www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andreas Delp <wwwad...@as-informatik.de>
Subject general/5089: Spawning childs up to MaxClients, decreasing traffic
Date Fri, 01 Oct 1999 14:24:32 GMT

>Number:         5089
>Category:       general
>Synopsis:       Spawning childs up to MaxClients, decreasing traffic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Oct  1 07:30:01 PDT 1999
>Last-Modified:
>Originator:     wwwadmin@as-informatik.de
>Organization:
apache
>Release:        1.3.6
>Environment:
Pentium III 450
256 MB RAM
1 Million hits per day
linux 2.2.5 #6; SuSE
gcc
>Description:
Big trouble with our Webserver

Lately strange things happen with our Server. We suddenly
had a huge traffic breakdown. Netscapes status bar showed: "Connecting to....
waiting for reply" and after a while it worked (but slowly).

Checking the server, I found that Apache spawned a lot of childs (up to the
limit of MaxClients which we never reached before, even in high-traffic
times!).

First I thought that a CGI was hanging, but there was none.

I restarted Apache and the access to our pages was normal again. But after
a few minutes the amount of child-processes had climbed up to MaxClients-limit
and the same thing occured, so I had to restart Apache again.

After reaching MaxClient, Apache doesn´t seem to kill any childs
anymore.

Our main traffic is usually during the working hours (max between 10am and
2pm) but the problems start much earlier and last up to the late evening.

At the moment, we restart Apache every 20 minutes, but this isn't a real
solution.

Any help would be highly appreciated.


Our httpd.conf (with cuts)


-----------
# This is the main server configuration file. See URL http://www.apache.org/
# for instructions.

# Do NOT simply read the instructions in here without understanding
# what they do, if you are unsure consult the online docs. You have been
# warned.  

# Originally by Rob McCool
ErrorDocument 404 /bad_url.html

# Fehler in Java 1.0:

#BrowserMatch Java1.0 force-response-1.0
#BrowserMatch JDK/1.0 force-response-1.0

# Meldung des Apache an Clients verkürzen

ServerTokens OS

# ServerType is either inetd, or standalone.

ServerType standalone

# If you are running from inetd, go to "ServerAdmin".

# Port: The port the standalone listens to. For ports < 1023, you will
# need httpd to be run as root initially.

Port 80

ExtendedStatus on


##
##  SSL Support
##
##  When we also provide SSL we have to listen to the
##  standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

#Redirect / http://www.as-informatik.de

# HostnameLookups: Log the names of clients or just their IP numbers
#   e.g.   www.apache.org (on) or 204.62.129.132 (off)
HostnameLookups on

# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.  

# User/Group: The name (or #number) of the user/group to run httpd as.
#  On SCO (ODT 3) use User nouser and Group nogroup
User wwwrun
Group #-2

# ServerAdmin: Your address, where problems with the server should be
# e-mailed.

ServerAdmin wwwadmin@as-informatik.de

# ServerRoot: The directory the server's config, error, and log files
# are kept in

ServerRoot /httpd

# BindAddress: You can support virtual hosts with this option. This option
# is used to tell the server which IP address to listen to. It can either
# contain "*", an IP address, or a fully qualified Internet domain name.
# See also the VirtualHost directive.

# BindAddress 192.168.255.99
# BindAddress 192.168.255.100

# Informationen ueber den benutzen Server und das Betriebssystem
# hier: nur Servertyp mitschicken
ServerTokens Min

# ErrorLog: The location of the error log file. If this does not start
# with /, ServerRoot is prepended to it.

ErrorLog /var/log/httpd.error_log

# TransferLog: The location of the transfer log file. If this does not
# start with /, ServerRoot is prepended to it.

TransferLog /var/log/httpd.access_log

# The following directives define some format nicknames for use with
# a CustomLog directive (see below).

LogFormat "%h %l %u %t \"%r\" %s %b %{Referer}i \"%{User-Agent}i\"" mylog

# PidFile: The file the server should log its pid to
PidFile /var/run/httpd.pid
LockFile /var/apache.accept.lock

# ScoreBoardFile: File used to store internal server process information
ScoreBoardFile /var/log/apache_status

# ServerName allows you to set a host name which is sent back to clients for
# your server if it's different than the one the program would get (i.e. use
# "www" instead of the host's real name).
#
# Note: You cannot just invent host names and hope they work. The name you 
# define here must be a valid DNS name for your host. If you don't understand
# this, ask your network administrator.

