On Wed, Aug 13, 2014 at 8:05 AM, Goran Tepshic <purpleritza@gmail.com> wrote:
Hmm, interesting tip Jedd.

I now tried changing mutex (commented by default) to sem and those error logs stopped.
Now, reading this page http://httpd.apache.org/docs/current/mod/core.html#mutex I see that there are a couple of mutexes available (I still don't know what that is and why I need one) and a couple of them seem to remedy this issue.
Not sure which one I should choose, which is stable and most performant.

I'm by no means an expert, just a unix fan trying to set up a simple, secure VPS.
Could you please shed some light on choosing the best solution?

Safe:

Follow the "strength in numbers" path.  Use flock since that is the default for FreeBSD and presumably most httpd configurations there are still using it.  But as you noticed originally the default path is not in a place where the child has permission to write to it, so see about that.  (The path should default to ServerRoot / logs / )  dtruss/truss/whatever should be able to show what path can't be accessed in the jail.


Fastest:

Unless you want to benchmark your environment, I wouldn't worry about it.  Some that may be theoretically faster have caveats listed in the documentation.

Posixsem (which you might get with "sem") is the one that most recently was found to have code bugs exposed in some httpd configurations (fixed in future releases of apr).




Also, HUGE thanks for your help!


On Wed, Aug 13, 2014 at 1:10 PM, Jeff Trawick <trawick@gmail.com> wrote:
On Wed, Aug 13, 2014 at 6:40 AM, Goran Tepshic <purpleritza@gmail.com> wrote:

Just set up a FreeBSD jail to run httpd in it and all works good except these two, rewrite/proxy modules.

These are error logs excerpts:


mod_rewrite error:

[rewrite:crit] [pid 43447] (13)Permission denied: AH00666: mod_rewrite: could not init rewrite_mapr_lock_acquire in child

mod_proxy error:

[proxy:crit] [pid 43447] (13)Permission denied: AH02479: could not init proxy_mutex in child


Not sure permissions of what are being denied as html in document root is being served just fine when these modules are disabled.

I tried googling but found nothing but rubbish.


Please help, this thing is making me crazy.

httpd/APR on FreeBSD uses a file-based mutex ("flock") by default.  It looks like the mutex files are placed in a location where the httpd child processes don't have permission.

You should be able to use 2.4's Mutex directive (http://httpd.apache.org/docs/current/mod/core.html#mutex) to resolve the issue.

Perhaps the necessary magic is

Mutex file:/some/path/ default

where /some/path is writable by httpd parent and child.  I don't *think* this is some jail-specific issue, other than that child-writable paths in the jail may be different/more limited due to the way it is set up.


--
Born in Roswell... married an alien...
http://emptyhammock.com/





--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
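
Added example, not part of the original thread: a small POSIX shell check for the advice above that the Mutex path must be writable by the httpd child. It reads the file-based Mutex directives from a config file and probes each directory by creating a file there; the function names are hypothetical, and it assumes you run it as the httpd child user inside the jail.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Run as the httpd child user so the probe reflects what the child can do.

# Print the directory named by each file-based Mutex directive in a config.
# Commented-out directives are skipped because their first field is not "Mutex".
mutex_dirs() {
    awk 'tolower($1) == "mutex" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(file|flock|fcntl):\//) { sub(/^[a-z]+:/, "", $i); print $i }
    }' "$1"
}

# Report whether the current user can create a lock file in directory $1.
check_mutex_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }
    # Mode bits alone can mislead (ACLs, read-only mounts), so really create a file.
    probe="$dir/.mutex-probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        echo "OK $dir"
        return 0
    fi
    echo "DENIED $dir"
    return 1
}

# Check every Mutex directory in config $1 (paths with spaces are not handled).
# Returns 0 if all are usable, 1 if any is not, 2 if no path-based Mutex is set.
check_conf() {
    dirs=$(mutex_dirs "$1")
    [ -n "$dirs" ] || { echo "no file-based Mutex directive in $1"; return 2; }
    rc=0
    for d in $dirs; do
        check_mutex_dir "$d" || rc=1
    done
    return $rc
}

# Stand-alone use: sh check_mutex.sh /path/to/httpd.conf
if [ $# -gt 0 ]; then
    check_conf "$1"
fi
```

A result of 2 means the config relies on the compiled-in default location, which is the case the thread started from.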