[users@httpd] https

2014-04-03 Thread Andy Canfield
I have been using apache for maybe ten years now, and maintain two
servers in addition to the apache on my notebook computer for testing.
All using Ubuntu Linux *.04 LTS. It now appears that I ought to convert
from http to https.

But the documentation is insane. A piece here, a piece there, have to do
X (but first? and afterwards?). Assuming everything else is OK, this
is the way you edit this line in the VirtualHost file (there is no
"/etc/apache2/.../VirtualHost" file!)

I figure that I need to do it in two steps:
[1] Get the https version up and running, and
[2] Make the http version automatically switch to https.

But I can't get https working at all, for anything. There's a "Listen
443" in /etc/apache2/ports.conf but 'nmap localhost' says 443 is a
closed port.

Has anybody else ever converted a hosted site from http to https? What
did you have to do to get the secure one working?


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] https

2014-04-03 Thread Oren

Hi Andy.
The process basically includes getting/creating a certificate, defining it on
your site and reloading apache.
Here is a CentOS manual which is not exactly the same on Ubuntu but
pretty much explains the order of things

http://wiki.centos.org/HowTos/Https

on ubuntu you will have to open the 443 port

<IfModule mod_ssl.c>
    Listen 443
</IfModule>


once the https is ready, you can do a redirect to the https site from 
http. (with mod_rewrite)


do you have logs or any information on what is not working?

Oren




Re: [users@httpd] https

2014-04-03 Thread Andy Canfield

Files:

-rw-r--r-- 1 root 859 Apr  3 11:45 /etc/apache2/ssl/crt/vhost1.crt

-rw-r--r-- 1 root 916 Apr  3 11:45 /etc/apache2/ssl/key/vhost1.key

So AFAIK I've got a certificate I've generated myself. Nobody vouches
for me but it should enable encryption and make my TCP/IP packets hard to
read.

Contents of /etc/apache2/ports.conf:

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>


Files:

-rw-r--r-- 1 andy 1439 Apr  3 14:48 /etc/apache2/sites-available/default
-rw-r--r-- 1 andy 7485 Jun 16  2011 /etc/apache2/sites-available/default-ssl
-rw-r--r-- 1 root 7469 Feb  7  2012 /etc/apache2/sites-available/default-ssl.original
-rw-r--r-- 1 root  950 Feb  7  2012 /etc/apache2/sites-available/default.original

I see here that /etc/apache2/sites-available has one symbolic link to
/etc/apache2/sites-available/default, and no symbolic links to any of
the other entries in the sites-available directory. Also all the other
entries in /etc/apache2/sites-available are symbolic links to
configuration files such as

lrwxrwxrwx 1 root 21 May  6  2012 /etc/apache2/sites-enabled/opal.conf -> /www/opal/apache.conf

These links have been working fine for years as links into the site
control directory and not into 'sites-available'. But perhaps that is wrong.

Maybe what I need is a symbolic link from sites-enabled to
../sites-available/default-ssl ? Nope, tested, did not solve the problem

When I give this command (as root) -

/etc/init.d/apache2 restart

I see only this output:

apache2: Could not reliably determine the server's fully qualified
domain name, using 192.168.1.112 for ServerName
 ... waiting apache2: Could not reliably determine the server's fully
qualified domain name, using 192.168.1.112 for ServerName
   
[ OK ]

But nmap still says that nothing is listening to port 443.

Thank you Oren.




Re: [users@httpd] DirectoryIndex

2014-04-03 Thread Eric Covener
On Wed, Apr 2, 2014 at 10:52 PM, Tony Kwan  wrote:

> Hi,
>
> I have tried "DirectoryIndex index.html index.php" but it still recognized
> the index.html only (first one). Any other suggestions?
>

if index.php requires authentication, and you strip out the Authorization
header, it makes sense that mod_dir won't choose to serve it.

mod_dir sends an internal subrequest to see if the resource is useable, it
doesn't just check the filesystem.

If you want it to work, stop stripping the header or punch a hole for
index.php.



[users@httpd] High CPU Usage in Amazon EC2

2014-04-03 Thread Christopher Schultz
All,

I'm having a problem in production I've never seen before. We are
running a pair of AWS EC2 m1.micro web servers where only one of them is
really in service at any given time. The httpd instance serves some
static content and forwards a great deal of traffic via stunnel to a
single back-end Tomcat server using mod_jk 1.2.37. We have been running
under this configuration for several years with no problems.

Last weekend, we upgraded our OS to Amazon Linux 2014.03 (32-bit) from
Amazon's previous version (I can't remember which one), including the
package-refresh that comes with it for httpd. The current kernel version
is 3.10.34. The current httpd version is 2.2.26. The package name is
"httpd-2.2.26-1.1.amzn1.i686" if anyone is interested. We are using a
prefork MPM with the following (default) settings:

StartServers          8
MinSpareServers       5
MaxSpareServers      20
ServerLimit         256
MaxClients          256
MaxRequestsPerChild 4000

What I can observe is that the CPU load average is rising from the usual
sub-2.0 value to sometimes as high as 70. That's seventy, not
seven-point-oh.

I see no errors in the log, and httpd doesn't seem to be dropping any
requests... just running very very slowly.

It seems to come in waves: the load will go up, and everything will slow
down, and then we'll get a reprieve.

I can see 22 server processes running right this moment, but the load
average has dropped back to 0.05.

I've enabled ExtendedStatus and it really doesn't look like there is a
huge number of requests being served. Less than 1 req/sec. This is *not*
a high-load server. I can see some of the httpd child processes using
20% or more of the CPU as reported by 'top'.

Is there a good way for me to determine what those processes are doing?
As this is a modestly-used server, I can probably enable additional
logging without too much trouble.

Any help anyone can provide would be very much appreciated.

Thanks,
-chris





Re: [users@httpd] High CPU Usage in Amazon EC2

2014-04-03 Thread Christopher Schultz
All,

I forgot to mention that most of our traffic is over SSL. OpenSSL
version is OpenSSL 1.0.1e-fips 11 Feb 2013.

Thanks,
-chris



Re: [users@httpd] High CPU Usage in Amazon EC2

2014-04-03 Thread Oscar Knorn
Sounds like apache is waiting for a response or a means to forward the
request via stunnel.
Is /dev/random or /dev/urandom providing sufficient random to the process?

Cheers Oscar




Re: [users@httpd] High CPU Usage in Amazon EC2

2014-04-03 Thread Christopher Schultz
Oscar,

On 4/3/14, 10:33 AM, Oscar Knorn wrote:
> Sounds like apache is waiting for a response or a means to forward the
> request via stunnel.
> Is /dev/random or /dev/urandom providing sufficient random to the process?

I'm not sure how to check that. Any ideas?

In either case above, wouldn't the processes be sitting idle waiting for
blocking IO to return? I'm not surprised that the bytes are moving
slowly, actually. I'm surprised that I'm pegging my CPU waiting for
bytes to move...

Thanks,
-chris



Re: [users@httpd] https

2014-04-03 Thread Yehuda Katz
Debian/Ubuntu have a slightly different default layout and include some
tools to help you work with it. The tools just create the symlinks for you,
but the major benefit is that all of them support tab-completion, so you
know what is available.

a2enmod / a2dismod: enable or disable apache modules
a2ensite / a2dissite: enable or disable apache vhosts
a2enconf / a2disconf: enable or disable apache configuration files (added
in Ubuntu 13.10)

The first thing to check is that you have loaded mod_ssl, either by running
`a2enmod ssl` or looking at the modules-enabled directory.
You are probably not listening on 443 since it is inside the
<IfModule mod_ssl.c> block and the module is not loaded.

You should have Ubuntu's default SSL vhost in
sites-available/default-ssl.conf and you can enable it using the tool (or
manual symlink).

You can enable any vhost for SSL by adding a few directives to it (it will
stop listening on non-ssl):
- Change the VirtualHost port to 443
- SSLEngine on
- SSLCertificateFile  /etc/apache2/ssl/example.com.crt
- (SSLCertificateKeyFile /etc/apache2/ssl/example.com.key if the key is not
in the same file)

There are a few other default things in the default-ssl vhost to fix buggy
browsers and provide more info to cgi-scripts.

- Y



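As an added example, not code from the thread: a read-only script that walks the checks above (mod_ssl enabled, `Listen 443` reachable, an enabled `:443` vhost with `SSLEngine on` whose certificate and key files exist) against a Debian/Ubuntu apache2 directory tree. The optional directory argument is an assumption, so the same function can be pointed at a test tree instead of /etc/apache2.

```shell
#!/bin/sh
# Added example (not from the thread): explains why nmap reports 443 closed
# on an Ubuntu apache2 tree even though ports.conf contains "Listen 443".
# Assumption: the tree follows the Debian/Ubuntu layout (mods-enabled,
# sites-enabled, ports.conf); the path argument is for testing elsewhere.

check_https_ready() {
    root="${1:-/etc/apache2}"
    fail=0

    # 1. Is mod_ssl enabled?  'a2enmod ssl' creates mods-enabled/ssl.load.
    if [ -e "$root/mods-enabled/ssl.load" ]; then
        ssl_loaded=1
        echo "ok:   mod_ssl enabled ($root/mods-enabled/ssl.load exists)"
    else
        ssl_loaded=0
        fail=1
        echo "FAIL: mod_ssl not enabled; run 'a2enmod ssl' and restart apache2"
    fi

    # 2. Is there a 'Listen 443', and is it wrapped in <IfModule mod_ssl.c>?
    #    A wrapped Listen is silently skipped while the module is not loaded,
    #    so the port stays closed even though the directive is present.
    listen_re='^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)'
    if grep -Eq "$listen_re" "$root/ports.conf" 2>/dev/null; then
        if grep -Eq '<IfModule[[:space:]]+mod_ssl\.c>' "$root/ports.conf"; then
            if [ "$ssl_loaded" -eq 1 ]; then
                echo "ok:   Listen 443 sits inside <IfModule mod_ssl.c> and mod_ssl is loaded"
            else
                echo "FAIL: Listen 443 sits inside <IfModule mod_ssl.c>, so it is ignored until mod_ssl loads"
            fi
        else
            echo "ok:   Listen 443 present in ports.conf"
        fi
    else
        fail=1
        echo "FAIL: no 'Listen 443' in $root/ports.conf"
    fi

    # 3. Is some enabled site a *:443 vhost with SSLEngine on, and do the
    #    certificate/key files it names exist?  sites-enabled entries are
    #    normally symlinks created by a2ensite; 'test -f' follows them.
    found=0
    for f in "$root"/sites-enabled/*; do
        [ -f "$f" ] || continue
        grep -Eq '<VirtualHost[^>]*:443>' "$f" || continue
        grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$f" || continue
        found=1
        echo "ok:   SSL vhost enabled in $f"
        for d in SSLCertificateFile SSLCertificateKeyFile; do
            p=$(awk -v d="$d" '$1 == d { print $2; exit }' "$f")
            if [ -z "$p" ]; then
                # The key may live in the same file as the cert, so only a note.
                echo "note: $f sets no $d"
            elif [ -r "$p" ]; then
                echo "ok:   $d -> $p"
            else
                fail=1
                echo "FAIL: $d in $f names missing/unreadable file $p"
            fi
        done
    done
    if [ "$found" -eq 0 ]; then
        fail=1
        echo "FAIL: no enabled vhost on :443 with 'SSLEngine on'; try 'a2ensite default-ssl'"
    fi

    return "$fail"
}

# Run directly as: sh check_https.sh /etc/apache2
# Exit status is non-zero when any check fails; with no argument the
# function is only defined so the file can be sourced.
if [ $# -gt 0 ]; then
    check_https_ready "$1"
fi
```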

Re: [users@httpd] High CPU Usage in Amazon EC2

2014-04-03 Thread Jason Cillo
Have you looked at OpenSSL Cookbook? It's free. I find it very useful. (I even 
bought the larger book of which it is a chapter.)

...Jason





Re: [users@httpd] High CPU Usage in Amazon EC2

2014-04-03 Thread Christopher Schultz
All,

This is the current status map on me server:

Total accesses: 14118 - Total Traffic: 3.9 GB
CPU Usage: u404.04 s9.82 cu0 cs0 - .956% CPU load
.326 requests/sec - 94.4 kB/second - 289.5 kB/request
6 requests currently being processed, 15 idle workers

.__..._.._.R_R_.._...__.._._R_.R...R..W_..__




top reports CPU load average "4.71, 10.49, 10.43" so things are settling
down a bit right now. Here's what top shows for the httpd processes (at
the top of the report, so these are the highest-CPU processes this
particular moment):

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
23225 apache    20   0 27772 6860 2444 R  8.6  1.1   0:02.94 httpd
23337 apache    20   0 27764 6724 2324 R  6.3  1.1   0:00.80 httpd
23224 apache    20   0 27820 7112 2624 R  4.6  1.2   0:03.02 httpd
23023 apache    20   0 27824 7204 2692 R  4.3  1.2   0:12.15 httpd
21815 apache    20   0 27820 7420 2916 R  4.0  1.2   0:58.10 httpd
22478 apache    20   0 27992 8412 3856 R  4.0  1.4   0:28.18 httpd


I wasn't able to copy/paste all of that stuff at exactly the same time,
so the numbers are a bit off from each other.

But the server is simply not handling very much traffic. I don't
understand the spikes in CPU load -- which is what slows everything down.
Even doing something like attaching strace to a running process took
something like 30 seconds before it started actually logging anything to
the terminal.

I checked the status of entropy availability using this command:

$ cat /proc/sys/kernel/random/entropy_avail

I did this a few tens of times and the lowest number I ever got was 133.
On systems that have truly run out of randomness, I have seen this
number drop to zero (it usually happens during OpenSSL server key
generation :).

I'm at a loss for what to check next. Any suggestions?

Thanks,
-chris


Re: [users@httpd] High CPU Usage in Amazon EC2

2014-04-03 Thread Christopher Schultz
Jason,

On 4/3/14, 11:35 AM, Jason Cillo wrote:
> Have you looked at OpenSSL Cookbook? It's free. I find it very
> useful. (I even bought the larger book of which it is a chapter.)

Did you have something in particular that you thought would be relevant
from that book?

-chris





Re: [users@httpd] High CPU Usage in Amazon EC2

2014-04-03 Thread Jason Cillo
Hmmm. Sorry, I think I typed a reply on the wrong post. Someone had posted a 
question about setting up https from http, that is what I meant to reply to, 
since I had just that same problem and find this guide useful. I've already 
deleted that person's message.

...Jason





[users@httpd] Apache HTTPD SHA256

2014-04-03 Thread Jerry Blasdel
We have built the following:

httpd-2.4.6
openssl-1.0.1.e
openssl-fips-2.05

for both Windows and Solaris so we can leverage SHA256.

For both environments I have Apache configured with the following:

SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

On Windows, this works.  I can use a Browser to hit the server and it will 
bring back a response.

On Solaris, I get no response back and no errors that I can see in any 
logs.

I have turned on debug on mod_ssl.  Would anyone have any ideas on how to 
track down this issue?

Any help would be appreciated. 

Thanks,

JB
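The symptom in this post, a server that is reached but sends nothing back and logs nothing, is hard to tell apart from a TCP or firewall problem with only a browser; `openssl s_client -connect host:443 -tls1_2` is the usual command-line check. The script below is an added example written for this page, not code from the thread or from the httpd project. It connects to a port, attempts one handshake per protocol version named in the post's SSLProtocol line, sends SNI, and reports whether the port refused the connection, accepted it but never answered the ClientHello (the "no response, no errors" case), rejected the handshake, or completed it. The host, port and timeout values are assumptions, and the silent listener is a constructed stand-in for a stalled server so the probe can be exercised without a real Apache.

```python
import socket
import ssl
import threading

# One probe per protocol version, the versions named in the post's SSLProtocol
# line. ssl.TLSVersion needs Python 3.7+; if the local OpenSSL build cannot
# speak a version at all, that probe reports "unsupported" instead of crashing.
TLS_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def probe(host, port, version, sni=None, timeout=3.0):
    """Connect, then attempt one handshake pinned to exactly one TLS version.

    Returns (status, detail, cipher). Verification is off on purpose: this asks
    "does the server answer at all", not "do I trust it".
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
                return ("ok", tls.version(), tls.cipher()[0])
    except ValueError:
        return ("unsupported", "this OpenSSL build cannot speak that version", None)
    except ConnectionRefusedError:
        return ("refused", "nothing is listening on that port", None)
    except socket.timeout:
        return ("timeout", "TCP connected but no TLS reply: stalled server or filtered path", None)
    except ssl.SSLError as exc:
        return ("handshake-failed", exc.reason or str(exc), None)
    except OSError as exc:
        return ("error", str(exc), None)

def probe_all(host, port, sni=None, timeout=3.0):
    """Run every version in TLS_VERSIONS against one endpoint."""
    return {name: probe(host, port, ver, sni, timeout) for name, ver in TLS_VERSIONS.items()}

# --- offline stand-ins so the probe can be exercised without a real server ---
_silent_connections = []   # kept open so the client sees silence, not EOF

def start_silent_listener():
    """Bind a localhost TCP listener that accepts and then never replies,
    reproducing the "connected, no response, no error" symptom. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            _silent_connections.append(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def free_port():
    """A localhost port that is (almost certainly) closed: bind, read, release."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else start_silent_listener()
    for name, (status, detail, cipher) in probe_all(host, port).items():
        print(f"{name:8s} {status:17s} {cipher or detail}")
```

Run it as `python3 probe.py yourhost 443`; with no arguments it probes its own silent listener and prints "timeout" for every version, which is what a stalled server looks like from the outside. A "refused" result means the Listen directive never took effect, "handshake-failed" with a reason string means Apache answered and rejected the version or cipher, and only "timeout" matches the no-response, no-log symptom described here.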



Re: [users@httpd] https

2014-04-03 Thread Andy Canfield
There are several lines in places that read

There is no file on my hard disk named "mod_ssl.c". There is, however, a
file named
/usr/lib/apache2/modules/mod_ssl.so
Is there some magic connection between "mod_ssl.c" and "mod_ssl.so"?
Like was the ssl module written in C?

On 04/03/2014 09:46 PM, Yehuda Katz wrote:
> Debian/Ubuntu have a slightly different default layout and include
> some tools to help you work with it. The tools just create the
> symlinks for you, but the major benefit is that all of them support
> tab-completion, so you know what is available.
>
> a2enmod / a2dismod: enable or disable apache modules
> a2ensite / a2dissite: enable or disable apache vhosts
> a2enconf / a2disconf: enable or disable apache configuration files
> (added in Ubuntu 13.10)
>
> The first thing to check is that you have loaded mod_ssl, either by
> running `a2enmod ssl` or looking at the modules-enabled directory.
> You are probably not listening on 443 since it is inside the
>  and the module is not loaded.

Then as instructed by a2enmod I ran the command
  service apache2 restart
I normally use '/etc/init.d/apache2 restart' but I did it with 'service'
this time.

After some editing for fixing up things like DocumentRoot (changed to my
own) I got it to restart with no errors.

>
> You should have Ubuntu's default SSL vhost in
> sites-available/default-ssl.conf and you can enable it using the tool
> (or manual symlink).
There is no file extension on
"/etc/apache2/sites-available/default-ssl", I assume that file is
correct. It starts with these two lines:



The above has the keyword "_default_" in the VirtualHost line. All of
my existing http config files read like this:

There is no Virtual Host name in that line, so presumably they all share
the same virtual host, yes? Do I need multiple virtual hosts for https,
or will one virtual host be OK for all the sites?

Wonderful! I rebooted the computer just to make 100% sure of my
restarting EVERYTHING, and then ran 'nmap localhost' and it finally
showed me this line:
443/tcp  open  https
Great! Now somebody is listening.

I sent Firefox to "https://localhost/" and after a bunch of crabbing
about the certificate I got to see the same site. So now I have to
figure out how to make a certificate (FYI I am an anarchist).

I went to one of my sites and followed a link and discovered that it
switched back to "http://" because that is what is in the HTML. Gotta
fix that.

> You can enable any vhost for SSL by adding a few directives to it (it
> will stop listening on non-ssl):
> - Change the virtualhost port to 443
> - SSLEngine on
> - SSLCertificateFile  /etc/apache2/ssl/example.com.crt
> - (SSLCertificateKeyFile /etc/apache2/ssl/example.com.key if the key
> is not in the same file)
>
> There are a few other default things in the default-ssl vhost to fix
> buggy browsers and provide more info to cgi-scripts.
"buggy browsers" as in Internet Explorer, right? These are intra-company
web sites, and we simply tell people not to use IE.
>
> - Y
Thank you very much Yehuda. I think I am launched and can follow on for
a while by myself.

>
>
> On Thu, Apr 3, 2014 at 6:10 AM, Andy Canfield wrote:
>
>
> Files:
>
> -rw-r--r-- 1 root 859 Apr  3 11:45 /etc/apache2/ssl/crt/vhost1.crt
>
> -rw-r--r-- 1 root 916 Apr  3 11:45 /etc/apache2/ssl/key/vhost1.key
>
> So AFAIK I've got a certificate I've generated myself. Nobody
> vouches for me but it should enable encryption and make my TCP/IP
> packets hard to read.
>
> Contents of /etc/apache2/ports.conf:
> NameVirtualHost *:80
> Listen 80
>
> 
> Listen 443
> 
> 
> Listen 443
> 
>
> Files:
>
> -rw-r--r-- 1 andy 1439 Apr  3 14:48
> /etc/apache2/sites-available/default
> -rw-r--r-- 1 andy 7485 Jun 16  2011
> /etc/apache2/sites-available/default-ssl
> -rw-r--r-- 1 root 7469 Feb  7  2012
> /etc/apache2/sites-available/default-ssl.original
> -rw-r--r-- 1 root  950 Feb  7  2012
> /etc/apache2/sites-available/default.original
>
> I see here that /etc/apache2/sites-available has one symbolic link
> to /etc/apache2/sites-available/default, and no symbolic links to
> any of the other entries in the sites-available directory. Also
> all the other entries in /etc/apache2/sites-available are symbolic
> links to configuration files such as
>
> lrwxrwxrwx 1 root 21 May  6  2012 /etc/apache2/sites-enabled/opal.conf -> 
> /www/opal/apache.conf
>
> These links have been working fine for years as links into the
> site control directory and not into 'sites-available'. But perhaps
> that is wrong.
>
> Maybe what I need is a symbolic link from sites-enabled to
> ../sites-available/default-ssl ? Nope, tested, did not solve the
> problem
>
> When I give this command (as root) -
>
> /etc/init.d/apache2 restart
>
> I see only this output:
>
> ap
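Two things Andy ran into in this message can be checked mechanically: the `<IfModule mod_ssl.c>` name (Apache accepts the compiled source file name as well as the module identifier, which is why `mod_ssl.c` refers to the module loaded from `mod_ssl.so`), and `Listen 443` being silently dropped when the module named by the enclosing IfModule is not loaded, so the port stays closed in nmap. The Python script below is an added example written for this page, not code from the thread or from Apache. It resolves `LoadModule` lines into both names a module can be tested by, evaluates `<IfModule>` blocks the way Apache does, reports the ports that will actually be bound, and audits every port-443 virtual host for `SSLEngine on`, a certificate, and a key file that exists and is not readable by group or other (the listing quoted further down shows vhost1.key as -rw-r--r--, which this audit flags). Assumptions: the mod_ssl.so to mod_ssl.c mapping, `Include` is not followed, and the sample configuration strings are constructed, not Andy's files.

```python
import os
import re

# <IfModule X> accepts either the module identifier (ssl_module) or the source
# file it was compiled from (mod_ssl.c). Debian's mods-enabled/*.load files say
# "LoadModule ssl_module .../mod_ssl.so"; mapping .so to .c is an assumption
# that holds for the stock modules.
def loaded_module_names(load_text):
    names = set()
    for m in re.finditer(r"^\s*LoadModule\s+(\S+)\s+(\S+)", load_text, re.M):
        names.add(m.group(1))
        names.add(re.sub(r"\.so$", ".c", os.path.basename(m.group(2))))
    return names

def effective_directives(config_text, loaded):
    """[(vhost, directive, args)] as Apache sees them once <IfModule X> and
    <IfModule !X> are evaluated. vhost is None at server scope, else
    (block_number, address). Include is not followed."""
    out, active, vhost, n = [], [True], None, 0
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"<IfModule\s+(!?)(\S+?)\s*>", line, re.I)
        if m:
            present = m.group(2) in loaded
            active.append(active[-1] and present != (m.group(1) == "!"))
            continue
        if re.match(r"</IfModule\s*>", line, re.I):
            active.pop()
            continue
        if not active[-1]:
            continue                      # Apache skips this block entirely
        m = re.match(r"<VirtualHost\s+(\S+?)\s*>", line, re.I)
        if m:
            n += 1
            vhost = (n, m.group(1))
            continue
        if re.match(r"</VirtualHost\s*>", line, re.I):
            vhost = None
            continue
        parts = line.split(None, 1)
        out.append((vhost, parts[0], parts[1] if len(parts) > 1 else ""))
    return out

def listen_ports(directives):
    """Ports actually bound: 'Listen 443', '1.2.3.4:443', '[::]:443 https'."""
    return {int(args.split()[0].rsplit(":", 1)[-1])
            for vh, name, args in directives if vh is None and name.lower() == "listen"}

def key_file_is_private(mode):
    """True when group/other have no permission bits (0600); a 0644 key fails."""
    return (mode & 0o077) == 0

def audit_ssl_vhosts(directives, mode_of=lambda p: os.stat(p).st_mode if os.path.exists(p) else None):
    """Findings per <VirtualHost ...:443>: SSLEngine on, a certificate, and a
    key file that exists and is not group/other readable."""
    findings, blocks = [], {}
    for vh, name, args in directives:
        if vh is not None:
            blocks.setdefault(vh, {})[name.lower()] = args
    for (_, addr), d in blocks.items():
        if addr.rsplit(":", 1)[-1] != "443":
            continue
        if d.get("sslengine", "").lower() != "on":
            findings.append(f"{addr}: port 443 without 'SSLEngine on'")
        if "sslcertificatefile" not in d:
            findings.append(f"{addr}: no SSLCertificateFile")
            continue
        key = d.get("sslcertificatekeyfile", d["sslcertificatefile"])
        mode = mode_of(key)
        if mode is None:
            findings.append(f"{addr}: key {key} not found")
        elif not key_file_is_private(mode):
            findings.append(f"{addr}: key {key} readable by group/other")
    return findings

# Constructed samples, not Andy's real files: the shape of Ubuntu's ports.conf,
# one mods-enabled/ssl.load line, and two port-443 vhosts, one of them broken.
PORTS_CONF = """Listen 80
<IfModule mod_ssl.c>
    Listen 443
</IfModule>
"""
SSL_LOAD = "LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so\n"
VHOSTS = """<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/crt/vhost1.crt
    SSLCertificateKeyFile /etc/apache2/ssl/key/vhost1.key
</VirtualHost>
<VirtualHost *:443>
    SSLCertificateFile /etc/apache2/ssl/crt/other.crt   # SSLEngine missing
</VirtualHost>
"""

if __name__ == "__main__":   # demonstration on the samples; 0o100644 is -rw-r--r--
    print(sorted(listen_ports(effective_directives(PORTS_CONF, set()))))
    print(sorted(listen_ports(effective_directives(PORTS_CONF, loaded_module_names(SSL_LOAD)))))
    print(audit_ssl_vhosts(effective_directives(VHOSTS, set()),
                           mode_of={"/etc/apache2/ssl/key/vhost1.key": 0o100644}.get))
```

To run it against a real tree, feed the contents of mods-enabled/*.load to loaded_module_names and ports.conf plus sites-enabled/* to effective_directives. The server's own answers to the same two questions are `apache2ctl -M` (loaded modules) and `apache2ctl -S` (virtual host and port summary); the script is for reasoning about a config before the restart, which is the moment `apache2ctl configtest` is also worth running.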

Re: [users@httpd] https

2014-04-03 Thread Yehuda Katz
On Fri, Apr 4, 2014 at 12:55 AM, Andy Canfield wrote:

>  There are several lines in places that read
> 
> There is no file on my hard disk named "mod_ssl.c". There is, however, a
> file named
> /usr/lib/apache2/modules/mod_ssl.so
> Is there some magic connection between "mod_ssl.c" and "mod_ssl.so"? Like
> was the ssl module written in C?
>

http://httpd.apache.org/docs/2.2/mod/core.html#ifmodule
:
The module argument can be either the module identifier or the file name of
the module, at the time it was compiled. For example, rewrite_module is the
identifier and mod_rewrite.c is the file name.


On 04/03/2014 09:46 PM, Yehuda Katz wrote:
>
> Debian/Ubuntu have a slightly different default layout and include some
> tools to help you work with it. The tools just create the symlinks for you,
> but the major benefit is that all of them support tab-completion, so you
> know what is available.
>
>  a2enmod / a2dismod: enable or disable apache modules
> a2ensite / a2dissite: enable or disable apache vhosts
>  a2enconf / a2disconf: enable or disable apache configuration files
> (added in Ubuntu 13.10)
>
>  The first thing to check is that you have loaded mod_ssl, either by
> running `a2enmod ssl` or looking at the modules-enabled directory.
> You are probably not listening on 443 since it is inside the 
> and the module is not loaded.
>
>
> Then as instructed by a2enmod I ran the command
>   service apache2 restart
> I normally use '/etc/init.d/apache2 restart' but I did it with 'service'
> this time.
>

They do the same thing in this case.
I usually run apache2ctl configtest before I restart to make sure that I
will not discover a problem when the server is in the process of restarting.


> After some editing for fixing up things like DocumentRoot (changed to my
> own) I got it to restart with no errors.
>
>
>  You should have Ubuntu's default SSL vhost in
> sites-available/default-ssl.conf and you can enable it using the tool (or
> manual symlink).
>
> There is no file extension on "/etc/apache2/sites-available/default-ssl",
> I assume that file is correct. It starts with these two lines:
> 
> 
>
> The above has they keyword "_default_" in the VirtualHost line. All of my
> existing http config files read like this:
> 
> There is no Virtual Host name in that line, so presumably they all share
> the same virtual host, yes? Do I need multiple virtual hosts for https, or
> will one virtual host be OK for all the sites?
>

An HTTPS vhost is exactly the same as an HTTP vhost except for the
certificate configuration.
If you want multiple vhosts with HTTPS though, you either need an IP
address for each or all of your users need to support SNI in their browsers
(any modern browser should).
This wiki page is a bit old, but still looks correct:
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Wonderful! I rebooted the computer just to make 100% sure of my restarting
> EVERYTHING, and then ran 'nmap localhost' and it finally showed me this
> line:
> 443/tcp  open  https
> Great! Now somebody is listening.
>
> I sent Firefox to "https://localhost/" and after a
> bunch of crabbing about the certificate I got to see the same site. So now
> I have to figure out how to make a certificate (FYI I am an anarchist).
>
> I went to one of my sites and followed a link and discovered that it
> switched back to "http://" because that is what is in the HTML. Gotta fix
> that.
>
>
>  You can enable any vhost for SSL by adding a few directives to it (it
> will stop listening on non-ssl):
> - Change the virtualhost port to 443
> - SSLEngine on
> - SSLCertificateFile  /etc/apache2/ssl/example.com.crt
> - (SSLCertificateKeyFile /etc/apache2/ssl/example.com.key if the key is
> not in the same file)
>
>  There are a few other default things in the default-ssl vhost to fix
> buggy browsers and provide more info to cgi-scripts.
>
> "buggy browsers" as in Internet Explorer, right? These are intra-company
> web sites, and we simply tell people not to use IE.
>
>
>  - Y
>
> Thank you very much Yehuda. I think I am launched and can follow on for a
> while by myself.
>
>
>
>
> On Thu, Apr 3, 2014 at 6:10 AM, Andy Canfield wrote:
>
>>
>> Files:
>>
>> -rw-r--r-- 1 root 859 Apr  3 11:45 /etc/apache2/ssl/crt/vhost1.crt
>>
>> -rw-r--r-- 1 root 916 Apr  3 11:45 /etc/apache2/ssl/key/vhost1.key
>>
>> So AFAIK I've got a certificate I've generated myself. Nobody vouches for
>> me but it should enable encryption and make my TCP/IP packets hard to read.
>>
>> Contents of /etc/apache2/ports.conf:
>> NameVirtualHost *:80
>> Listen 80
>>
>> 
>> Listen 443
>> 
>>  
>> Listen 443
>> 
>>
>> Files:
>>
>> -rw-r--r-- 1 andy 1439 Apr  3 14:48 /etc/apache2/sites-available/default
>> -rw-r--r-- 1 andy 7485 Jun 16  2011
>> /etc/apache2/sites-available/default-ssl
>> -rw-r--r-- 1 root 7469 Feb  7  2012
>> /etc/apache2/sites-available/default-ssl.original
>> -rw-r--r-- 1 root  950 Feb  7  2012
>> /etc/apache2/sites-availa