# ServerName 192.168.255.99

# UseCanonicalName:  (new for 1.3)  With this setting turned on, whenever
# Apache needs to construct a self-referencing URL (a url that refers back
# to the server the response is coming from) it will use ServerName and
# Port to form a "canonical" name.  With this setting off, Apache will
# use the hostname:port that the client supplied, when possible.  This
# also affects SERVER_NAME and SERVER_PORT in CGIs.

UseCanonicalName on

# CacheNegotiatedDocs: By default, Apache sends Pragma: no-cache with each
# document that was negotiated on the basis of content. This asks proxy
# servers not to cache the document. Uncommenting the following line disables
# this behavior, and proxies will be allowed to cache the documents.

#CacheNegotiatedDocs

# Timeout: The number of seconds before receives and sends time out
#  n.b. the compiled default is 1200 (20 minutes !)

Timeout 180

# KeepAlive: The number of Keep-Alive persistent requests to accept
# per connection. Set to 0 to deactivate Keep-Alive support

KeepAlive 10

# KeepAliveTimeout: Number of seconds to wait for the next request

KeepAliveTimeout 5

# Server-pool size regulation.  Rather than making you guess how many
# server processes you need, Apache dynamically adapts to the load it
# sees --- that is, it tries to maintain enough server processes to
# handle the current load, plus a few spare servers to handle transient
# load spikes (e.g., multiple simultaneous requests from a single
# Netscape browser).

# It does this by periodically checking how many servers are waiting
# for a request.  If there are fewer than MinSpareServers, it creates
# a new spare.  If there are more than MaxSpareServers, some of the
# spares die off.  These values are probably OK for most sites ---

MinSpareServers 10
MaxSpareServers 20

# Number of servers to start --- should be a reasonable ballpark figure.

StartServers 20

# Limit on total number of servers running, i.e., limit on the number
# of clients who can simultaneously connect --- if this limit is ever
# reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
# It is intended mainly as a brake to keep a runaway server from taking
# Unix with it as it spirals down...

MaxClients 160

# MaxRequestsPerChild: the number of requests each child process is
#  allowed to process before the child dies.
#  The child will exit so as to avoid problems after prolonged use when
#  Apache (and maybe the libraries it uses) leak.  On most systems, this
#  isn't really needed, but a few (such as Solaris) do have notable leaks
#  in the libraries.

MaxRequestsPerChild 200

# Proxy Server directives. Uncomment the following line to
# enable the proxy server:

#ProxyRequests On

# To enable the cache as well, edit and uncomment the following lines:

#CacheRoot /usr/local/etc/httpd/proxy
#CacheSize 5
#CacheGcInterval 4
#CacheMaxExpire 24
#CacheLastModifiedFactor 0.1
#CacheDefaultExpire 1
#NoCache adomain.com anotherdomain.edu joes.garage.com

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the VirtualHost command

#Listen 3000
#Listen 192.168.255.100:80

# Bug im ZMOD-Log-Modul: Der Hauptserver will auch ein Logfile haben
# wir ignorieren dieses.

ZModLog   /dev/null

##
##  SSL Support
##
##  Note that all SSL options can apply to virtual hosts, which
##  is where we are going to put them now. We disable SSL globally
##  and enable only inside a virtual host only.
##

<IfModule mod_ssl.c>

#   we disable SSL globally
SSLDisable

#   configure the path/port for the SSL session cache server [RECOMMENDED].
#   Additionally sets the session cache timeout, in seconds (set to 15 for
#   testing, use a higher value in real life) [RECOMMENDED]
#SSLCacheServerPath /httpd/bin/ssl_gcache
#SSLCacheServerPort     12345
SSLSessionCache none
SSLSessionCacheTimeout 300

</IfModule>

# VirtualHost: Allows the daemon to respond to requests for more than one
# server address, if your server machine is configured to accept IP packets
# for multiple addresses. This can be accomplished with the ifconfig 
# alias flag, or through kernel patches like VIF.

# Any httpd.conf or srm.conf directive may go into a VirtualHost command.
# See alto the BindAddress entry.


#<VirtualHost www-2.bildschirmschoner.com>
#ServerName www-2.bildschirmschoner.com
#DocumentRoot /home/test-www
#</VirtualHost> 

<VirtualHost 195.88.90.66>
User ueltje
group www
ServerAdmin wwwadmin@as-informatik.de
DocumentRoot /home/ueltje/www
DirectoryIndex index.html
ServerName www.ueltje.de
#ScriptAlias /cgi-bin/ /httpd/cgi-bin/ueltje/
ScriptAlias /cgi-bin/ /home/ueltje/cgi-bin/
#AgentLog /home/ueltje/log/agent
#RefererLog /home/ueltje/log/referer
ScriptLog /home/ueltje/log/script
ErrorLog /home/ueltje/log/error
TransferLog /home/ueltje/log/transfer
AccessConfig /httpd/conf/ueltje.access
LogFormat "%h %l %u %t \"%r\" %s %b %{Referer}i \"%{User-Agent}i\""
</VirtualHost>

