2FwcDpkbmVlc3cyYQ==
Accept: */*
User-Agent: Apache CXF 2.2.9
Content-Length: 304
Host: ***
Connection: Keep-Alive

http://schemas.xmlsoap.org/soap/envelope/";>

Start at 11:56:57
Between 11:56:57.5357 and 11:56:58:4784: 4 request pass OK

Here's the sequence after that : (Time is of tomcat seem too be a little
shifted, user and apache are on the same host)

11:56:58.4817user : POST request
*11:56:58.459722tomcatTCP55150300 > 41323 [PSH, ACK] Seq=3187 Ack=3818
Win=22400 Len=485 TSval=345704305 TSecr=749474400 (HTTP 200)*
11:56:58.491981apacheTCP55150300 > 41323 [PSH, ACK] Seq=3187 Ack=3818
Win=22400 Len=485 TSval=345704305 TSecr=749474400 (HTTP 200)
11:56:58.492251userHTTP/XML594HTTP/1.1 200 OK


Did this packet contain the full response?


*11:56:58.501457tomcatTCP6641323 > 50300 [ACK] Seq=3818 Ack=3672
Win=15872 Len=0 TSval=749474449 TSecr=345704305*
11:56:58.531503apacheTCP6641323 > 50300 [ACK] Seq=3818 Ack=3672
Win=15872 Len=0 TSval=749474449 TSecr=345704305
11:56:58.585937userTCP6045501 > 80 [ACK] Seq=2893 Ack=3948 Win=49640 Len=0


5 seconds pause


*11:57:03.492499userTCP5480 > 45501 [FIN, ACK] Seq=3948 Ack=2893
Win=16640 Len=0*


KeepAlive Timeout 5 seconds configured for Apache?


11:57:03.494663userTCP6045501 > 80 [ACK] Seq=2893 Ack=3949 Win=49640 Len=0
11:57:08.694657userTCP335[TCP segment of a reassembled PDU]
11:57:08.694703userTCP5480 > 45501 [RST] Seq=3949 Win=0 Len=0
11:57:08.694661userHTTP/XML358POST /*/*/ws/v2?test HTTP/1.1
11:57:08.694763userTCP5480 > 45501 [RST] Seq=3949 Win=0 Len=0
*11:57:18.466178tomcatTCP6650300 > 41323 [FIN, ACK] Seq=3672 Ack=3818
Win=22400 Len=0 TSval=345724311 TSecr=749474449*
11:57:18.498510apacheTCP6650300 > 41323 [FIN, ACK] Seq=3672 Ack=3818
Win=22400 Len=0 TSval=345724311 TSecr=749474449
*11:57:18.508720tomcatTCP6641323 > 50300 [ACK] Seq=3818 Ack=3673
Win=15872 Len=0 TSval=749494456 TSecr=345724311*
11:57:18.538771apacheTCP6641323 > 50300 [ACK] Seq=3818 Ack=3673
Win=15872 Len=0 TSval=749494456 TSecr=345724311

What make me mad is why apache send a FIN/ACK closing the communication??
Is there a time out somewhere?
This seems to happen about 5 second after the last ACK
Or  6 second the opening of the socket ( at 11:56:57.53)


I guess its the Keep Alive Timeout of 5 seconds configured for Apache. 
Check configuration.


This should not produce a problem in itself. A client that observes a 
closed connection when trying to send a follow on request should 
transparently start a new connection.


Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache authentication - require group AND (not OR) user

[Rainer Jung]

On 14.08.2012 23:30, Ben Johnson wrote:

Hello,

I've scoured the Internet for examples of how to implement logical
operators where the "require" directive is concerned.

The dearth of documentation and discussion regarding this subject leads
me to believe that it has not been implemented, or was implemented at
one time and then removed.

This is the most thorough discussion I can find on the subject, which
dead-ends:
http://www.mombu.com/programming/linux/t-apache-22-both-require-user-and-require-group-739013.html

My location block, which, at present, only allows one group
("programmers"), looks something like this:


AuthType Basic
AuthName "SVN Repository"
AuthBasicProvider dbm
AuthDBMType DB
AuthDBMUserFile "/var/www/apache-users"
AuthDBMGroupFile "/var/www/apache-users"
require group programmers
DAV svn
AuthzSVNAccessFile /var/www/projects/svn-access-control.cfg
SVNPath /var/www/svn/project


Ideally, I wish to do something like the following (I'm using
pseudo-code here, because it's probably easier to understand than plain
English):

if ($group === 'programmers' || ($group === 'clients && $user === 'joe')) {
  //Allow access.
}
else {
  //Deny access.
}

Is this possible? Or do I need to give-up on controlling authentication
at this level and instead focus on authorization within
"svn-access-control.cfg"?

Thanks for any help!


You might be looking for the RequireAny and RequireAll container directives:

http://httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#requireall

See also

httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#requireall

and finally the How To

http://httpd.apache.org/docs/2.4/en/howto/auth.html

Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org