Admin Guide for HP-UX Apache-based Web Server
TABLE OF CONTENTS
Important Changes
- Increasing the Number of Available File Descriptors
- HP-UX Apache-based Web Server Restructuring
- Apache API Changes from Previous Releases
- Changed behavior of Scriptsock directive for mod_cgid
- Added mod_jk2 support
- mod_jk moved from Tomcat Product to Apache Product
Setup
- Prerequisites
- Installation
- Starting and Stopping HP-UX Apache-based Web Server
Configuration
- Configuration Files
- Admin Guides
- Moving the Root Directory
- Automatic Restart of Apache
- Enabling more file descriptors
- Configuring mod_jk and mod_jk2
- Running Multiple instances of Apache
- Running 11.00 depot on 11.11
Troubleshooting
Known Bugs
Tuning
- Using Directives
- Using Modules
- Configuring HP-UX Environment
- Other Configuration
Legal Notices
IMPORTANT CHANGES
This feature release of HP-UX Apache-based Web Server contains support for
Microsoft(R) FrontPage Server Extensions, more PHP extensions, different
cryptography libraries used for SSL transactions and version upgrades.
Increasing the Number of Available File Descriptors
HP-UX Apache-based Web Server version A.2.0.48.00 and later are compiled with
_USE_BIG_FDS to raise the maximum allowed number of simultaneous open files,
or maximum number of file descriptors, from 2048 to 60000 per process
(depending on the system configuration). This value is specified by the
constant MAXFUPLIM (and the equivalents _MAXFUPLIM and FD_SETSIZE). Enabling
this feature requires changes to the HP-UX environment, as described in
Enabling more file descriptors.
HP-UX Apache-based Web Server Restructuring
Starting with the HP-UX Web Server Suite, HP-UX Apache-based Web
Server, HP-UX Webmin-based Admin, and HP-UX Tomcat-based Servlet Engine are
separate installable components and now reside under their own directory
structure. Each component has its own root directory under /opt/hpws.
The new directories are:
/opt/hpws/apache/
/opt/hpws/tomcat/
/opt/hpws/webmin/
/opt/hpws/xmltools/
/opt/hpws/apache/ includes the Apache binary (httpd) as well as HP add-on
features such as mod_auth_ldap, mod_perl, mod_php, etc.
This structure reflects HP-UX Web Server Suite's flexibility for
installing and running Apache, Webmin, Tomcat and XML Tools either separately
or in combination.
Documentation common to all products (Migration Guides, FAQ) is delivered
with the HP-UX Webmin-based Admin product. To access these documents, it
must be installed. Uninstalling HP-UX Webmin-based Admin may lead to
inaccessibility of HP-UX Web Server Suite documentation by other components
of the suite that may still be installed. For more information on resolving
this condition, please refer to /opt/hpws/apache/hpws_docs/.hp_docs/README
IMPORTANT NOTE:
HP-UX Apache-based Web Server will no longer start automatically after
installation; you will have to start it manually.
Apache API Changes from Previous Releases
The following has changed between this release and earlier releases of
Apache 2.x.
- Changes between Apache 2.0.49 and Apache 2.0.50
This version of Apache is principally a bug fix release. Of particular note is
that 2.0.50 addresses two security vulnerabilities:
A remotely triggered memory leak in HTTP header parsing can allow a denial of service
attack due to excessive memory consumption.
Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a (trusted) client
certificate subject DN which exceeds 6K in length.
- Changes between Apache 2.0.48 and Apache 2.0.49
This version of Apache is principally a bug fix release. Of particular note is
that 2.0.49 addresses three security vulnerabilities:
Apache does not filter terminal escape sequences from error logs,
which could make it easier for attackers to insert those sequences into
terminal emulators.
Starvation issue on listening sockets occurs when a short-lived connection
on a rarely-accessed listening socket will cause a child to hold the accept
mutex and block out new connections.
Memory leak in mod_ssl allows a remote denial of service attack against a
SSL-enabled server by sending plain HTTP requests to the SSL port.
- Changes between Apache 2.0.47 and Apache 2.0.48
This version of Apache is principally a bug fix release. Of particular note is
that 2.0.48 addresses two security vulnerabilities:
mod_cgid mishandling of CGI redirect paths could result in CGI output going to
the wrong client when a threaded MPM is used.
A buffer overflow could occur in mod_alias and mod_rewrite when a regular
expression with more than 9 captures is configured.
This release is compatible with modules compiled for 2.0.42 and later versions.
- Changes between Apache 2.0.43 and Apache 2.0.45/2.0.46
This release is binary-compatible with Apache 2.0.42 and greater. All the
modules compiled with Apache 2.0.42 or greater will continue to work with
this version.
- Changes between Apache 2.0.39 and Apache 2.0.43
This release is binary-compatible only with 2.0.42, and no other previous
releases. All modules must be recompiled in order to work with this version.
For example, a module compiled to work with 2.0.39 will not work with 2.0.43.
The definitions of the following functions have changed to include an
additional parameter, ap_init_filter_func:
ap_register_input_filter ( ... )
ap_register_output_filter ( ... )
More information can be found in /opt/hpws/apache/include/util_filter.h.
- Changes between Apache 2.0.32 and Apache 2.0.39
Apart from the following API changes, 2.0.32-based modules may have to
be recompiled for 2.0.39, due to redefinition of some data structures.
If a module is based on the 2.0.32 or earlier API, it may be affected by
name changes for apr_lock-related functions. Make sure to verify that the
module is using the correct name and rebuild if needed. The following table
lists the name changes for the apr_lock-related functions. More information
can be found in /opt/hpws/apache/include/apr_thread_mutex.h.
v.2.0.32 (or earlier):        corresponding function in v.2.0.39:
--------------------------    ------------------------------------
apr_lock_create ( ... );      apr_thread_mutex_create ( ... );
apr_lock_acquire ( ... );     apr_thread_mutex_lock ( ... );
apr_lock_release ( ... );     apr_thread_mutex_unlock ( ... );
apr_lock_destroy ( ... );     apr_thread_mutex_destroy ( ... );
Changed behavior of Scriptsock directive for mod_cgid
The behavior of 'Scriptsock' directive has been changed to fix multiple bugs
in mod_cgid, including:
- httpd hangs if 'read' is used in the CGI script
- the POST operation to a CGI script fails to complete
Old Behavior: The httpd daemon opens an AF_UNIX socket (based on the value
given by the Scriptsock directive) to connect to the CGI daemon.
New Behavior:
Option 1: Use an AF_INET socket by specifying a port number in the Scriptsock directive.
The httpd daemon opens an AF_INET socket to the CGI daemon.
The CGI daemon will listen on the localhost (127.0.0.1), using the port
specified by the Scriptsock directive. By default, the CGI daemon will listen
on default port 127.0.0.1:5080.
NOTE: HP has found that binding to the localhost address (127.0.0.1) provides
the same level of security as offered by the AF_UNIX socket.
Option 2: Continue to use the old behavior. This will not have the fix for the above problems.
If the Scriptsock directive is not specified, by default, the httpd daemon opens an AF_INET socket
to the CGI daemon. The CGI daemon will listen on default port 127.0.0.1:5080.
Examples of using the Scriptsock directive:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Scriptsock 8000
The CGID will listen on 127.0.0.1:8000.
2. Scriptsock logs/cgisock
The httpd daemon opens an AF_UNIX socket (based on the value given by the Scriptsock directive)
to connect to the CGI daemon.
3. Scriptsock 8000logs/cgisock
The CGID will listen on 127.0.0.1:8000; the string logs/cgisock is discarded.
4. No Scriptsock is defined in httpd.conf
The CGI daemon will listen on the default port: 127.0.0.1:5080.
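The four cases above can be checked against an existing httpd.conf before a restart. The shell function below is an added example, not part of the HP guide or of mod_cgid; it assumes that a value beginning with digits is read as a port and the remainder is discarded (as cases 1 and 3 show), and the sample files it runs on are constructed.

```shell
#!/bin/sh
# Added example (not HP's code): report which endpoint mod_cgid will use for
# a given httpd.conf, following the four Scriptsock cases listed above.
# Assumption: when Scriptsock appears more than once, the last uncommented
# occurrence is the one reported.

cgid_endpoint() {
    conf=$1
    # Directive names are case-insensitive; commented lines do not match
    # because their first field is "#" or "#Scriptsock".
    value=$(awk 'tolower($1) == "scriptsock" { v = $2; gsub(/"/, "", v) }
                 END { print v }' "$conf")
    case $value in
        "")
            # Case 4: directive absent, default loopback port.
            echo "AF_INET 127.0.0.1:5080 (default, no Scriptsock)" ;;
        [0-9]*)
            # Cases 1 and 3: leading digits are the port.
            port=$(printf '%s' "$value" | sed 's/^\([0-9]*\).*/\1/')
            rest=${value#"$port"}
            if [ -n "$rest" ]; then
                echo "AF_INET 127.0.0.1:$port (discarded: $rest)"
            else
                echo "AF_INET 127.0.0.1:$port"
            fi ;;
        *)
            # Case 2: a path selects the old AF_UNIX behavior.
            echo "AF_UNIX $value (old behavior, without the mod_cgid fixes)" ;;
    esac
}

# Constructed sample configurations, one per case in the list above.
demo_dir=${TMPDIR:-/tmp}/cgid_demo.$$
mkdir -p "$demo_dir"
printf 'Scriptsock 8000\n'             > "$demo_dir/case1.conf"
printf 'Scriptsock logs/cgisock\n'     > "$demo_dir/case2.conf"
printf 'Scriptsock 8000logs/cgisock\n' > "$demo_dir/case3.conf"
printf '#Scriptsock logs/cgisock\n'    > "$demo_dir/case4.conf"
for f in "$demo_dir"/case*.conf; do
    printf '%s: %s\n' "${f##*/}" "$(cgid_endpoint "$f")"
done
rm -rf "$demo_dir"
```

On a real system, pass /opt/hpws/apache/conf/httpd.conf as the argument; a "discarded" result usually means a port and a path were concatenated by mistake.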
Added mod_jk2 support
For more information on mod_jk2 please visit:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/jk2/jk2/confighowto.html
mod_jk moved from Tomcat Product to Apache Product
mod_jk is moved to /opt/hpws/apache/modules.
If HP-UX Tomcat-based Servlet Engine is used with HP-UX Apache-based Web
Server via the mod_jk connector, then the ld version on the system needs
to be at least B.11.37. The patch numbers corresponding to B.11.37
are:
PHSS_28869 for HP-UX 11.00 or
PHSS_28871 for HP-UX 11i (11.11)
You may need different patches, if the above-mentioned patches have been
superseded.
SETUP
Prerequisites
1. See individual Admin Guides for each component to determine patch
requirements.
LDAP Admin Guide
PHP Admin Guide
SSL Admin Guide
suEXEC Admin Guide
Frontpage Admin Guide
Webproxy Admin Guide
HP-UX Apache-based Web Server binaries are dependent on the B.11.37 or later
versions of ld and libdld. To determine the version on your machine,
- Type 'ld -V'
- Type 'what /usr/lib/libdld.sl'
- Install either
PHSS_28869 for HP-UX 11.00 or
PHSS_28871 for HP-UX 11i (11.11)
or later to solve this problem.
To download, go to the IT Resource Center for Americas and Asia Pacific
(http://us-support.external.hp.com/) or Europe (http://europe-support.external.hp.com/).
Under Maintenance/Support click on "Individual Patches".
Scroll down to "retrieve a specific patch by entering the patch name"
and enter the patch number in the input field.
Note that on any given system, the versions of ld and libdld should be the same.
mod_deflate requires zlib 1.1.4 library, which is available from the
HP-UX Porting Archive Center (http://hpux.cs.utah.edu) which provides
this library in source form and also HP-UX binaries.
2. Building Apache modules in C and C++ requires gcc (version 3.0 or later).
To download, go to the "Developer & Solution Partner Portal" at
http://www.hp.com/go/dspp and search for gcc. Alternatively,
http://h21007.www2.hp.com/dspp/tech/tech_TechSoftwareDetailPage_IDX/1,1703,547,00.html
C++ plug-in modules should be built with the Classic C++ runtimes libraries,
-lCsup, -lstd, and -lstream. Classic C++ runtime libraries are the default
on PA so plug-ins can be compiled using the default or by explicitly
selecting the Classic C++ runtime libraries with the -AP compile option:
Using the default,
g++ -shared -o mod_hello.so -I/opt/hpws/apache/include -Wno-deprecated \
-fPIC mod_hello.cpp
To specify the -AP option,
g++ -shared -AP -o mod_hello.so -I/opt/hpws/apache/include -Wno-deprecated \
-fPIC mod_hello.cpp
For more information about C++ libraries, please see http://www.hp.com/go/C++.
To specify the -AA option,
aCC -b +DD64 -AA -mt +z -I/opt/hpws/apache/include -o mod_hello.so \
mod_hello.cpp
3. Building DSOs using /opt/hpws/apache/bin/apxs depends on Perl. The
expected location for Perl is /opt/perl/bin/perl. Either download and
install Perl, or change the path in the apxs script to the Perl location
installed on your machine.
Download and install Perl 5.8.7 for HP-UX 11.0 and 11i (PA-RISC)
from HP Software Depot:
http://software.hp.com/
Search for: Perl 5.8.7
4. HP-UX Apache-based Web Server binary is perl-enabled. That is, mod_perl is
built as a DSO module and is distributed as part of the HP-UX Apache-based
Web Server release bundle.
However, mod_perl has not been enabled in the default installation.
Follow these steps to configure and enable mod_perl:
a. Download and install Perl 5.8.7 for HP-UX 11.0/11i (PA-RISC)
from HP Software Depot:
http://software.hp.com/
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL
Search for: Perl 5.8.7
b. Edit /opt/hpws/apache/conf/httpd.conf and uncomment the line
(i.e. remove the beginning '#' character).
LoadModule perl_module modules/mod_perl.so
To have mod_perl handle all scripts ending in *.pl, make sure that
the section enclosed in <IfModule mod_perl.c> ...
is uncommented.
This step will make HP-UX Apache-based Web Server perl-ready.
c. Restart the HP-UX Apache-based Web Server
/opt/hpws/apache/bin/apachectl stop
/opt/hpws/apache/bin/apachectl start
Installation
Information on installing all products of HP-UX Web Server Suite can be found in
Getting Started
The user configurable files of HP-UX Apache-based Web Server will be saved
as per the standard HP-UX newconfig methodology. More information can be
found in the newconfig section of Getting Started.
Starting and Stopping HP-UX Apache-based Web Server
Note: In the default installation you must be root to start/stop
the HP-UX Apache-based Web Server.
Apache
To start the HP-UX Apache-based Web Server:
$ /opt/hpws/apache/bin/apachectl start
To stop the HP-UX Apache-based Web Server:
$ /opt/hpws/apache/bin/apachectl stop
To start the HP-UX Apache-based Web Server with SSL capability:
$ /opt/hpws/apache/bin/apachectl startssl
IF YOU HAVE ADDED A NEW SERVER KEY (CERTIFICATE) WHICH
HAS A PEM ENCODED PASS PHRASE, YOU WILL BE PROMPTED TO
ENTER IT HERE
To stop the HP-UX Apache-based Web Server with SSL capability:
$ /opt/hpws/apache/bin/apachectl stop
For server startup with PHP, suexec and ldap authentication, see the
corresponding Admin guides located in /opt/hpws/hp_docs/apache/.
For server startup with WebDAV, when your server is running, see the FAQ
located at http://yourserver.com/hp_docs/faq/, or use Webmin and access
http://yourserver.com:10000/hp_docs/faq/.
CONFIGURATION
Configuration Files
The HP-UX Apache-based Web Server 2.x has additional configuration files
beyond the /opt/hpws/apache/conf/httpd.conf file. These configuration files
are specific to a major component and are found in the following locations
by default:
Apache: /opt/hpws/apache/conf/httpd.conf
Apache (SSL): /opt/hpws/apache/conf/ssl.conf
Apache (caching): /opt/hpws/apache/conf/cache.conf
PHP: /opt/hpws/apache/conf/php.ini
auth_ldap: /opt/hpws/apache/conf/ldap.conf
mod_auth_ldap/mod_ldap (caching): /opt/hpws/apache/conf/ldap.conf
mod_jk: /opt/hpws/apache/conf/mod_jk.conf
/opt/hpws/apache/conf/workers.properties
mod_jk2: /opt/hpws/apache/conf/mod_jk2.conf
/opt/hpws/apache/conf/workers2.properties
Admin Guides
Refer to the following documents included with the software located
in the /opt/hpws/hp_docs/ directory. If HP-UX Apache-based Web Server
has been started with the default configuration, these documents
can be viewed at http://yourserver.com/hp_docs. These are also viewable
via Webmin at http://yourserver.com:10000/hp_docs/.
Apache Admin Guide
LDAP Admin Guide
PHP Admin Guide
SSL Admin Guide
suEXEC Admin Guide
Frontpage Admin Guide
Webproxy Admin Guide
Moving the Root Directory
The altroot.sh script has been provided to easily move the entire /opt/hpws/
directory, including HP-UX Apache-based Web Server, HP-UX Tomcat-based
Servlet Engine, HP-UX Webmin-based Admin and HP-UX XML Web Server Tools.
The script is located in the /opt/hpws/util/ directory. Detailed information
is located in the General Utilities User Guide.
Automatic Restart of Apache
If you would like to automatically restart HP-UX Apache-based Web Server at
boot-up time, you will have to modify the component's configuration
file:
/etc/rc.config.d/hpws_apacheconf for HP-UX Apache-based Web Server
If you do not set the HPWS_APACHE_START or HPWS_APACHE_START_SSL to 1,
then you will need to manually start HP-UX Apache-based Web Server when the
system comes online after a system reboot. These values are set to '0'
(no reboot) by default.
NOTE:
(1) If you intend to start HP-UX Apache-based Web Server in SSL-mode,
ensure that the Certificate key file is not encrypted with a password.
In the case that the key file requires a password, the system bootup
will hang.
(2) With their default configurations, the startup of HP Apache-based Web
Server 1.3 has higher precedence over HP-UX Apache-based Web Server A.2.x
at reboot time. Therefore, if both 1.3 and A.2.x are configured to use
the same port number and set to be restarted at boot time, only 1.3
would come up. Therefore, it is recommended that the user set the
config files (/etc/rc.config.d/apacheconf for 1.3 and
/etc/rc.config.d/hpws_apacheconf for A.2.x) to start either HP
Apache-based Web Server 1.3 or HP-UX Apache-based Web Server A.2.x.
Starting both HP Apache-based Web Server 1.3 and HP-UX Apache-based
Web Server A.2.x at reboot time is currently not supported.
- To automatically start HP-UX Apache-based Web Server at boot-up time.
Set the HPWS_APACHE_START variable to 1. If you do not desire this
feature, set the HPWS_APACHE_START variable to 0. The line below
shows how to turn it on.
HPWS_APACHE_START=1
The startup scripts have a direct dependency on the HPWS_APACHE_HOME
variable, and expect HP-UX Apache-based Web Server to be located in the
<HPWS_APACHE_HOME> directory.
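The boot-hang condition in NOTE (1) can be checked before the next reboot. The function below is an added example, not part of the HP guide; it assumes the key file is named by mod_ssl's SSLCertificateKeyFile directive in ssl.conf, takes the file locations as arguments, and runs on constructed sample files that contain PEM header lines only.

```shell
#!/bin/sh
# Added example (not HP's code): detect "SSL start at boot" combined with a
# pass-phrase-protected server key, which NOTE (1) says hangs system bootup.
# Exit status: 0 = safe, 1 = boot would block on a pass phrase, 2 = cannot tell.

ssl_boot_check() {
    rc_conf=$1      # e.g. /etc/rc.config.d/hpws_apacheconf
    ssl_conf=$2     # e.g. /opt/hpws/apache/conf/ssl.conf
    server_root=$3  # used to resolve a relative key path

    # Last uncommented assignment wins, as it would when the file is sourced.
    start_ssl=$(sed -n 's/^[[:space:]]*HPWS_APACHE_START_SSL=\([0-9]*\).*/\1/p' \
                "$rc_conf" | tail -n 1)
    if [ "$start_ssl" != "1" ]; then
        echo "OK: HPWS_APACHE_START_SSL is not 1, no SSL start at boot"
        return 0
    fi

    key=$(awk 'tolower($1) == "sslcertificatekeyfile" { gsub(/"/, "", $2); k = $2 }
               END { print k }' "$ssl_conf")
    if [ -z "$key" ]; then
        echo "UNKNOWN: no SSLCertificateKeyFile found in $ssl_conf"
        return 2
    fi
    case $key in
        /*) ;;                          # absolute path, use as given
        *)  key=$server_root/$key ;;    # relative to the server root
    esac
    if [ ! -r "$key" ]; then
        echo "UNKNOWN: cannot read $key"
        return 2
    fi

    # Traditional PEM keys mark encryption with a Proc-Type header; PKCS#8
    # keys use a dedicated BEGIN line.
    if grep -E -q '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$key"; then
        echo "HANG: $key needs a pass phrase; boot-time SSL start will block"
        return 1
    fi
    echo "OK: $key has no pass phrase"
    return 0
}

# Constructed sample files (headers only, no key material).
demo=${TMPDIR:-/tmp}/sslboot_demo.$$
mkdir -p "$demo/conf/ssl.key"
printf 'HPWS_APACHE_START=0\nHPWS_APACHE_START_SSL=1\n' > "$demo/hpws_apacheconf"
printf 'SSLCertificateKeyFile conf/ssl.key/server.key\n' > "$demo/ssl.conf"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    > "$demo/conf/ssl.key/server.key"
ssl_boot_check "$demo/hpws_apacheconf" "$demo/ssl.conf" "$demo" \
    || echo "(exit status $?)"
rm -rf "$demo"
```

If the key has to stay unencrypted for unattended boot, restrict the key file to root-only read access, since the pass phrase no longer protects it at rest.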
Enabling more file descriptors
HP-UX Apache-based Web Server is now compiled with _USE_BIG_FDS to raise the
maximum allowed number of simultaneous open files, or maximum number of file
descriptors, from 2048 to 60000 (depending on the system configuration) per
process. This value is specified by the constant MAXFUPLIM (and the equivalents
_MAXFUPLIM and FD_SETSIZE). To enable this feature requires the following
changes:
To enable HP-UX Apache-based Web Server to handle a large number of file
descriptors, you need to change the system-wide RLIMIT_NOFILE defaults by
modifying the kernel tunables maxfiles and maxfiles_lim; see the SAM online
kernel configuration help for more information.
You might also need to reconfigure the machine with a larger value for the
kernel tunable nfile. This tunable specifies the per-machine (as opposed to
per-process) maximum number of simultaneous open files and the default value
is much less than 60000. See the SAM online kernel configuration help for more
information.
Configuring mod_jk and mod_jk2
To use HP-UX Apache-based Web Server with HP-UX Tomcat-based Servlet Engine
Modify /opt/hpws/apache/conf/httpd.conf:
In this file enable mod_jk or mod_jk2 connector by uncommenting one of the following lines:
Include /opt/hpws/apache/conf/mod_jk.conf -OR-
Include /opt/hpws/apache/conf/mod_jk2.conf
Modify /opt/hpws/apache/conf/mod_jk.conf (if necessary):
You can add here additional mount points if you want HP-UX Apache-based
Web Server to forward requests to HP-UX Tomcat-based Servlet Engine.
Add lines similar to the following:
JkMount /mywebapp ajp13
JkMount /mywebapp/* ajp13
In the case of /opt/hpws/apache/conf/mod_jk2.conf:
<Location "/mywebapp/*">
JkUriSet worker ajp13:localhost:8009
</Location>
Start HP-UX Tomcat-based Servlet Engine
$ cd /opt/hpws/tomcat
$ bin/startup.sh
Start HP-UX Apache-based Web Server
$ /opt/hpws/apache/bin/apachectl start
To enable logging in mod_jk
If we suspect problems in communication between the web server and HP-UX
Tomcat-based Servlet Engine we can turn on logging inside mod_jk. To do that edit
/opt/hpws/apache/conf/mod_jk.conf file and set
JkLogFile /opt/hpws/apache/logs/jk.log
JkLogLevel debug
Available logging levels are: debug, info, error, emerg.
To enable logging in mod_jk2
There is no special directive to enable error logging in mod_jk2 specifically;
the mod_jk2 error log is integrated into the Apache web server's error log.
Running Multiple instances of Apache
1) Install Apache and Webmin on your machine. It is mandatory to install Webmin.
Webmin contains the file, altroot.sh, that is used to change the Apache install directory.
Note: If Apache and Webmin are already installed, ensure that they are not running.
2) Enter the following command at the HP-UX prompt:
# /opt/hpws/util/altroot.sh --apache /opt/hpws/apache <New_location_for_Apache>
E.g.: # /opt/hpws/util/altroot.sh --apache /opt/hpws/apache /usr/local/hpws/apache
The /opt/hpws/apache directory will be moved to the specified location after this.
For more information about Altroot, visit:
http://servername.com/hp_docs/utilities.user.guide
3) Open the <New_location_for_Apache>/conf/httpd.conf file. Change the Listen directive
option to a value other than the default 80, so that Apache can listen on a different port.
Note: If you are installing a lower version of Apache, you must remove the current
installation of Apache using the swremove command. Removing the current installation will
not delete any files from the altrooted Apache installation. However, it will only
remove the IPD entries from the previous installation.
4) Install another instance of Apache.
The default location of the installation files is /opt/hpws.
5) To run this newly installed Apache in a location other than the default location,
repeat steps 1-3.
Running 11.00 depot on 11.11
Patch PHSS_33263 needs to be installed to run an 11.00 depot on an 11.11 system.
TROUBLESHOOTING
Please refer to a component's admin guide for log file locations and other
troubleshooting tips. Check the individual log files for failures in the
components.
For information about HP-UX Apache-based Web Server failures, look in the log
files under /opt/hpws/apache/logs/
Note: The access_log is disabled by default. To enable it, make sure
that the following line is uncommented:
CustomLog logs/access_log common
By default the access_log is enabled for ssl connections in
ssl.conf.
- Starting HP-UX Apache-based Web Server with mod_jk complains of:
"/usr/lib/dld.sl: Unresolved symbol : dlsym (code) from mod_jk.so"
-------------------------------------------------
The version of ld is old and needs to be upgraded.
Verify the version of ld:
% ld -V
% what /usr/lib/libdld.sl
SOLUTION:
Upgrade to at least B.11.32 using patch:
PHSS_28869 for HP-UX 11.00 or
PHSS_28871 for HP-UX 11i (11.11)
or later to solve this problem.
To download, go to the IT Resource Center for Americas and Asia Pacific
(http://us-support.external.hp.com/) or Europe
(http://europe-support.external.hp.com/).
Under Maintenance/Support click on "Individual Patches".
Scroll down to "retrieve a specific patch by entering the patch name"
and enter the patch number in the input field.
Note that on any given system, the versions of ld and libdld should
be the same.
- 'apachectl start' OR 'apachectl stop' hangs on your system
----------------------------------------------------------------
One possible reason is that HP-UX needs a linker patch.
- PHSS_26559 for HP-UX 11.0.
- PHSS_26560 for HP-UX 11i.
SOLUTION:
Check for the patch on your system, and install it if you don't have it.
- When logging at debug level, /opt/hpws/apache/logs/error_log says:
"End of file found: read_request_line() failed"
----------------------------------------------------------------
This is a harmless error. Either ignore it or increase your LogLevel
setting. More details can be found at:
http://www.apache.org/dist/httpd/Announcement2.html
- /opt/hpws/apache/logs/error_log says : "Apache.pm" failed to load.
----------------------------------------------------------------
This is usually due to Perl binaries not being in the PATH,
or the PERL5LIB environment not being set correctly.
SOLUTION: Verify that Perl 5.8.7 is installed in /opt/perl/bin
and that /opt/perl/bin/perl and /opt/perl/lib/5.8.7 exist. Also
verify that /opt/perl/bin is in the PATH. If it isn't, make
sure to add it. After installing Perl, use the following command
to specify where the mod_perl libraries are:
export PERL5LIB=/opt/hpws/apache/lib/perl/lib/site_perl/5.8.7/PA-RISC1.1-thread-multi
The PERL5LIB environment variable is preset by apachectl (the
shell that runs the Apache executable). If you experience
problems, manually set this environment variable as shown above.
To test whether you have the correct Perl 5.8.7 on your system,
run the command:
/opt/perl/bin/perl -v | grep -i ActiveState
This version of Perl has been engineered by ActiveState for
HP-UX 11.0/11i environment. It can be downloaded from:
http://software.hp.com/
Search for: Perl 5.8.7
- New modules don't execute.
----------------------------------------------------------------
When adding new modules make sure that permissions are set to
-rwxr-xr-x. Match owner and group to existing modules.
KNOWN BUGS
Make sure to review other admin guides for known bugs.
- SSL Session Caching errors
----------------------------------------------------------------
Sometimes you may notice the following errors in the Apache error_log file:
[error] scach2_lookup_session_id internal error
[error] 'shmcb' code was unable to store a session in the cache.
This does not affect the functionality (the connections will not be dropped).
It may affect the performance of the server, but the impact is insignificant.
- /opt/hpws/apache/bin/apachectl restart does not work
----------------------------------------------------------------
When all or most of the modules are enabled, the restart may not
successfully restart Apache. To resolve this problem, please explicitly
stop and then start Apache.
- /opt/hpws/apache/bin/apachectl stop does not work
----------------------------------------------------------------
Sometimes after HP-UX Apache-based Web Server has been subject to a heavy
load (especially when SSL is enabled), the apachectl stop may not kill all
of the httpd processes. To resolve this problem, please kill the processes
using the following "kill -9" command:
% kill -9 `ps -ef |grep httpd |grep -v grep |awk '{print $2}'`
- Apache Bench (ab) with SSL does not work
----------------------------------------------------------------
In this release, ab with SSL capability is still experimental. The SSL
feature is enabled only for debugging purposes, and cannot be used for
stress/load testing. Not all command line options of ab are supported
when used with SSL.
- Apache restart does not work with Multiple Listen directives
----------------------------------------------------------------
Restarting Apache with multiple Listen directives results in increased
CPU usage. This is because Apache 2.0 does not have any way to remove
listeners on a restart. Therefore, for multiple Listen directives, you
must stop and start the server instead of a restart.
TUNING
This tuning information is based on
http://httpd.apache.org/docs-2.0/misc/perf-tuning.html#runtime,
other documents and in-house testing.
These notes provide tips on configuring your HP-UX Apache-based Web Server
through intelligent use of directives and modules, as well as tuning your
HP-UX environment.
Using Directives
1) Hostname Lookups
http://httpd.apache.org/docs-2.0/mod/core.html#hostnamelookups
If HostNameLookups is not turned off, each client request will result in
at least one lookup request to the name server.
Example:
HostNameLookups off ##Turning off DNS lookups
2) Logging
- Avoid using debug, info and notice level.
- Do a minimal amount of logging.
Disable referer_log and agent_log, if you don't need to keep track of
client information.
3) FollowSymLinks and SymLinksIfOwnerMatch
When you do NOT have an "Options FollowSymLinks" in your URL-space, or you
do have an "Options SymLinksIfOwnerMatch," HP-UX Apache-based Web Server
will issue extra system calls to check up on symlinks. One extra call per
filename component will be made. For example, if you had:
DocumentRoot /www/htdocs
<Directory />
Options SymLinksIfOwnerMatch
</Directory>
If a request is made for the URI /index.html, HP-UX Apache-based Web Server
will perform lstat(2) on /www, /www/htdocs, and /www/htdocs/index.html.
The results of these lstats are never cached, so they will occur on every
single request. If you really desire the symlinks security checking try
the following instead:
DocumentRoot /www/htdocs
<Directory />
Options FollowSymLinks
</Directory>
<Directory /www/htdocs>
Options -FollowSymLinks +SymLinksIfOwnerMatch
</Directory>
This at least avoids the extra checks for the DocumentRoot path. Note that
you'll need to add similar sections if you have any Alias or RewriteRule
paths outside of your document root. For highest performance, and no
symlink protection, set FollowSymLinks everywhere, and never set
SymLinksIfOwnerMatch.
4) AllowOverride
Wherever in your URL-space you allow overrides (typically .htaccess files)
HP-UX Apache-based Web Server will attempt to open .htaccess for each
filename component. For highest performance use "AllowOverride None"
everywhere in your filesystem.
5) Negotiation
Use a complete list of options for DirectoryIndex, listing the most common
choice first.
Example:
DirectoryIndex index.cgi index.pl index.shtml index.html
6) Tuning NumServers, StartThreads, MinSpareThreads, MaxSpareThreads,
MaxThreadsPerChild, MaxRequestsPerChild
HP-UX Apache-based Web Server tries to maintain a pool of spare or idle server threads,
which stand ready to serve incoming requests. In this way, clients do not need to
wait for new threads or processes to be created before their requests
can be served. HP-UX Apache-based Web Server assesses the total number of idle threads
in all processes, and forks or kills processes to keep this number within the
boundaries specified by MinSpareThreads and MaxSpareThreads. Since this
process is very self-regulating, it is rarely necessary to modify these
directives from their default values. The maximum number of clients that
may be served simultaneously is determined by multiplying the maximum
number of server processes that will be created (MaxClients) by the
number of threads created in each process (ThreadsPerChild).
Using Modules
1) Disable unused modules
Enable only the modules you need. Pre-processing and post-processing modules
like mod_speling, mod_include and mod_log_config add a lot of overhead.
Use http://httpd.apache.org/docs-2.0/mod/index.html to determine
which modules are used with your configuration, and which you can remove.
2) mod_vhost_alias
This module uses less memory than VirtualHost directive, when it is
used for a huge number of virtual hosts with similar configurations.
3) mod_perl
Using mod_perl for CGI scripts is considerably faster than using mod_cgi.
Configuring HP-UX Environment
1) Tuning the OS
Tune kernel parameters maxproc, shmem, maxfd, etc.
See FAQ: "performance/sizing" for suggested kernel parameters.
The FAQ is included in the bundle: http://yourserver.com/hp_docs/faq
or online: http://www.hp.com/products1/unix/webservers/apache/faqs/index.html
2) Monitor the memory
Make sure the web server has enough memory.
3) Renice
Increase the priority of HP-UX Apache-based Web Server process.
4) TCP/IP parameters tuning
On HP-UX 11.x the system listen queue parameter is called
tcp_conn_request_max. The utility for listing/modifying network settings
is called "ndd".
The following are equivalent commands to use on HP-UX 11.x:
- To check the current setting of the system listen queue:
ndd -get /dev/tcp tcp_conn_request_max
- To adjust the system listen queue size to 256, for example:
ndd -set /dev/tcp tcp_conn_request_max 256
Example:
Parameter                     Scope          Default Value  Tuned Value
---------                     -----          -------------  -----------
maxfiles                      /stand/system  2048           4096 *
maxfiles_lim                  /stand/system  2048           4096 *
tcp_time_wait_interval        ndd/dev/tcp    60000          60000
tcp_conn_request_max          ndd/dev/tcp    20             1024 --> 4096
tcp_ip_abort_interval         ndd/dev/tcp    600000         60000
tcp_keepalive_interval        ndd/dev/tcp    72000000       900000
tcp_rexmit_interval_initial   ndd/dev/tcp    1500           1500
tcp_rexmit_interval_max       ndd/dev/tcp    60000          60000
tcp_rexmit_interval_min       ndd/dev/tcp    500            500
tcp_xmit_hiwater_def          ndd/dev/tcp    32768          32768
tcp_recv_hiwater_def          ndd/dev/tcp    32768          32768
5) Avoid using NFS
Don't use files on NFS for "LockFile" or "Scriptsock" directives.
This will cause the system to hang.
Examples:
LockFile NON_NFS_PATH/lockfile.lock
Scriptsock NON_NFS_PATH/logs/cgisock
Other Configuration
1) Use a cache proxy
Use a cache proxy to cache the web pages.
***************************************************************************
LEGAL NOTICES
The information in this document is subject to change without notice.
WARRANTY DISCLAIMER
HEWLETT-PACKARD MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
INFORMATION, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard
shall not be liable for errors contained herein or for direct, indirect,
special, incidental or consequential damages in connection with the
furnishing, performance or use of this material.
RESTRICTED RIGHTS LEGEND
Use, duplication or disclosure by the U.S. Government is subject to
restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in
Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD
agencies. Rights for non-DOD U.S. Government Department and Agencies are
as set forth in FAR 52.227-19 (c)(1,2).
COPYRIGHT NOTICES
Copyright 2002-2006 Hewlett-Packard Development Company, L.P.
This document contains information which is protected by copyright.
All Rights Reserved. Reproduction, adaptation, or translation without
prior written permission is prohibited, except as allowed under the
copyright laws.
TRADEMARK NOTICES
UNIX is a registered trademark in the United States and other countries,
licensed exclusively through X/Open Company Limited.
Java and all Java-based trademarks and logos are trademarks or
registered trademarks of Sun Microsystems, Inc. in the U.S. and
other countries.
ACKNOWLEDGEMENTS
This product includes software developed by the Apache Software Foundation.
This documentation is based on information from the Apache Software Foundation
(http://www.apache.org).