[cut: an other virtual host]
[cut: an other virtual host]
[cut: an other virtual host]
[cut: an other virtual host]
[cut: an other virtual host]
[cut: an other virtual host]
[cut: an other virtual host]
[cut: an other virtual host]

#
# Wird fuer das ivw-ZMOD-Log benoetigt: Die Dummy-Grafik
#

<Location /cgi-bin/ivw>
SetHandler     ZModBlanky
</Location>

AddHandler server-parsed .html

</VirtualHost>

<VirtualHost 195.88.90.75>
user objektf
group www
ScriptAlias /cgi-bin/ /home/objektf/cgi-bin/
ServerAdmin wwwadmin@as-informatik.de
DocumentRoot /home/objektf/www
DirectoryIndex index.html
ServerName www.objektform.de 
#ScriptAlias /cgi-bin/ /httpd/cgi-bin/schoner/
#RefererLog /home/schoner/log/referer
ErrorLog /home/objektf/log/error
TransferLog /home/objektf/log/transfer
ScriptLog /home/objektf/log/scripts
AccessConfig /httpd/conf/objektf.access
LogFormat "%h %l %u %t \"%r\" %s %b %{Referer}i \"%{User-Agent}i\""
</VirtualHost>


[cut: an other virtual host]
[cut: an other virtual host]
[cut: an other virtual host]
[cut: an other virtual host]
[cut: an other virtual host]
[cut: an other virtual host]
[cut: an other virtual host]

<IfModule mod_ssl.c>
<IfDefine SSL>
<VirtualHost www.butterfinger.de:443>
User butterf
Group www

#   setup the general virtual server configuration
DocumentRoot /home/butterf/www
ServerName www.butterfinger.de
ServerAdmin wwwadmin@as-informatik.de
DirectoryIndex index.html
ErrorLog /home/butterf/log/error 
TransferLog /home/butterf/log/transfer
ScriptAlias /cgi-bin/ /home/butterf/cgi-bin/
ScriptLog /home/butterf/log/scripts
AccessConfig /httpd/conf/butterf.access
LogFormat "%h %l %u %t \"%r\" %s %b %{Referer}i \"%{User-Agent}i\""

#   enable SSL for this virtual host
SSLEnable

#   this forbids access except when SSL is in use. Very handy for defending
#   against configuration errors that expose stuff that should be protected
# SSLRequireSSL

#   point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with ake certificate under
#   built time. [RECOMMENDED]
#SSLCertificateFile /home/homer/asinfo/apache_1.3.1/conf/sslcerts/server.pem
SSLCertificateFile /httpd/conf/butterf/sslcerts/cert.pem

#   if the key is not combined with the certificate, use this
#   directive to point at the key file. [OPTIONAL]
SSLCertificateKeyFile /httpd/conf/butterf/sslcerts/key.pem

#   set the CA certificate verification path where
#   to find CA certificates for client authentication or
#   alternatively one huge file containing all of them
#   (file must be PEM encoded) [OPTIONAL]
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath conf/sslcerts
#SSLCACertificateFile conf/sslcerts/ca.pem

#   set client verification level: [RECOMMENDED]
#   0|none:           no certificate is required
#   1|optional:       the client may  present a valid certificate
#   2|require:        the client must present a valid certificate
#   3|optional_no_ca: the client may  present a valid certificate
#                     but it is not required to have a valid CA
SSLVerifyClient none

#   set how deeply to verify the certificate issuer chain
#   before deciding the certificate is not valid. [OPTIONAL]
#SSLVerifyDepth 10

#   list the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list. [OPTIONAL]
#SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA

#   these two can be used on a per-directory basis to require or
#   ban specific ciphers. Note that (at least in the current version)
#   SSL will not attempt to renegotiate if a cipher is banned
#   (or not required). [OPTIONAL]
#SSLRequireCipher RC4-MD5
#SSLBanCipher RC4-MD5
#   translate the client X.509 into a Basic Authorisation.
#   This means that the standard Auth/DBMAuth methods can be used for
#   access control. The user name is the e line' version of
#   the client's X.509 certificate. Note that no password is
#   obtained from the user. Every entry in the user file needs
#   this password: j31ZMTZzkVA'. [OPTIONAL]
#SSLFakeBasicAuth

#   a home for miscellaneous rubbish generated by SSL. Much of it
#   is duplicated in the error log file. Put this somewhere where
#   it cannot be used for symlink attacks on a real server (i.e.
#   somewhere where only root can write). [RECOMMENDED]
SSLLogFile /home/butterf/log/ssl_misc_log

