httpd-users mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: [users@httpd] FreebSD jailed Apache 2.4 rewrite/proxy module errors
Date Wed, 13 Aug 2014 18:30:14 GMT
On Wed, Aug 13, 2014 at 8:05 AM, Goran Tepshic <purpleritza@gmail.com>
wrote:

> Hmm, interesting tip Jedd.
>
> I now tried changing mutex (*commented by default*) to *sem* and those
> error logs stopped.
> Now, reading this page
> http://httpd.apache.org/docs/current/mod/core.html#mutex I see that there
> are a couple of mutexes available (*I still don't know what that is and why
> do I need one*) and a couple of them seem to remedy this issue.
> Not sure which one I should choose, which is stable and most performant.
>
> I'm by no means an expert, just a unix fan trying to set up a simple,
> secure VPS.
> Could you please shed some light on choosing the best solution?
>

Safe:

Follow the "strength in numbers" path.  Use flock since that is the default
for FreeBSD and presumably most httpd configurations there are still using
it.  But as you noticed originally the default path is not in a place where
the child has permission to write to it, so see about that.  (The path
should default to ServerRoot / logs / )  dtruss/truss/whatever should be
able to show what path can't be accessed in the jail.


Fastest:

Unless you want to benchmark your environment, I wouldn't worry about it.
Some that may be theoretically faster have caveats listed in the
documentation.

Posixsem (which you might get with "sem") is the one that most recently was
found to have code bugs exposed in some httpd configurations (fixed in
future releases of apr).



>
> Also, HUGE thanks for your help!
>
>
> On Wed, Aug 13, 2014 at 1:10 PM, Jeff Trawick <trawick@gmail.com> wrote:
>
>> On Wed, Aug 13, 2014 at 6:40 AM, Goran Tepshic <purpleritza@gmail.com>
>> wrote:
>>
>>> Just set up a FreeBSD jail to run httpd in it and all works good except
>>> these two, rewrite/proxy modules.
>>>
>>> *These are error logs excerpts:*
>>>
>>>
>>> *mod_rewrite* error:
>>>
>>> [rewrite:crit] [pid 43447] (13)Permission denied: AH00666: mod_rewrite:
>>> could not init rewrite_mapr_lock_acquire in child
>>>
>>> *mod_proxy* error:
>>>
>>> [proxy:crit] [pid 43447] (13)Permission denied: AH02479: could not init
>>> proxy_mutex in child
>>>
>>>
>>> Not sure permissions of *what* are being denied as html in document
>>> root is being served just fine when these modules are disabled.
>>>
>>> I tried googling but found nothing but rubbish.
>>>
>>>
>>> Please help, this thing is making me crazy.
>>>
>> httpd/APR on FreeBSD uses a file-based mutex ("flock") by default.  It
>> looks like the mutex files are placed in a location where the httpd child
>> processes don't have permission.
>>
>> You should be able to use 2.4's Mutex directive (
>> http://httpd.apache.org/docs/current/mod/core.html#mutex) to resolve the
>> issue.
>>
>> Perhaps the necessary magic is
>>
>> Mutex file:/some/path/ default
>>
>> where /some/path is writable by httpd parent and child.  I don't *think*
>> this is some jail-specific issue, other than that child-writable paths in
>> the jail may be different/more limited due to the way it is set up.
>>
>>
>> --
>> Born in Roswell... married an alien...
>> http://emptyhammock.com/
>>
>>
>


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
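
The following is an added example, not part of the original message or of httpd: a POSIX shell check for the condition discussed in this thread, namely that the directory named in a `Mutex file:/some/path/ default` directive must be reachable and writable by the httpd child user. The function name `check_mutex_dir` and the probe file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check that a candidate Mutex directory can be reached and
# written by the account running this script. Run it inside the jail as the
# httpd child user; run as root, the permission tests pass trivially.
# check_mutex_dir is a hypothetical helper name, not part of httpd.
check_mutex_dir() {
    dir=$1
    case $dir in
        /*) ;;
        *) echo "FAIL: '$dir' is not an absolute path"; return 2 ;;
    esac
    # Split the path on "/" so each parent directory is tested in turn.
    old_ifs=$IFS; IFS=/
    set -f; set -- $dir; set +f
    IFS=$old_ifs
    cur=
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ ! -d "$cur" ]; then
            echo "FAIL: $cur is missing or not a directory"; return 1
        fi
        # Without search (x) permission the child cannot open anything below.
        if [ ! -x "$cur" ]; then
            echo "FAIL: $cur is not searchable by $(id -un)"; return 1
        fi
    done
    # Create and remove a probe file, as a lock file would be created.
    probe="$dir/.mutex-probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
    else
        echo "FAIL: $dir is not writable by $(id -un)"; return 1
    fi
    echo "OK: $dir is usable, e.g. Mutex file:$dir default"
}

# Check the directory given on the command line, if any.
[ $# -eq 0 ] || check_mutex_dir "$1"
```

The first FAIL line names the path component that blocks access, which is the same information the message suggests pulling from truss or dtruss output.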
