"Notable" does bring much more information for me. I even had a look at
the code, and it's as simple as that: if you're browsing the status page
with ?notable, then if the request is in "reading" state, you will get the
client IP, vhost and URL. If not, you'll just have "reading". Is it
related to 2.2? (I'm running 2.0)

My opinion is, if you don't get more information then the information
doesn't exist. If the information doesn't exist, then you're probably
having an attack.
The status page example you provide points me to this direction too
because all slots are in the same state, with no exception.

Now, how to prevent such an attack... I don't know. I see you're using a
recent version of Apache. At some point I did make an upgrade (from
2.0.49 to 2.0.57) because there was a fix related to such attacks. Is
2.2.4 at the same level of patches as 2.0.57?

Olivier

Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology
 

> -----Original Message-----
> From: Reif Peter [mailto:[EMAIL PROTECTED] 
> Sent: 28 March 2007 16:01
> To: users@httpd.apache.org
> Subject: Re: [EMAIL PROTECTED] ..reading.. in mod_status
> 
> Chirouze Olivier wrote:
> > 
> > Thanks to Georgi Chorbadzhiyski [EMAIL PROTECTED] for pointing 
> > me to this
> > amazing "feature" of Apache.
> > Try the status page with the undocumented "?notable" at the end.
> > (http://myserver/status?notable)
> > 
> Thanks, interesting output, but it doesn't bring any new information.
> 
> > Also, have a look at the long thread I once started on this 
> > list called
> > Apache 2.0.58 + Solaris 5.9: status "...reading..." & TCP state
> > "FIN_WAIT_2"
> > I had some interesting answers...
> > 
> Yes, I read it.
> 
> > In my opinion the "reading" state is normal if you're using proxy or
> > reverse proxy. It might be malicious if you're running a simple HTTP
> > server...
> > 
> Well, the server setup is not so simple. It does reverse 
> proxying, but
> with mod_perl and not with mod_proxy. The problem is, that the server
> hangs sometimes under heavy load. The output of server-status is
> something like:
> 
> ---------%<---------------
> 
> Apache Server Status for ...
> 
> Server Version: Apache/2.2.4 (Unix) ... mod_ssl/2.2.4 OpenSSL/0.9.7a
> mod_perl/2.0.3 Perl/v5.8.8
> Server Built: Feb 21 2007 16:33:33
> 
> Current Time: Tuesday, 27-Mar-2007 11:47:42 CEST
> Restart Time: Tuesday, 27-Mar-2007 10:33:37 CEST
> Parent Server Generation: 2
> Server uptime: 1 hour 14 minutes 5 seconds
> Total accesses: 150545 - Total Traffic: 617.6 MB
> CPU Usage: u412.8 s1302.01 cu7.12 cs0 - 38.7% CPU load
> 33.9 requests/sec - 142.3 kB/second - 4301 B/request
> 300 requests currently being processed, 0 idle workers
> 
> RKRRRRRRRRRRRRRRRRRRRRRKRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
> RRRRRRRRRWRRRRKRRRRRRRRRRRRRRRRKRRRRRKRRRRRRRRRRRRRRRRRRRRKRRRRR
> RRRRRRRRRRRRRKRRRRRRRRRRRRRRRRRRKRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
> RRRRRRRRRKRRRRRRRRRRRRRRRRRRRRRRWRRRRRRRRRRRRRRRRRRRRRRRRRRRRKRR
> RRRRRRRRWRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
> 
> Scoreboard Key:
> "_" Waiting for Connection, "S" Starting up, "R" Reading Request,
> "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
> "C" Closing connection, "L" Logging, "G" Gracefully finishing,
> "I" Idle cleanup of worker, "." Open slot with no current process
> 
> Srv   PID     Acc             M       CPU     SS      Req     Conn    Child Slot    Client  Vhost   Request
> 0-2   29017   0/131/863       R       2.35    1635    3       0.0     0.48  3.29    ?       ?       ..reading..
> 2-2   29270   0/195/1287      R       10.99   275     33      0.0     0.79  7.84    ?       ?       ..reading..
> 3-2   30118   0/42/1433       R       13.24   208     3       0.0     0.22  5.98    ?       ?       ..reading..
> 4-2   30366   0/37/1073       R       4.70    1073    3       0.0     0.14  3.88    ?       ?       ..reading..
> 5-2   30370   0/43/1371       R       0.99    1436    88      0.0     0.33  5.89    ?       ?       ..reading..
> 6-2   28866   0/81/1192       R       2.04    1296    5       0.0     0.31  4.05    ?       ?       ..reading..
> 7-2   28635   0/218/1247      R       3.72    1634    34      0.0     0.72  4.34    ?       ?       ..reading..
> 8-2   29598   0/89/1226       R       5.47    322     5       0.0     0.12  3.97    ?       ?       ..reading..
> 9-2   28444   0/250/1108      R       15.90   83      65      0.0     1.00  4.70    ?       ?       ..reading..
> 10-2  29018   0/224/1370      R       8.00    399     85      0.0     0.71  5.21    ?       ?       ..reading..
> 11-2  28662   0/145/1118      R       6.99    1329    106     0.0     0.63  3.99    ?       ?       ..reading..
> 12-2  28446   0/205/1087      R       12.13   822     4574    0.0     0.81  3.15    ?       ?       ..reading..
> 13-2  30412   0/39/1169       R       8.95    149     2       0.0     0.13  6.21    ?       ?       ..reading..
> 14-2  28448   0/225/1133      R       4.19    1595    14      0.0     0.74  5.49    ?       ?       ..reading..
> 15-2  29562   0/121/1164      R       5.83    987     23      0.0     0.27  4.52    ?       ?       ..reading..
> 16-2  27598   0/336/1267      R       11.07   612     40      0.0     0.92  3.78    ?       ?       ..reading..
> 17-2  29019   0/178/1571      R       10.80   661     28      0.0     0.57  7.05    ?       ?       ..reading..
> 18-2  28715   0/151/1063      R       11.23   246     29      0.0     0.75  3.75    ?       ?       ..reading..
> 19-2  30513   0/8/1122        R       12.78   132     2       0.0     0.03  3.61    ?       ?       ..reading..
> 20-2  30174   0/72/1120       R       5.22    687     4       0.0     0.30  6.12    ?       ?       ..reading..
> 21-2  28885   0/165/956       R       7.63    1547    5       0.0     0.87  5.02    ?       ?       ..reading..
> 22-2  28452   0/282/1160      R       17.86   614     3       0.0     1.05  3.75    ?       ?       ..reading..
> 
> [lines deleted]
> 
> Srv   Child Server number - generation
> PID   OS process ID
> Acc   Number of accesses this connection / this child / this slot
> M     Mode of operation
> CPU   CPU usage, number of seconds
> SS    Seconds since beginning of most recent request
> Req   Milliseconds required to process most recent request
> Conn  Kilobytes transferred this connection
> Child Megabytes transferred this child
> Slot  Total megabytes transferred this slot
> 
> ---------%<---------------
> 
> As you see, the values of SS are very big, that usually appears on an
> idle child.
> I wonder if the server is reading from a new connection or waiting for
> the previous connection to finish.
> The server is reading data, but from whom? And why does this not time
> out. I changed the value of the Apache Timeout directive from 
> 300 to 30,
> but it didn't help. Why is the connection not closed after 
> some timeout?
> Is this an Apache bug? mod_status says, that some slots 
> didn't serve any
> requests since over 1000 seconds, as can be seen in the column "SS".
> 
> I have the same configuration with Apache 1.3, and there it 
> works. I had
> to rewrite the mod_perl code because of the incompatibility with
> mod_perl 2.
> 
> Peter
> 
> > > -----Original Message-----
> > > From: Reif Peter [mailto:[EMAIL PROTECTED] 
> > > Sent: 27 March 2007 15:36
> > > To: users@httpd.apache.org
> > > Subject: [EMAIL PROTECTED] ..reading.. in mod_status
> > > 
> > > My server hangs sometimes. When I call the server-status in 
> > > mod_status,
> > > all my children are in status "R", "..reading..". To trace my 
> > > problem I
> > > have to know what this exactly means.
> > > 
> > > What means "..reading.."?
> > > 
> > > In which state of the Apache life cycle does this appear?
> > > 
> > > Does it correspond with entries in the output of "netstat" ?
> > > 
> > > My environment:
> > > Apache 2.2.4 with mod_perl 2.0.3
> > > RedHat Enterprise 3
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: [EMAIL PROTECTED]
>    "   from the digest: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
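
A defender-side check for the condition discussed in this thread, added here as an example (it is not part of the original mails or of Apache): it parses a mod_status text dump, reports whether every worker is tied up in "R", and lists the workers whose SS exceeds the Timeout value. The scoreboard in the sample is constructed, the three worker rows reuse values from the quoted output, and the function names and the 0.9 ratio are assumptions.

```python
import re
from collections import Counter

STATES = set("_SRWKDCLGI.")  # scoreboard key characters from mod_status

# Constructed scoreboard (48 slots) followed by three worker rows taken from
# the status output quoted above, each joined onto a single line.
SAMPLE = (
    "RK" + "R" * 14 + "W" + "R" * 15 + "\n" + "R" * 8 + "K" + "R" * 7 + "\n\n"
    "Srv PID Acc M CPU SS Req Conn Child Slot Client Vhost Request\n"
    "0-2 29017 0/131/863 R 2.35 1635 3 0.0 0.48 3.29 ? ? ..reading..\n"
    "9-2 28444 0/250/1108 R 15.90 83 65 0.0 1.00 4.70 ? ? ..reading..\n"
    "13-2 30412 0/39/1169 R 8.95 149 2 0.0 0.13 6.21 ? ? ..reading..\n"
)

def parse_status(text):
    """Return (Counter of scoreboard states, list of worker-row dicts)."""
    states, rows = Counter(), []
    for line in text.splitlines():
        line = line.strip().lstrip(">").strip()  # tolerate mail quoting
        if line and set(line) <= STATES:         # a scoreboard line
            states.update(line)
            continue
        f = line.split()
        if len(f) >= 13 and re.fullmatch(r"\d+-\d+", f[0]) and f[5].isdigit():
            rows.append({"srv": f[0], "pid": f[1], "mode": f[3],
                         "ss": int(f[5]), "client": f[10]})
    return states, rows

def assess(text, timeout=30, busy_ratio=0.9):
    """Summarise worker saturation; busy_ratio is an assumed threshold."""
    states, rows = parse_status(text)
    slots = sum(n for s, n in states.items() if s != ".")  # "." is an open slot
    idle, reading = states["_"], states["R"]
    # Workers still in "R" although SS is already past the Timeout value.
    stuck = [r for r in rows if r["mode"] == "R" and r["ss"] > timeout]
    return {"slots": slots, "idle": idle, "reading": reading,
            "saturated": slots > 0 and idle == 0
                         and reading / slots >= busy_ratio,
            "stuck": stuck}

if __name__ == "__main__":
    report = assess(SAMPLE, timeout=30)
    print("saturated:", report["saturated"],
          "reading:", report["reading"], "of", report["slots"])
    for r in report["stuck"]:
        print("  slot", r["srv"], "pid", r["pid"], "SS", r["ss"],
              "client", r["client"])
```

Run against periodic dumps of the status page, the `saturated` flag together with a non-empty `stuck` list marks the moments worth correlating with netstat output.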
