httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: [PATCH] add ListenBacklog
Date Tue, 10 Jun 1997 10:08:51 GMT
Does this really need to be a run-time parameter? Couldn't conf.h
set it correctly or at least have it a compile-time change?

I like the idea of having it changeable, but _another_ "variable"
for httpd.conf??

Marc Slemko wrote:
> 
> It is bogus to hardcode the backlog passed to the listen(2) directive.
> The easy way out would be a define in httpd.h, but I like adding a
> directive.  This is very useful (and I would have found it handy) in cases
> where a server is being SYN flooded.
> 
> Most kernels include the unacked fake SYNs in the backlog, which means
> that it can be necessary to boost it very high to avoid an artificially low
> limit on the queue of incomplete connections.  512 is too low under many
> kernels when under a full SYN attack, but boosting it to 2k or 4k can work
> well; again, depending on the kernel.
> 
> Now, some systems don't put the SYNs in that queue (BSD/OS, I think; they
> use a separate minimal-state table for SYNs that isn't counted against the
> backlog) but many do...
> 
> I also decided to change the 512 default to 511 for those broken Linux
> systems.
> 
> Global server variables are yucky, but I think it is bogus to do this in
> a per-server config.  SendBufferSize and a number of others are, IMHO,
> bogusly using per-server server_rec variables.  Am I misunderstanding
> something?
> 
> Oh, and there is a PR somewhere that mentions this too...
> 
> Index: htdocs/manual/mod/core.html
> ===================================================================
> RCS file: /export/home/cvs/apache/htdocs/manual/mod/core.html,v
> retrieving revision 1.57
> diff -c -r1.57 core.html
> *** core.html	1997/06/10 00:28:33	1.57
> --- core.html	1997/06/10 03:55:52
> ***************
> *** 43,48 ****
> --- 43,49 ----
>   <li><A HREF="#keepalivetimeout">KeepAliveTimeout</A>
>   <li><A HREF="#limit">&lt;Limit&gt;</A>
>   <li><A HREF="#listen">Listen</A>
> + <li><A HREF="#listenbacklog">ListenBacklog</A>
>   <li><A HREF="#location">&lt;Location&gt;</A>
>   <li><A HREF="#maxclients">MaxClients</A>
>   <li><A HREF="#maxkeepaliverequests">MaxKeepAliveRequests</a>
> ***************
> *** 657,662 ****
> --- 658,676 ----
>   <strong>See Also:</strong>
>   <a href="../misc/known_bugs.html#listenbug">Known Bugs</a></p>
>   <hr>
> + 
> + <A NAME="listenbacklog"<H2>ListenBacklog</H2></A>
> + <strong>Syntax:</strong> ListenBacklog <em>backlog</em><br>
> + <strong>Default:</strong> <code>ListenBacklog 511</code><br>
> + <strong>Context:</strong> server config<br>
> + <strong>Status:</strong> Core<br>
> + <strong>Compatibility:</strong> ListenBacklog is only available in Apache
> + versions after 1.2.0.<p>
> + 
> + The maximum length of the queue of pending connections.  Generally no
> + tuning is needed or desired, however on some systems it is desirable
> + to increase this when under a TCP SYN flood attack.  See 
> + the backlog parameter to the <code>listen(2)</code> system call.
>   
>   <A name="limit"><h2>&lt;Limit&gt; directive</h2></A>
>   <!--%plaintext &lt;?INDEX {\tt Limit} section directive&gt; -->
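Review bot: the anchor on the new heading is malformed: `<A NAME="listenbacklog"<H2>ListenBacklog</H2></A>` is missing the `>` that closes the opening `<A ...>` tag, so browsers will not create the target that the two new `#listenbacklog` links point at. Write it as `<A NAME="listenbacklog"><H2>ListenBacklog</H2></A>`, matching the `<A name="limit"><h2>...</h2></A>` form used just below. The Compatibility line could also mention that the directive is rejected inside `<VirtualHost>`, since the handler in http_core.c returns an error there.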
> Index: htdocs/manual/mod/directives.html
> ===================================================================
> RCS file: /export/home/cvs/apache/htdocs/manual/mod/directives.html,v
> retrieving revision 1.20
> diff -c -r1.20 directives.html
> *** directives.html	1997/06/04 16:14:14	1.20
> --- directives.html	1997/06/10 03:55:52
> ***************
> *** 103,108 ****
> --- 103,109 ----
>   <li><A HREF="mod_negotiation.html#languagepriority">LanguagePriority</A>
>   <li><A HREF="core.html#limit">&lt;Limit&gt;</A>
>   <li><A HREF="core.html#listen">Listen</A>
> + <li><A HREF="core.html#listenbacklog">ListenBacklog</A>
>   <li><A HREF="mod_dld.html#loadfile">LoadFile</A>
>   <li><A HREF="mod_dld.html#loadmodule">LoadModule</A>
>   <li><A HREF="core.html#location">&lt;Location&gt;</A>
> Index: src/http_conf_globals.h
> ===================================================================
> RCS file: /export/home/cvs/apache/src/http_conf_globals.h,v
> retrieving revision 1.9
> diff -c -r1.9 http_conf_globals.h
> *** http_conf_globals.h	1997/01/01 18:10:16	1.9
> --- http_conf_globals.h	1997/06/10 03:55:55
> ***************
> *** 69,74 ****
> --- 69,75 ----
>   extern int daemons_max_free;
>   extern int daemons_limit;
>   extern int suexec_enabled;
> + extern int listenbacklog;
>   
>   extern char *pid_fname;
>   extern char *scoreboard_fname;
> Index: src/http_config.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/http_config.c,v
> retrieving revision 1.49
> diff -c -r1.49 http_config.c
> *** http_config.c	1997/05/15 23:39:20	1.49
> --- http_config.c	1997/06/10 03:55:57
> ***************
> *** 1043,1048 ****
> --- 1043,1049 ----
>       max_requests_per_child = DEFAULT_MAX_REQUESTS_PER_CHILD;
>       bind_address.s_addr = htonl(INADDR_ANY);
>       listeners = NULL;
> +     listenbacklog = DEFAULT_LISTENBACKLOG;
>   }
>   
>   server_rec *init_server_config(pool *p)
> Index: src/http_core.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/http_core.c,v
> retrieving revision 1.82
> diff -c -r1.82 http_core.c
> *** http_core.c	1997/06/10 00:28:31	1.82
> --- http_core.c	1997/06/10 03:56:00
> ***************
> *** 1145,1150 ****
> --- 1145,1161 ----
>       return NULL;
>   }
>   
> + const char *set_listenbacklog (cmd_parms *cmd, void *dummy, char *arg) {
> +     int b;
> + 
> +     if (cmd->server->is_virtual) 
> +         return "ListenBacklog not allowed in <VirtualHost>";
> +     b = atoi (arg);
> +     if (b < 1) return "ListenBacklog must be > 0";
> +     listenbacklog = b;
> +     return NULL;
> + }
> + 
>   /* Note --- ErrorDocument will now work from .htaccess files.  
>    * The AllowOverride of Fileinfo allows webmasters to turn it off
>    */
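Review bot: `atoi(arg)` silently accepts trailing garbage and returns 0 for non-numeric input, so `ListenBacklog 5l2` is parsed as 5 and sails past the `b < 1` check. Use `strtol` with an end-pointer check and reject anything that is not a plain decimal integer. There is also no upper bound: given the httpd.h comment that some systems keep the backlog in an 8-bit field, a value of 256 or more wraps there (512 becomes 0), so at least a warning when `b > 255` would stop a well-meant `ListenBacklog 2048` from leaving such a system with no queue at all.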
> ***************
> *** 1258,1263 ****
> --- 1269,1275 ----
>   { "AddModule", add_module_command, NULL, RSRC_CONF, ITERATE,
>     "the name of a module" },
>   { "ClearModuleList", clear_module_list_command, NULL, RSRC_CONF, NO_ARGS, NULL },
> + { "ListenBacklog", set_listenbacklog, NULL, RSRC_CONF, TAKE1, "maximum length of the
queue of pending connections, as used by listen(2)" },
>   { NULL },
>   };
>   
> Index: src/http_main.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/http_main.c,v
> retrieving revision 1.149
> diff -c -r1.149 http_main.c
> *** http_main.c	1997/05/29 04:50:27	1.149
> --- http_main.c	1997/06/10 03:56:06
> ***************
> *** 147,152 ****
> --- 147,153 ----
>   int daemons_limit;
>   time_t restart_time;
>   int suexec_enabled = 0;
> + int listenbacklog;
>   
>   char server_root[MAX_STRING_LEN];
>   char server_confname[MAX_STRING_LEN];
> ***************
> *** 2049,2055 ****
>   #ifdef MPE
>       if (ntohs(server->sin_port) < 1024) GETUSERMODE();
>   #endif
> !     listen(s, 512);
>       return s;
>   }
>   
> --- 2050,2056 ----
>   #ifdef MPE
>       if (ntohs(server->sin_port) < 1024) GETUSERMODE();
>   #endif
> !     listen(s, listenbacklog);
>       return s;
>   }
>   
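Review bot: the return value of `listen(s, listenbacklog)` is still discarded. Now that the backlog is user-supplied rather than a constant, check for -1 and log errno so a value the platform refuses does not fail silently at startup; and since, as the mail says, the effective queue length depends on the kernel, the configured number should be documented as a request, not a guarantee.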
> Index: src/httpd.h
> ===================================================================
> RCS file: /export/home/cvs/apache/src/httpd.h,v
> retrieving revision 1.112
> diff -c -r1.112 httpd.h
> *** httpd.h	1997/06/06 13:51:10	1.112
> --- httpd.h	1997/06/10 03:56:08
> ***************
> *** 237,242 ****
> --- 237,254 ----
>   
>   #define DEFAULT_MAX_REQUESTS_PER_CHILD 0
>   
> + /* The maximum length of the queue of pending connections, as defined
> +  * by listen(2).  Under some systems, it should be increased if you
> +  * are experiencing a heavy TCP SYN flood attack.
> +  *
> +  * It defaults to 511 instead of 512 because some systems store it 
> +  * as an 8-bit datatype; 512 truncated to 8-bits is 0, while 511 is 
> +  * 255 when truncated.
> +  */
> + 
> + #define DEFAULT_LISTENBACKLOG 511
> + 
> + 
>   /* If you have altered Apache and wish to change the SERVER_VERSION
>    * identifier below, please keep to the HTTP specification.  This states that
>    * the identification string should consist of product tokens with an optional
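Review bot: the comment explains why the default is 511 rather than 512, but the same 8-bit truncation applies to any user-supplied ListenBacklog, which it does not say. Add a sentence noting that on such systems values of 256 and above wrap (512, 2048 and 4096 all become 0), so someone raising it to the 2k-4k range suggested in the mail knows to check their platform first. Minor: the two blank lines after the `#define` are one more than the surrounding code uses.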
> 


-- 
====================================================================
      Jim Jagielski            |       jaguNET Access Services
     jim@jaguNET.com           |       http://www.jaguNET.com/
            "Look at me! I'm wearing a cardboard belt!"
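As an added example (not part of Marc's patch or of Apache's code): a stricter parser for the ListenBacklog argument that replaces the `atoi()` call in `set_listenbacklog` with `strtol` and an end-pointer check, plus a helper showing the 8-bit truncation the httpd.h comment describes. The function names are my own.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Strict replacement for the atoi() call in set_listenbacklog(): rejects
 * non-numeric input and trailing characters ("5l2" is an error, not 5) and
 * keeps the patch's "> 0" rule.  Returns the backlog, or -1 with *err set
 * (err may be NULL). */
int parse_listen_backlog(const char *arg, const char **err)
{
    char *end;
    const char *msg = NULL;
    long v;

    errno = 0;
    v = strtol(arg, &end, 10);
    if (end == arg || *end != '\0')
        msg = "ListenBacklog must be a decimal integer";
    else if (errno == ERANGE || v < 1 || v > INT_MAX)
        msg = "ListenBacklog must be > 0";
    if (err)
        *err = msg;
    return msg ? -1 : (int)v;
}

/* What a kernel that keeps the backlog in an 8-bit field would use, per the
 * DEFAULT_LISTENBACKLOG comment: 511 -> 255, but 512 (or 2048) -> 0. */
int backlog_as_seen_by_8bit_kernel(int backlog)
{
    return backlog & 0xff;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "511";   /* constructed sample input */
    const char *err;
    int b = parse_listen_backlog(arg, &err);

    if (b < 0) {
        fprintf(stderr, "%s\n", err);
        return 1;
    }
    printf("ListenBacklog %d\n", b);
    if (b > 255)   /* warn where the patch's handler is silent */
        printf("warning: an 8-bit-backlog kernel would use %d\n",
               backlog_as_seen_by_8bit_kernel(b));
    return 0;
}
```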