#   define custom SSL logging [RECOMMENDED]
CustomLog /home/butterf/log/ssl_log "%t %h %{version}c %{cipher}c %{subjectdn}c %{issuerdn}c

</VirtualHost>
</IfDefine>

</IfModule>

[cut: an other virtual host]
[cut: an other virtual host]
[cut: an other virtual host]
[cut: an other virtual host]

# Bildschirmschoner.de Dummy-SSL

<IfModule mod_ssl.c>
<IfDefine SSL>
<VirtualHost www.bildschirmschoner.de:443>
User schoner
group www
ServerAdmin wwwadmin@bildschirmschoner.de
DocumentRoot /home/schoner/www
DirectoryIndex index.html
ServerName www.bildschirmschoner.de
#ScriptAlias /cgi-bin/ /httpd/cgi-bin/schoner/
ScriptAlias /cgi-bin/ /home/schoner/cgi-bin/
#RefererLog /home/schoner/log/referer
ErrorLog /home/schoner/log/error
TransferLog /home/schoner/log/transfer
ScriptLog /home/schoner/log/scripts
AccessConfig /httpd/conf/schoner.access
LogFormat "%h %l %u %t \"%r\" %s %b %{Referer}i \"%{User-Agent}i\""
ZModLog   /home/schoner/log/zmod.log
ZModSubPath /cgi-bin/ivw/
ZMODFormat ZMODS

#
# Wird fuer das ivw-ZMOD-Log benoetigt: Die Dummy-Grafik
#

<Location /cgi-bin/ivw>
SetHandler     ZModBlanky
</Location>

AddHandler server-parsed .html


#   enable SSL for this virtual host
SSLEnable

#   this forbids access except when SSL is in use. Very handy for defending
#   against configuration errors that expose stuff that should be protected
# SSLRequireSSL

#   point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with ake certificate under
#   built time. [RECOMMENDED]
#SSLCertificateFile /home/homer/asinfo/apache_1.3.1/conf/sslcerts/server.pem
SSLCertificateFile /httpd/conf/schoner/sslcerts/cert.pem

#   if the key is not combined with the certificate, use this
#   directive to point at the key file. [OPTIONAL]
SSLCertificateKeyFile /httpd/conf/schoner/sslcerts/key.pem

#   set the CA certificate verification path where
#   to find CA certificates for client authentication or
#   alternatively one huge file containing all of them
#   (file must be PEM encoded) [OPTIONAL]
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath conf/sslcerts
#SSLCACertificateFile conf/sslcerts/ca.pem

#   set client verification level: [RECOMMENDED]
#   0|none:           no certificate is required
#   1|optional:       the client may  present a valid certificate
#   2|require:        the client must present a valid certificate
#   3|optional_no_ca: the client may  present a valid certificate
#                     but it is not required to have a valid CA
SSLVerifyClient none

#   set how deeply to verify the certificate issuer chain
#   before deciding the certificate is not valid. [OPTIONAL]
#SSLVerifyDepth 10

#   list the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list. [OPTIONAL]
#SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA

#   these two can be used on a per-directory basis to require or
#   ban specific ciphers. Note that (at least in the current version)
#   SSL will not attempt to renegotiate if a cipher is banned
#   (or not required). [OPTIONAL]
#SSLRequireCipher RC4-MD5
#SSLBanCipher RC4-MD5
#   translate the client X.509 into a Basic Authorisation.
#   This means that the standard Auth/DBMAuth methods can be used for
#   access control. The user name is the e line' version of
#   the client's X.509 certificate. Note that no password is
#   obtained from the user. Every entry in the user file needs
#   this password: j31ZMTZzkVA'. [OPTIONAL]
#SSLFakeBasicAuth

#   a home for miscellaneous rubbish generated by SSL. Much of it
#   is duplicated in the error log file. Put this somewhere where
#   it cannot be used for symlink attacks on a real server (i.e.
#   somewhere where only root can write). [RECOMMENDED]
SSLLogFile /home/schoner/log/ssl_misc_log

#   define custom SSL logging [RECOMMENDED]
CustomLog /home/schoner/log/ssl_log "%t %h %{version}c %{cipher}c %{subjectdn}c %{issuerdn}c

</VirtualHost>
</IfDefine>

</IfModule>


<VirtualHost _default_>
Redirect temp / http://www.as-informatik.de/
</VirtualHost>


[cut: an other virtual host]
[cut: an other virtual host]




>How-To-Repeat:

>Fix:

>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <apbugs@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]




Mime
View raw message