Re: [users@httpd] mod_md and DNS challenge

2021-03-11 Thread Clausen , Jörn

Hi!

The problem is, that the script "mod_md_worker.sh" does not seem to get executed at all 
(I have debug code in the script, and I checked using "strace"). I see no indication in 
any log, that httpd has trouble executing the file, it seems to ignore it completely.

I am using httpd 2.4.37 and mod_md 1.15.7.


1.15.7 looks more like a mod_http2 version. Could you check again which mod_md 
version you have?


Yes, indeed, that was the version for mod_http2. The mod_md package is 
"1:2.0.8-8.module+el8.3.0+6814+67d1e611" (from RHEL8 appstream).



In a "new enough" version, there will be a file `job.json` in the domain and/or 
staging folder where you can see details of the renewal attempts for that specific 
MDomain. Do you see anything there?


Yes, that file is populated. I see (in chronological order, and the two 
hostnames replaced by "foo" and "bar"):


"detail": "Checking staging area"
"detail": "Resetting staging area"
"detail": "Assessing current status"
"detail": "Contacting ACME server for foo at https://acme-v02.api.letsencrypt.org/directory"
"detail": "Resetting staging for foo"
"detail": "Driving ACME protocol for renewal of foo"
"detail": "Selecting account to use for foo"
"detail": "Creating new ACME account for foo"
"detail": "Creating new order"
"detail": "Starting challenges for domains"
"detail": "Setting up challenge 'dns-01' for domain foo"
"detail": "Setting up challenge 'dns-01' for domain bar"
"detail": "Monitoring challenge status for foo"
"detail": "Monitoring challenge status for foo: domain authorization for foo is valid"
"detail": "Monitoring challenge status for foo: domain authorization for bar failed with state 3"
"detail": "domain authorization for bar failed with state 3"
"detail": "Monitoring challenge status for foo"
"detail": "Checking staging area"
"detail": "Assessing current status"
"detail": "Contacting ACME server for foo at https://acme-v02.api.letsencrypt.org/directory"
"detail": "Driving ACME protocol for renewal of foo"
"detail": "Selecting account to use for foo"
"detail": "Loaded order from staging"
"detail": "Starting challenges for domains"
"detail": "Starting challenges for domains: unexpected AUTHZ state 3 for domain bar"
"detail": "unexpected AUTHZ state 3 for domain bar"
"detail": "Starting challenges for domains"
"detail": "Checking staging area"
"detail": "Assessing current status"
"detail": "Contacting ACME server for foo at https://acme-v02.api.letsencrypt.org/directory"
"detail": "Driving ACME protocol for renewal of foo"
"detail": "Selecting account to use for foo"
"detail": "Loaded order from staging"
"detail": "Starting challenges for domains"
"detail": "Starting challenges for domains: unexpected AUTHZ state 3 for domain bar"
"detail": "unexpected AUTHZ state 3 for domain bar"

I guess "Setting up challenge 'dns-01' for ..." is the part where the 
configured script should be executed.


I checked that user "apache" can access and run this script (using "sudo 
-u apache ...", this will create the expected debug output from the 
script), so I think I can rule out any permission problems.


--
Jörn Clausen
BITS - Bielefelder IT-Servicezentrum
https://www.uni-bielefeld.de/bits

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] mod_md and DNS challenge

2021-03-11 Thread Stefan Eissing



> On 11.03.2021 at 09:41, Clausen, Jörn wrote:
> 
>"detail": "Starting challenges for domains"
>"detail": "Setting up challenge 'dns-01' for domain foo"
>"detail": "Setting up challenge 'dns-01' for domain bar"
>"detail": "Monitoring challenge status for foo"
>"detail": "Monitoring challenge status for foo: domain authorization for foo is valid"
>"detail": "Monitoring challenge status for foo: domain authorization for bar failed with state 3"
>"detail": "domain authorization for bar failed with state 3"

This says that the dns-01 setup worked for domain 'foo', but Let's Encrypt 
could not verify the dns challenge for 'bar'. This tells me:
a) your script was run for domain 'foo' and did the right thing, LE saw the DNS 
entry and was satisfied.
b) your script, when called immediately afterwards 'foo' for 'bar', did not 
achieve the same

In mod_md, when executing the MDChallengeDns01 command, two things will be 
logged at level
- ERROR: when the script was unable to be executed, which will probably not be 
  resolved by retrying
- INFO: when the script returned != 0 and the setup failed, which is retried as 
  a failure might depend on external services that can be unavailable temporarily

That nothing was logged indicates to me that the script ran and returned exit 
code 0.

I would advise the following:
- configure 'LogLevel md:trace2' to see all the details the module does until 
you have analyzed it
- remove the "staging/foo+bar" folder with the failed attempt
- reload your server

mod_md will pick up that foo+bar needs renewal and you will see in the log when 
your script is called and what it returned.

Hope this helps,

Stefan
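
The diagnosis above, as an added example that is not part of the original thread and is not the poster's mod_md_worker.sh: a dns-01 hook for MDChallengeDns01 that records every invocation, keeps one TXT record per domain so 'foo' and 'bar' cannot overwrite each other, and returns non-zero until the record is visible. mod_md's documented calling convention is `setup <domain> <challenge-content>` and `teardown <domain>`; the log path, ZONE_DIR and the publish_txt/remove_txt/lookup_txt functions are assumptions standing in for a real DNS provider.

```shell
#!/bin/sh
# Added example: dns-01 hook for mod_md's MDChallengeDns01.
# mod_md calls:  <script> setup <domain> <challenge-content>
#                <script> teardown <domain>

: "${HOOK_LOG:=/tmp/md_dns01_hook.log}"   # assumption: writable by the httpd user
: "${ZONE_DIR:=/tmp/md_dns01_zone}"       # assumption: local stand-in for the DNS zone
: "${VISIBLE_TRIES:=5}"                   # how often to poll for the record
: "${VISIBLE_DELAY:=1}"                   # seconds between polls

# One line per event, so it is obvious whether httpd ran the hook and as which uid.
log() {
    printf '%s uid=%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -u)" "$*" >>"$HOOK_LOG"
}

# Accept only plain host names; the value ends up in a DNS update.
valid_domain() {
    case "$1" in
        ''|.*|*..*|-*|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The challenge content is expected to be base64url text.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Hypothetical provider calls: replace the bodies with your DNS API or nsupdate,
# and lookup_txt with a query against the zone's authoritative name server.
publish_txt() {   # $1 = record name, $2 = TXT value
    mkdir -p "$ZONE_DIR" && printf '%s\n' "$2" >"$ZONE_DIR/$1"
}
remove_txt() {    # $1 = record name
    rm -f "$ZONE_DIR/$1"
}
lookup_txt() {    # $1 = record name; prints the published value, if any
    cat "$ZONE_DIR/$1" 2>/dev/null
}

# Poll until the expected value is published, or give up.
wait_visible() {  # $1 = record name, $2 = expected value
    i=0
    while [ "$i" -lt "$VISIBLE_TRIES" ]; do
        [ "$(lookup_txt "$1")" = "$2" ] && return 0
        i=$((i + 1))
        sleep "$VISIBLE_DELAY"
    done
    return 1
}

# Returns 0 on success, 1 on a retryable failure, 2 on bad arguments.
# Per the reply above, a non-zero exit is logged by mod_md at INFO and retried.
hook_main() {
    action=${1:-} domain=${2:-} content=${3:-}
    log "called with $# argument(s)"
    valid_domain "$domain" || { log "rejected domain argument"; return 2; }
    record="_acme-challenge.$domain"
    case "$action" in
        setup)
            valid_token "$content" || { log "rejected challenge content for $record"; return 2; }
            publish_txt "$record" "$content" || { log "publish failed for $record"; return 1; }
            # Exiting 0 before the record is visible lets the CA validate too early.
            wait_visible "$record" "$content" || { log "$record not visible yet"; return 1; }
            ;;
        teardown)
            remove_txt "$record" || { log "remove failed for $record"; return 1; }
            ;;
        *)
            log "unknown action"
            return 2
            ;;
    esac
    log "ok: $action $record"
    return 0
}

# Act as a hook only when arguments are given (mod_md always passes them).
if [ "$#" -gt 0 ]; then
    hook_main "$@"
    exit $?
fi
```

With `MDChallengeDns01` pointing at the script, the hook log shows after a reload whether httpd invoked it for each domain and what it returned.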






Re: [users@httpd] What should be considered about the reverse proxy server? [EXT]

2021-03-11 Thread Jason Long
Hello,
Can anyone answer my questions?
1- What does "handle backend server down" mean?
2- Can I launch a Reverse Proxy without Apache Web Server?
3- In general, is an Apache Reverse Proxy Server just some lines to forward the 
requests?







On Wednesday, March 10, 2021, 09:47:03 AM GMT+3:30, Jason Long wrote:





Thank you so much.
Thus, the front-end and back-end servers are the same regarding security.
What does "handle backend server down" mean?






On Tuesday, March 9, 2021, 04:30:01 PM GMT+3:30, James Smith wrote:





Yes - you should harden the front-end as this is what is likely to be 
compromised by general attacking.

Run SSL, run a static server & proxy server,  set security headers, handle 
backend server down, handle http -> https redirects, handle basic auth (you can 
have a general rule for wordpress admin URLs as a 2FA)

Drop certain requests by:
* connection types if you don't want them trace/track/options etc, 
* IP address if you can't get to firewall settings,
* suspicious/malfunctioning useragents,
* particular paths that are general attack vectors, hide URLs that are likely 
to be tmp files (.files,.bak,.swp etc)




-Original Message-
From: Dino Ciuffetti  
Sent: 08 March 2021 22:33
To: users@httpd.apache.org
Subject: Re: [users@httpd] What should be considered about the reverse proxy 
server? [EXT]

> 
> ProxyPreserveHost On
> ProxyPass / http://Server-IP
> ProxyPassReverse / http://Server-IP
> 
> I have some questions:
> 
> 1- the real work of a proxy server is just that lines?


It's OK if you only have one backend HTTP worker without load balancing and no 
HTTPS.
If you need load balancing (advised!) and HTTPS on the reverse proxy (much 
advised!) you'll need to configure your reverse proxy virtualhosts with mod_ssl 
and mod_proxy_balancer. I also recommend you to enable some logging (error_log 
and access_log) on your virtualhost.


> 2- The real configuration of the web server must be done on 
> another server? Consider the figure below:
> 
> The Internet --> Reverse Proxy Server --> Apache Web Server
> 
> The SSL configuration and other Apache hardening and configuration 
> must be done on the Apache Web Server and not the Reverse Proxy Server?

Don't know what you mean by "the real configuration". You'll need to configure 
the apache reverse proxy node as a reverse proxy, and the backend HTTP worker 
as a backend HTTP worker.
Please remember that an apache httpd reverse proxy node works at Layer 7 
(Application -> HTTP/HTTPS) and not at Layer 4 (eg TCP). Your HTTP contents (eg 
wordpress, static pages, js, css, etc) must be implemented on your backend 
workers and the reverse proxy will publish those contents to your clients.

BTW HTTPS must be terminated on the reverse proxy. The security hardening must 
be enforced on both nodes. The reverse proxy is generally directly exposed to 
the outside, so it obviously needs more attention.





-- 
The Wellcome Sanger Institute is operated by Genome Research 
Limited, a charity registered in England with number 1021457 and a 
company registered in England with number 2742969, whose registered 
office is 215 Euston Road, London, NW1 2BE.





Re: [users@httpd] What should be considered about the reverse proxy server? [EXT]

2021-03-11 Thread Antony Stone
On Thursday 11 March 2021 at 13:20:32, Jason Long wrote:

> Hello,
> Can anyone answer to my questions?
>
> 1- What does "handle backend server down" mean?

You have to decide what the proxy is supposed to do if the back-end server 
which it would normally pass requests on to is unable to handle those 
requests.

> 2- Can I launch a Reverse Proxy without Apache Web Server?

Yes.  You install what most people would call the "Apache web server" but you 
configure it in such a way that it is a reverse proxy and not an origin server 
(technical term for something that provides its own content in response to 
requests).

> 3- In general, an Apache Reverse Proxy Server is just some lines to forward
> the requests?

Yes, that and a few modules which need to be loaded.  It's all in the 
configuration files.


Antony.

-- 
#define SIX 1+5
#define NINE 8+1

int main() {
printf("%d\n", SIX * NINE);
}
- thanks to ECB for bringing this to my attention

   Please reply to the list;
 please *don't* CC me.




RE: [users@httpd] What should be considered about the reverse proxy server? [EXT]

2021-03-11 Thread James Smith
1> If the server you are proxying to is unavailable - due to a server error or 
reconfiguration - the front end should display a custom error page - rather 
than display the error page generated by the backend server
2> There are other reverse proxies out there - there is the community version 
of the Pulse Secure vADC, and also nginx etc
3> Yes to do the proxying - but it is often easier to put a first level of 
security on the frontend (reduces risk/increases performance) especially if the 
backend server is a heavier dynamic server.
3> And another if you are proxying multiple backend servers then you can put 
the security settings on the frontend - no need to duplicate across all 
servers. You can also add/remove headers on the way in/out.




Re: [users@httpd] What should be considered about the reverse proxy server? [EXT]

2021-03-11 Thread Jason Long
Thank you for all the replies.
How do I handle a back-end server being down? Is it a kind of load balancing or CDN?







Re: [users@httpd] What should be considered about the reverse proxy server? [EXT]

2021-03-11 Thread Antony Stone
On Thursday 11 March 2021 at 15:35:17, Jason Long wrote:

> Thank you for all replies.
> How to handle back-end server down? Is it kind of load balancing or CDN?

No.

Whether you have one back-end server or a hundred, you have to allow for the 
fact that under certain circumstances the reverse proxy may not be able to 
contact any of them, and therefore has to return some response to the 
requesting client.


Antony.

-- 
I think broken pencils are pointless.

   Please reply to the list;
 please *don't* CC me.




Re: [users@httpd] What should be considered about the reverse proxy server? [EXT]

2021-03-11 Thread Jason Long
Thank you.
I have other questions:

1- When I have configured a Reverse Proxy and want to use "ModSecurity", do I 
just need to install ModSecurity on the Reverse Proxy server, or must I install 
ModSecurity on both the Front-End and Back-End servers?

2- With ATS (Apache Traffic Server), do I need to install Apache Web Server on 
the Front-End server?

3- Can anyone tell me what the main difference between a Forward Proxy and a 
Reverse Proxy is?









[users@httpd] Is NGINX faster than Apache?

2021-03-11 Thread Jason Long
Hello,
Is it true that NGINX is faster than Apache? 

https://www.hostingadvice.com/how-to/nginx-vs-apache/

In which environment must Apache be used?

Thank you.




RE: [users@httpd] What should be considered about the reverse proxy server? [EXT]

2021-03-11 Thread James Smith
A forward proxy is what you put between your web browser and the internet 
(often called a proxy by browsers; often this happens on corporate networks) - 
the reverse proxy is between the internet and the webserver

There are some issues with mod_security and e.g. wordpress sites - so you have 
to take care to tune it - we often just use a set of general rules to act as a 
first level of security



RE: [users@httpd] Is NGINX faster than Apache? [EXT]

2021-03-11 Thread James Smith
mod_event is comparable to NGINX I believe speed wise - but from experience 
Apache is more stable!


Re: [users@httpd] What should be considered about the reverse proxy server? [EXT]

2021-03-11 Thread Jason Long
Thank you.
How about questions number 2 and 3?









RE: [users@httpd] What should be considered about the reverse proxy server? [EXT]

2021-03-11 Thread James Smith
Never used ATS to be honest - just use the standard apache web server - looking 
at the ATS I don't think it is as easy to configure {and tbh - I place static 
sites/content on the frontend Apache for faster serving - so it's dual purpose}

The answer was to Q3...

Q1 - we tried mod_security - but out of the box it is too restrictive (it breaks 
wordpress admin) so we don't actually use it

-Original Message-
From: Jason Long  
Sent: 11 March 2021 18:47
To: users@httpd.apache.org
Subject: Re: [users@httpd] What should be considered about the reverse proxy 
server? [EXT]

Thank you.
How about questions number 2 and 3?






On Thursday, March 11, 2021, 09:46:03 PM GMT+3:30, James Smith 
 wrote: 





A forward proxy is what you put between your web browser and the internet 
(often called a proxy by browsers) often this happens on corporate networks) - 
the reverse proxy is between the internet and the webserver

There are some issues with mod_security and e.g. wordpress sites - so you have 
to take care to tune it - we often just use a set of general rules to act as a 
first level of security


-Original Message-
From: Jason Long 
Sent: 11 March 2021 17:28
To: users@httpd.apache.org
Subject: Re: [users@httpd] What should be considered about the reverse proxy 
server? [EXT]

Thank you.
I have other questions:

1- When I configured a Reverse Proxy and want to use "ModSecurity", then I just 
need to install the ModSecurity on Reverse Proxy server or I must install 
ModSecurity on both of the Front-End and Back-End servers?

2- With ATS (Apache Traffic Server), need I to install Apache Web Server on the 
Front-End server?

3- Can anyone tell me what is the main difference between the Forward Proxy and 
Reverse Proxy?







On Thursday, March 11, 2021, 07:14:29 PM GMT+3:30, Antony Stone 
 wrote: 





On Thursday 11 March 2021 at 15:35:17, Jason Long wrote:

> Thank you for all replies.
> How to handle back-end server down? Is it kind of load balancing or CDN?

No.

Whether you have one back-end server or a hundred, you have to allow for the 
fact that under certain circumstances the reverse proxy may not be able to 
contact any of them, and therefore has to return some response to the 
requesting client.


Antony.

--
I think broken pencils are pointless.

                                                  Please reply to the list;
                                                        please *don't* CC me.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org






--
The Wellcome Sanger Institute is operated by Genome Research Limited, a charity 
registered in England with number 1021457 and a company registered in England 
with number 2742969, whose registered office is 215 Euston Road, London, NW1 
2BE.


[users@httpd] Error in Apache Documentation

2021-03-11 Thread John
On the Apache documentation page: 

https://httpd.apache.org/docs/2.4/misc/security_tips.html

Under Denial of Service Attacks, the link:

http://modules.apache.org/

leads to a 404 Not Found result.  It probably requires updating.

Regards,

John






Re: [users@httpd] What should be considered about the reverse proxy server? [EXT]

2021-03-11 Thread Jason Long
Thank you.
Is ATS not more secure? 
Why does ModSecurity break many things? I installed it and some features of my web 
site stop working. For example, I can't upload large files or...

On Thursday, March 11, 2021, 10:25:59 PM GMT+3:30, James Smith wrote:

Never used ATS to be honest - just use the standard apache web server - looking 
at the ATS I don't think it is as easy to configure {and tbh - I place static 
sites/content on the frontend Apache for faster serving - so it's dual purpose}

The answer was to Q3...

Q1 - we tried mod_security - but out of the box it is too restrictive (it breaks 
WordPress admin) so we don't actually use it

-----Original Message-----
From: Jason Long  
Sent: 11 March 2021 18:47
To: users@httpd.apache.org
Subject: Re: [users@httpd] What should be considered about the reverse proxy 
server? [EXT]

Thank you.
How about questions number 2 and 3?






On Thursday, March 11, 2021, 09:46:03 PM GMT+3:30, James Smith wrote:

A forward proxy is what you put between your web browser and the internet 
(often called a proxy by browsers) (often this happens on corporate networks) - 
the reverse proxy is between the internet and the webserver

There are some issues with mod_security and e.g. WordPress sites - so you have 
to take care to tune it - we often just use a set of general rules to act as a 
first level of security


-----Original Message-----
From: Jason Long 
Sent: 11 March 2021 17:28
To: users@httpd.apache.org
Subject: Re: [users@httpd] What should be considered about the reverse proxy 
server? [EXT]

Thank you.
I have other questions:

1- When I configure a Reverse Proxy and want to use "ModSecurity", do I just 
need to install ModSecurity on the Reverse Proxy server, or must I install 
ModSecurity on both the Front-End and Back-End servers?

2- With ATS (Apache Traffic Server), do I need to install Apache Web Server on 
the Front-End server?

3- Can anyone tell me what the main difference is between a Forward Proxy and a 
Reverse Proxy?







On Thursday, March 11, 2021, 07:14:29 PM GMT+3:30, Antony Stone wrote:

On Thursday 11 March 2021 at 15:35:17, Jason Long wrote:

> Thank you for all replies.
> How to handle back-end server down? Is it kind of load balancing or CDN?

No.

Whether you have one back-end server or a hundred, you have to allow for the 
fact that under certain circumstances the reverse proxy may not be able to 
contact any of them, and therefore has to return some response to the 
requesting client.


Antony.

--
I think broken pencils are pointless.

                                                  Please reply to the list;
                                                        please *don't* CC me.





[users@httpd] Apache Reverse Proxy and Load Balancer.

2021-03-11 Thread Jason Long
Hello,
I configured my Apache Reverse Proxy as a Load Balancer to handle Back-End 
servers. When a Back-End server stops, another one provides service.
How can I do it with the Reverse Proxy server itself, so that when a Reverse 
Proxy stops, another Reverse Proxy provides service?

Thank you.




[users@httpd] Apache Tomcat and Load Balancing.

2021-03-11 Thread Jason Long
Hello,
Is Apache Tomcat needed to launch a Load Balancer?

Thank you.




Re: [users@httpd] Apache Tomcat and Load Balancing.

2021-03-11 Thread Eric Covener
On Thu, Mar 11, 2021 at 2:33 PM Jason Long  wrote:
>
> Hello,
> Is Apache Tomcat needed to launch a Load Balancer?

No, the question is preposterous. This mailing list shouldn't be your
first stop, but your last.  Do your homework.




Re: [users@httpd] Apache Tomcat and Load Balancing.

2021-03-11 Thread Jason Long
Sorry. I asked it because in a tutorial, the author talked about configuring 
Apache Tomcat on the Back-End servers first.






On Thursday, March 11, 2021, 11:06:18 PM GMT+3:30, Eric Covener wrote:

On Thu, Mar 11, 2021 at 2:33 PM Jason Long  wrote:
>
> Hello,
> Is Apache Tomcat needed to launch a Load Balancer?

No, the question is preposterous. This mailing list shouldn't be your
first stop, but your last.  Do your homework.





Re: [users@httpd] HTTPD Proxy Errors

2021-03-11 Thread Daniel Ferradal
Hello,

It may also help to know the entry from access.log, to know exactly
when it was timed out and to see the method of the request, (GET,
POST?).

On Tue, 5 Jan 2021 at 23:28, Herb Burnswell wrote:
>
> All,
>
> We are running HTTPD as a proxy to a backend Tomcat application.
>
> OS = RHEL 7.7
>
> HTTPD:
> Server version: Apache/2.4.34 (Red Hat)
> Server built:   Apr  3 2019 12:07:34
> Server's Module Magic Number: 20120211:79
> Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
> Compiled using: APR 1.4.8, APR-UTIL 1.5.2
> Architecture:   64-bit
> Server MPM: event
>   threaded: yes (fixed thread count)
> forked: yes (variable process count)
> Server compiled with
>  -D APR_HAS_SENDFILE
>  -D APR_HAS_MMAP
>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>  -D APR_USE_SYSVSEM_SERIALIZE
>  -D APR_USE_PTHREAD_SERIALIZE
>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>  -D APR_HAS_OTHER_CHILD
>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>  -D DYNAMIC_MODULE_LIMIT=256
>  -D HTTPD_ROOT="/opt/rh/httpd24/root/etc/httpd"
>  -D SUEXEC_BIN="/opt/rh/httpd24/root/usr/sbin/suexec"
>  -D DEFAULT_PIDLOG="/opt/rh/httpd24/root/var/run/httpd/httpd.pid"
>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>  -D DEFAULT_ERRORLOG="logs/error_log"
>  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
>  -D SERVER_CONFIG_FILE="conf/httpd.conf"
>
> Tomcat:
> Server version: Apache Tomcat/8.5.40
> Server built:   Apr 10 2019 14:31:19 UTC
> Server number:  8.5.40.0
> OS Name:Linux
> OS Version: 3.10.0-693.el7.x86_64
> Architecture:   amd64
> JVM Version:1.8.0_162-b12
> JVM Vendor: Oracle Corporation
>
> What we are seeing on the proxy side are 2 'proxy errors' (scrubbed):
>
> [Tue Jan 05 12:07:19.664861 2021] [proxy:error] [pid 74638:tid 
> 140600384845568] [client 10.10.100.10:64959] AH00898: Error reading from 
> remote server returned by /path/to/uri
>
> [Tue Jan 05 12:07:19.664745 2021] [proxy_http:error] [pid 74638:tid 
> 140600384845568] (70007)The timeout specified has expired: [client 
> 10.10.100.10:64959] AH01102: error reading status line from remote server 
> node1.example.com:8002
>
> The client listed in these (10.10.100.10) is actually an A10 that is handling 
> the VIP for the URL.
>
> The configurations we have set on the proxy are:
>
> 
>
> BalancerMember https://node1.example.com:8002 route=node1 
> keepalive=On ping=3 ttl=90 timeout=60
> BalancerMember https://node2.example.com:8002 route=node2 
> keepalive=On ping=3 ttl=90 timeout=60
> ProxySet lbmethod=bybusyness
>
> 
>
> On the Tomcat side we have:
>
> 
> keepAliveTimeout="9"
> connectionTimeout="6"
> 
>
> My understanding is that the "ttl" on the HTTPD side corresponds to the 
> "keepAliveTimeout" on the Tomcat side and the "timeout" on the HTTPD side 
> corresponds to the "connectionTimeout" on the Tomcat side.
>
> I am looking for some guidance into how we can successfully pinpoint where 
> the issue lies.  Is it the fact that the application is simply not responding 
> to the request in the allotted configured settings?  We can certainly test 
> that option but being a PRD environment we'll need to schedule the process.  
> Therefore, I'd like to get some thoughts on what we can do to pinpoint 
> exactly what is going on here.
>
> Thanks in advance,
>
> HB
>



-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode
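
Added example, not part of the original thread or of httpd itself: the correlation suggested in the reply above, joining the two quoted error_log entries to the access_log request that produced them. The access_log lines and their LogFormat (with `%D` appended) are constructed assumptions, as are the names `parse_incidents` and `correlate`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# error_log entries quoted in the thread (wrapped lines rejoined).
ERROR_LOG = """\
[Tue Jan 05 12:07:19.664861 2021] [proxy:error] [pid 74638:tid 140600384845568] [client 10.10.100.10:64959] AH00898: Error reading from remote server returned by /path/to/uri
[Tue Jan 05 12:07:19.664745 2021] [proxy_http:error] [pid 74638:tid 140600384845568] (70007)The timeout specified has expired: [client 10.10.100.10:64959] AH01102: error reading status line from remote server node1.example.com:8002
"""

# Constructed access_log lines; assumed LogFormat: %h %l %u %t "%r" %>s %b %D
# (%t = time the request was received, %D = time taken in microseconds).
ACCESS_LOG = """\
10.10.100.10 - - [05/Jan/2021:12:06:19 +0000] "POST /path/to/uri HTTP/1.1" 502 341 60004211
10.10.100.10 - - [05/Jan/2021:12:07:05 +0000] "GET /path/to/uri HTTP/1.1" 200 5120 83012
10.10.100.10 - - [05/Jan/2021:12:07:19 +0000] "GET /static/app.css HTTP/1.1" 200 912 1450
"""

PROXY_TIMEOUT = 60  # seconds; timeout=60 on the BalancerMember lines in the thread

ERR_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[\w+:\w+\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] .*?"
    r"\[client (?P<client>[^\]]+)\] (?P<code>AH\d+): (?P<msg>.*)")
ACC_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\] ]+) [^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<usec>\d+)')


def parse_incidents(text):
    """Merge error_log lines written by one thread for one client in one second."""
    groups = defaultdict(dict)
    for m in filter(None, map(ERR_RE.match, text.splitlines())):
        inc = groups[(m["pid"], m["tid"], m["client"], m["ts"][:19])]
        inc["client"] = m["client"].rsplit(":", 1)[0]   # drop the source port
        inc["when"] = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        if m["code"] == "AH01102":      # names the backend that did not answer
            inc["backend"] = m["msg"].rsplit(" ", 1)[-1]
        elif m["code"] == "AH00898":    # names the requested URI
            inc["uri"] = m["msg"].rsplit(" ", 1)[-1]
    return list(groups.values())


def correlate(error_text, access_text, slack=timedelta(seconds=2)):
    """Find the access_log request whose end time matches each proxy error."""
    requests = []
    for m in filter(None, map(ACC_RE.match, access_text.splitlines())):
        # The UTC offset is ignored: both logs are assumed to use the same zone.
        start = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
        requests.append((m, start + timedelta(microseconds=int(m["usec"]))))
    report = []
    for inc in parse_incidents(error_text):
        for m, end in requests:
            if (m["host"] == inc["client"] and m["uri"] == inc.get("uri")
                    and abs(end - inc["when"]) <= slack):
                secs = int(m["usec"]) / 1e6
                report.append({"method": m["method"], "uri": m["uri"],
                               "status": int(m["status"]), "seconds": secs,
                               "backend": inc.get("backend"),
                               "waited_full_timeout": secs >= PROXY_TIMEOUT})
    return report


if __name__ == "__main__":
    for row in correlate(ERROR_LOG, ACCESS_LOG):
        print(row)
```

A match whose duration reaches the BalancerMember `timeout` shows the proxy waited the full interval without receiving a status line from the named backend.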




Re: [users@httpd] Is NGINX faster than Apache?

2021-03-11 Thread Rich Bowen




On 3/11/21 12:33 PM, Jason Long wrote:
> Hello,
> Is it true that NGINX is faster than Apache?
>
> https://www.hostingadvice.com/how-to/nginx-vs-apache/
>
> In which environment must Apache be used?



No, it is not true.

However, it is also not false.

It depends on so many factors that it's disingenuous to answer your 
question either way. To simplify, it depends on what your content is, 
and how you've configured each server, but even that is too simplistic 
an answer.


The real answer, as we say on the #httpd IRC channel, is TIAS - Try It 
And See. Test them for your content and see which one is best.


It's also a good rule that any time you see an article that says X is 
faster/better/stronger than Y, you can rest assured that the person 
running it is an expert on X and not on Y, and that an expert on Y (and 
not X) could probably configure things such that the reverse was true.


Use the one you're more comfortable with, more experienced with. If you 
choose Apache httpd, we'll be here to help you configure it.


--
Rich Bowen - rbo...@rcbowen.com
@rbowen




Re: [users@httpd] Is NGINX faster than Apache?

2021-03-11 Thread Jim Weill
Speaking for myself, I've certainly gotten frustrated with the config
faster for nginx than apache.

jim


On Thu, Mar 11, 2021 at 9:34 AM Jason Long wrote:

> Hello,
> Is it true that NGINX is faster than Apache?
>
> https://www.hostingadvice.com/how-to/nginx-vs-apache/
>
> In which environment must Apache be used?
>
> Thank you.


Re: [users@httpd] Is NGINX faster than Apache?

2021-03-11 Thread Jason Long
Thank you.
When I'm here, then it means that I'm a fan of Apache and not NGINX.






On Thursday, March 11, 2021, 11:31:26 PM GMT+3:30, Jim Weill wrote:

Speaking for myself, I've certainly gotten frustrated with the config faster 
for nginx than apache.

jim


On Thu, Mar 11, 2021 at 9:34 AM Jason Long  wrote:
> Hello,
> Is it true that NGINX is faster than Apache? 
> 
> https://www.hostingadvice.com/how-to/nginx-vs-apache/
> 
> In which environment must Apache be used?
> 
> Thank you.



Re: [users@httpd] Is NGINX faster than Apache?

2021-03-11 Thread Rose, John B
We did some testing of Apache and nGinx head to head for something a few years 
ago.

We also did a bit of testing of Apache, nGinx, haproxy and lighttpd a couple 
years ago for something else, and ended up picking Apache after whittling it 
down to Apache and HAProxy.

Apache was as fast as nGinx once we configured it properly. In both instances.



From: Rich Bowen
Sent: Thursday, March 11, 2021 2:57 PM
To: users@httpd.apache.org; Jason Long
Subject: Re: [users@httpd] Is NGINX faster than Apache?



On 3/11/21 12:33 PM, Jason Long wrote:
> Hello,
> Is it true that NGINX is faster than Apache?
>
> https://www.hostingadvice.com/how-to/nginx-vs-apache/
>
> In which environment must Apache be used?


No, it is not true.

However, it is also not false.

It depends on so many factors that it's disingenuous to answer your
question either way. To simplify, it depends on what your content is,
and how you've configured each server, but even that is too simplistic
an answer.

The real answer, as we say on the #httpd IRC channel, is TIAS - Try It
And See. Test them for your content and see which one is best.

It's also a good rule that any time you see an article that says X is
faster/better/stronger than Y, you can rest assured that the person
running it is an expert on X and not on Y, and that an expert on Y (and
not X) could probably configure things such that the reverse was true.

Use the one you're more comfortable with, more experienced with. If you
choose Apache httpd, we'll be here to help you configure it.

--
Rich Bowen - rbo...@rcbowen.com
@rbowen




RE: [users@httpd] Is NGINX faster than Apache? [EXT]

2021-03-11 Thread James Smith
This is what we saw as well - simple things like disabling .htaccess files can 
make a huge difference in performance (I haven't set up a server with .htaccess 
files enabled for the best part of 20 years now because of the performance hit)

From: Rose, John B 
Sent: 11 March 2021 21:02
To: users@httpd.apache.org; Jason Long 
Subject: Re: [users@httpd] Is NGINX faster than Apache? [EXT]

We did some testing of Apache and nGinx head to head for something a few years 
ago.

We also did a bit of testing of Apache, nGinx, haproxy and lighttpd a couple 
years ago for something else, and ended up picking Apache after whittling it 
down to Apache and HAProxy.

Apache was as fast as nGinx once we configured it properly. In both instances.



From: Rich Bowen <rbo...@rcbowen.com>
Sent: Thursday, March 11, 2021 2:57 PM
To: users@httpd.apache.org; Jason Long <hack3r...@yahoo.com.INVALID>
Subject: Re: [users@httpd] Is NGINX faster than Apache?



On 3/11/21 12:33 PM, Jason Long wrote:
> Hello,
> Is it true that NGINX is faster than Apache?
>
> https://www.hostingadvice.com/how-to/nginx-vs-apache/
>
> In which environment must Apache be used?


No, it is not true.

However, it is also not false.

It depends on so many factors that it's disingenuous to answer your
question either way. To simplify, it depends on what your content is,
and how you've configured each server, but even that is too simplistic
an answer.

The real answer, as we say on the #httpd IRC channel, is TIAS - Try It
And See. Test them for your content and see which one is best.

It's also a good rule that any time you see an article that says X is
faster/better/stronger than Y, you can rest assured that the person
running it is an expert on X and not on Y, and that an expert on Y (and
not X) could probably configure things such that the reverse was true.

Use the one you're more comfortable with, more experienced with. If you
choose Apache httpd, we'll be here to help you configure it.

--
Rich Bowen - rbo...@rcbowen.com
@rbowen




[users@httpd] The number of child processes is less than MinSpareThreads.

2021-03-11 Thread motoda.hiron...@fujitsu.com
In the following environment where multiple Listen directives are defined, the 
number of child processes may temporarily fall below MinSpareThreads after 6 
requests are received at the same time and HTTP request processing is completed.
Is this a bug or a specification?

OS : Red Hat Enterprise Linux Server
MPM: worker

httpd.conf:

Listen 80
Listen 8080

ServerLimit 50
StartServers 5
MinSpareThreads  5
MaxSpareThreads 10
ThreadsPerChild  1
MaxRequestWorkers   50
MaxConnectionsPerChild   0


compile settings:

# /opt/apache24/bin/httpd -V
Server version: Apache/2.4.46 (Unix)
Server built:   Jan 15 2021 15:05:18
Server's Module Magic Number: 20120211:93
Server loaded:  APR 1.7.0, APR-UTIL 1.6.1
Compiled using: APR 1.7.0, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM: worker
  threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_PROC_PTHREAD_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/opt/apache24"
 -D SUEXEC_BIN="/opt/apache24/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"






Re: [users@httpd] The number of child processes is less than MinSpareThreads.

2021-03-11 Thread Eric Covener
On Thu, Mar 11, 2021 at 9:29 PM motoda.hiron...@fujitsu.com wrote:
>
> In the following environment where multiple Listen directives are defined, 
> the number of child processes may temporarily fall below MinSpareThreads 
> after 6 requests are received at the same time and HTTP request processing is 
> completed.
> Is this a bug or a specification?
>
> OS : Red Hat Enterprise Linux Server
> MPM: worker
>
> httpd.conf:
> 
> Listen 80
> Listen 8080
>
> ServerLimit 50
> StartServers 5
> MinSpareThreads  5
> MaxSpareThreads 10
> ThreadsPerChild  1
> MaxRequestWorkers   50
> MaxConnectionsPerChild   0
> 

This is working as designed, the server checks only once per second to
see if processes need to be started or killed based on the current
idle threads.
