
Admin Guide for HP-UX Apache-based Web Server

TABLE OF CONTENTS

Important Changes
  - Increasing the Number of Available File Descriptors
  - HP-UX Apache-based Web Server Restructuring
  - Apache API Changes from Previous Releases
  - Changed behavior of Scriptsock directive for mod_cgid
  - Added mod_jk2 support
  - mod_jk moved from Tomcat Product to Apache Product
Setup
  - Prerequisites
  - Installation
  - Starting and Stopping HP-UX Apache-based Web Server
Configuration
  - Configuration Files
  - Admin Guides
  - Moving the Root Directory
  - Automatic Restart of Apache
  - Enabling more file descriptors
  - Configuring mod_jk and mod_jk2
  - Running Multiple instances of Apache
  - Running 11.00 depot on 11.11
Troubleshooting
Known Bugs
Tuning
  - Using Directives
  - Using Modules
  - Configuring HP-UX Environment
  - Other Configuration
Legal Notices

IMPORTANT CHANGES

This feature release of HP-UX Apache-based Web Server contains support for Microsoft(R) FrontPage Server Extensions, more PHP extensions, different cryptography libraries used for SSL transactions and version upgrades.

Increasing the Number of Available File Descriptors

HP-UX Apache-based Web Server version A.2.0.48.00 and later are compiled with _USE_BIG_FDS to raise the maximum allowed number of simultaneous open files, or maximum number of file descriptors, from 2048 to 60000 per process (depending on the system configuration). This value is specified by the constant MAXFUPLIM (and the equivalents _MAXFUPLIM and FD_SETSIZE). Enabling this feature requires changes to the HP-UX environment, as specified in "Enabling more file descriptors".

HP-UX Apache-based Web Server Restructuring

Starting with the HP-UX Web Server Suite, HP-UX Apache-based Web Server, HP-UX Webmin-based Admin, and HP-UX Tomcat-based Servlet Engine are separate installable components and now reside under their own directory structure. Each component has its own root directory under /opt/hpws. The new directories are:

    /opt/hpws/apache/
    /opt/hpws/tomcat/
    /opt/hpws/webmin/
    /opt/hpws/xmltools/

/opt/hpws/apache/ includes the Apache binary (httpd) as well as HP add-on features such as mod_auth_ldap, mod_perl, mod_php, etc. This structure reflects HP-UX Web Server Suite's flexibility for installing and running Apache, Webmin, Tomcat and XML Tools either separately or in combination.

Documentation common to all products (Migration Guides, FAQ) is delivered with the HP-UX Webmin-based Admin product, which must be installed to access these documents. Uninstalling HP-UX Webmin-based Admin may lead to inaccessibility of HP-UX Web Server Suite documentation by other components of the suite that may still be installed. For more information on resolving this condition, please refer to /opt/hpws/apache/hpws_docs/.hp_docs/README

IMPORTANT NOTE: HP-UX Apache-based Web Server no longer starts automatically after installation; you have to start it manually.

Apache API Changes from Previous Releases

The following has changed between this release and earlier releases of Apache 2.x.

- Changes between Apache 2.0.49 and Apache 2.0.50

  This version of Apache is principally a bug fix release. Of particular note is that 2.0.50 addresses two security vulnerabilities:

    - A remotely triggered memory leak in HTTP header parsing can allow a denial of service attack due to excessive memory consumption.
    - Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a (trusted) client certificate subject DN which exceeds 6K in length.

- Changes between Apache 2.0.48 and Apache 2.0.49

  This version of Apache is principally a bug fix release. Of particular note is that 2.0.49 addresses three security vulnerabilities:

    - Apache does not filter terminal escape sequences from error logs, which could make it easier for attackers to insert those sequences into terminal emulators.
    - A starvation issue on listening sockets occurs when a short-lived connection on a rarely-accessed listening socket causes a child to hold the accept mutex and block out new connections.
    - A memory leak in mod_ssl allows a remote denial of service attack against an SSL-enabled server by sending plain HTTP requests to the SSL port.

- Changes between Apache 2.0.47 and Apache 2.0.48

  This version of Apache is principally a bug fix release. Of particular note is that 2.0.48 addresses two security vulnerabilities:

    - mod_cgid mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used.
    - A buffer overflow could occur in mod_alias and mod_rewrite when a regular expression with more than 9 captures is configured.

  This release is compatible with modules compiled for 2.0.42 and later versions.

- Changes between Apache 2.0.43 and Apache 2.0.45/2.0.46

  This release is binary-compatible with Apache 2.0.42 and greater. All the modules compiled with Apache 2.0.42 or greater will continue to work with this version.

- Changes between Apache 2.0.39 and Apache 2.0.43

  This release is binary-compatible only with 2.0.42, and no other previous releases. All modules must be recompiled in order to work with this version. For example, a module compiled to work with 2.0.39 will not work with 2.0.43.

  The definitions of the following functions have changed to include an additional parameter, ap_init_filter_func:

    ap_register_input_filter ( ... )
    ap_register_output_filter ( ... )

  More information can be found in /opt/hpws/apache/include/util_filter.h.

- Changes between Apache 2.0.32 and Apache 2.0.39

  Apart from the following API changes, 2.0.32-based modules may have to be recompiled for 2.0.39, due to redefinition of some data structures.

  If a module is based on the 2.0.32 or earlier API, it may be affected by name changes for apr_lock-related functions. Verify that the module is using the correct name and rebuild if needed. The following table lists the name changes for the apr_lock-related functions. More information can be found in /opt/hpws/apache/include/apr_thread_mutex.h.

    v.2.0.32 (or earlier):       corresponding function in v.2.0.39:
    --------------------------   ------------------------------------
    apr_lock_create ( ... );     apr_thread_mutex_create ( ... );
    apr_lock_acquire ( ... );    apr_thread_mutex_lock ( ... );
    apr_lock_release ( ... );    apr_thread_mutex_unlock ( ... );
    apr_lock_destroy ( ... );    apr_thread_mutex_destroy ( ... );

Changed behavior of Scriptsock directive for mod_cgid

The behavior of the 'Scriptsock' directive has been changed to fix multiple bugs in mod_cgid, including:

  - httpd hangs if 'read' is used in the CGI script
  - the POST operation to a CGI script fails to complete

Old Behavior:

  The httpd daemon opens an AF_UNIX socket (based on the value given by the Scriptsock directive) to connect to the CGI daemon.

New Behavior:

  option 1: Use an AF_INET socket by specifying a port number in the Scriptsock directive. The httpd daemon opens an AF_INET socket to the CGI daemon. The CGI daemon will listen on the localhost (127.0.0.1), using the port specified by the Scriptsock directive. By default, the CGI daemon will listen on the default port 127.0.0.1:5080.

  NOTE: HP has found that binding to the localhost address (127.0.0.1) provides the same level of security as offered by the AF_UNIX socket.

  option 2: Continue to use the old behavior. This will not have the fix for the above problems.

If the Scriptsock directive is not specified, by default, the httpd daemon opens an AF_INET socket to the CGI daemon. The CGI daemon will listen on the default port 127.0.0.1:5080.

Examples of using the Scriptsock directive:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Scriptsock 8000
   The CGID will listen on 127.0.0.1:8000.

2. Scriptsock logs/cgisock
   The httpd daemon opens an AF_UNIX socket (based on the value given by the Scriptsock directive) to connect to the CGI daemon.

3. Scriptsock 8000logs/cgisock
   The CGID will listen on 127.0.0.1:8000; the string logs/cgisock is discarded.

4. NO Scriptsock is defined in httpd.conf
   The CGI daemon will listen on the default port: 127.0.0.1:5080.
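
The four Scriptsock cases above can be checked mechanically. The script below is an added example, not HP code: resolve_scriptsock applies the rules listed above to httpd.conf text, and check_listener confirms from `netstat -an` output that the resulting port is bound only to 127.0.0.1, which is the property HP's note relies on. Assumptions: the last Scriptsock line in the file is the effective one, netstat prints local addresses as ADDR.PORT, and the netstat sample is constructed.

```shell
#!/bin/sh
# Added example (not HP code): work out where the mod_cgid daemon will listen,
# following the Scriptsock rules in this guide, then check the listener.

# resolve_scriptsock: reads httpd.conf text on stdin and prints
#   "inet 127.0.0.1:PORT"  or  "unix PATH".
# Assumption: if the directive appears more than once, the last one is used.
resolve_scriptsock() {
    awk '
        tolower($1) == "scriptsock" && NF >= 2 { val = $2 }
        END {
            if (val == "")                       # case 4: directive absent
                print "inet 127.0.0.1:5080"
            else if (match(val, /^[0-9]+/))      # cases 1 and 3: leading digits
                print "inet 127.0.0.1:" substr(val, 1, RLENGTH)
            else                                 # case 2: AF_UNIX socket path
                print "unix " val
        }'
}

# check_listener PORT: reads `netstat -an` text on stdin and prints
#   ok       every LISTEN socket on PORT is bound to 127.0.0.1
#   exposed  some LISTEN socket on PORT is bound to another address or to *
#   absent   nothing is listening on PORT
# Assumption: local addresses are printed as ADDR.PORT (for example *.80).
check_listener() {
    awk -v port="$1" '
        $NF == "LISTEN" {
            n = split($4, part, "[.]")
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr == "127.0.0.1") lo = 1; else exposed = 1
        }
        END { print (exposed ? "exposed" : (lo ? "ok" : "absent")) }'
}

# Constructed sample of netstat -an output (not captured from a real system).
sample_netstat() {
    cat <<'EOF'
tcp        0      0  *.80                   *.*                     LISTEN
tcp        0      0  127.0.0.1.5080         *.*                     LISTEN
tcp        0      0  *.8000                 *.*                     LISTEN
EOF
}

# The four Scriptsock cases listed above, as constructed httpd.conf fragments.
for conf in 'Scriptsock 8000' 'Scriptsock logs/cgisock' \
            'Scriptsock 8000logs/cgisock' '# Scriptsock 8000'; do
    printf '%-30s -> %s\n' "$conf" "$(printf '%s\n' "$conf" | resolve_scriptsock)"
done
printf 'port 5080: %s\n' "$(sample_netstat | check_listener 5080)"
printf 'port 8000: %s\n' "$(sample_netstat | check_listener 8000)"
```

On a live system, feed the real configuration and the real `netstat -an` output to the two functions; an "exposed" verdict for the CGI daemon port means the daemon is reachable from other hosts.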

Added mod_jk2 support

For more information on mod_jk2 please visit: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/jk2/jk2/confighowto.html

mod_jk moved from Tomcat Product to Apache Product

mod_jk has moved to /opt/hpws/apache/modules. If HP-UX Tomcat-based Servlet Engine is used with HP-UX Apache-based Web Server via the mod_jk connector, then the ld version on the system needs to be at least B.11.37. The patch numbers corresponding to B.11.37 are:

    PHSS_28869 for HP-UX 11.00 or
    PHSS_28871 for HP-UX 11i (11.11)

You may need different patches if the above-mentioned patches have been superseded.

SETUP

Prerequisites

1. See individual Admin Guides for each component to determine patch requirements.

     LDAP Admin Guide
     PHP Admin Guide
     SSL Admin Guide
     suEXEC Admin Guide
     Frontpage Admin Guide
     Webproxy Admin Guide

   HP-UX Apache-based Web Server binaries are dependent on the B.11.37 or later versions of ld and libdld. To determine the version on your machine,

     - Type 'ld -V'
     - Type 'what /usr/lib/libdld.sl'
     - Install either PHSS_28869 for HP-UX 11.00 or PHSS_28871 for HP-UX 11i (11.11) or later to solve this problem.

   To download, go to the IT Resource Center for Americas and Asia Pacific (http://us-support.external.hp.com/) or Europe (http://europe-support.external.hp.com/). Under Maintenance/Support click on "Individual Patches". Scroll down to "retrieve a specific patch by entering the patch name" and enter the patch number in the input field.

   Note that on any given system, the versions of ld and libdld should be the same.

   mod_deflate requires the zlib 1.1.4 library, which is available from the HP-UX Porting Archive Center (http://hpux.cs.utah.edu), which provides this library in source form and also as HP-UX binaries.

2. Building Apache modules in C and C++ requires gcc (version 3.0 or later). To download, go to the "Developer & Solution Partner Portal" at http://www.hp.com/go/dspp and search for gcc. Alternatively, http://h21007.www2.hp.com/dspp/tech/tech_TechSoftwareDetailPage_IDX/1,1703,547,00.html

   C++ plug-in modules should be built with the Classic C++ runtime libraries, -lCsup, -lstd, and -lstream. Classic C++ runtime libraries are the default on PA, so plug-ins can be compiled using the default or by explicitly selecting the Classic C++ runtime libraries with the -AP compile option:

   Using the default,

     g++ -shared -o mod_hello.so -I/opt/hpws/apache/include -Wno-deprecated \
         -fPIC mod_hello.cpp

   To specify the -AP option,

     g++ -shared -AP -o mod_hello.so -I/opt/hpws/apache/include -Wno-deprecated \
         -fPIC mod_hello.cpp

   To specify the -AA option,

     aCC -b +DD64 -AA -mt +z -I/opt/hpws/apache/include -o mod_hello.so \
         mod_hello.cpp

   For more information about C++ libraries, please see http://www.hp.comd/go/C++.

3. Building DSOs using /opt/hpws/apache/bin/apxs depends on Perl. The expected location for Perl is /opt/perl/bin/perl. Either download and install Perl, or change the path in the apxs script to the Perl location installed on your machine.

   Download and install Perl 5.8.7 for HP-UX 11.0 and 11i (PA-RISC) from HP Software Depot: http://software.hp.com/
   Search for: Perl 5.8.7

4. The HP-UX Apache-based Web Server binary is perl-enabled. That is, mod_perl is built as a DSO module and is distributed as part of the HP-UX Apache-based Web Server release bundle. However, mod_perl has not been enabled in the default installation. Follow these steps to configure and enable mod_perl:

   a. Download and install Perl 5.8.7 for HP-UX 11.0/11i (PA-RISC) from HP Software Depot:
      http://software.hp.com/
      http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL
      Search for: Perl 5.8.7

   b. Edit /opt/hpws/apache/conf/httpd.conf and uncomment the following line (i.e. remove the beginning '#' character):

        LoadModule perl_module modules/mod_perl.so

      To have mod_perl handle all scripts ending in *.pl, make sure that the section enclosed in <IfModule mod_perl.c> ... is uncommented. This step will make HP-UX Apache-based Web Server perl-ready.

   c. Restart the HP-UX Apache-based Web Server:

        /opt/hpws/apache/bin/apachectl stop
        /opt/hpws/apache/bin/apachectl start

Installation

Information on installing all products of HP-UX Web Server Suite can be found in Getting Started. The user-configurable files of HP-UX Apache-based Web Server will be saved as per the standard HP-UX newconfig methodology. More information can be found in the newconfig section of Getting Started.

Starting and Stopping HP-UX Apache-based Web Server

Note: In the default installation you must be root to start/stop the HP-UX Apache-based Web Server.

To start the HP-UX Apache-based Web Server:

    $ /opt/hpws/apache/bin/apachectl start

To stop the HP-UX Apache-based Web Server:

    $ /opt/hpws/apache/bin/apachectl stop

To start the HP-UX Apache-based Web Server with SSL capability:

    $ /opt/hpws/apache/bin/apachectl startssl

    If you have added a new server key (certificate) which has a PEM encoded pass phrase, you will be prompted to enter it here.

To stop the HP-UX Apache-based Web Server with SSL capability:

    $ /opt/hpws/apache/bin/apachectl stop

For server startup with PHP, suexec and ldap authentication, see the corresponding Admin guides located in /opt/hpws/hp_docs/apache/.

For server startup with WebDAV, when your server is running, see the FAQ located at http://yourserver.com/hp_docs/faq/, or use Webmin and access http://yourserver.com:10000/hp_docs/faq/.

CONFIGURATION

Configuration Files

The HP-UX Apache-based Web Server 2.x has additional configuration files beyond the /opt/hpws/apache/conf/httpd.conf file. These configuration files are specific to a major component and are found in the following locations by default:

    Apache:                             /opt/hpws/apache/conf/httpd.conf
    Apache (SSL):                       /opt/hpws/apache/conf/ssl.conf
    Apache (caching):                   /opt/hpws/apache/conf/cache.conf
    PHP:                                /opt/hpws/apache/conf/php.ini
    auth_ldap:                          /opt/hpws/apache/conf/ldap.conf
    mod_auth_ldap/mod_ldap (caching):   /opt/hpws/apache/conf/ldap.conf
    mod_jk:                             /opt/hpws/apache/conf/mod_jk.conf
                                        /opt/hpws/apache/conf/workers.properties
    mod_jk2:                            /opt/hpws/apache/conf/mod_jk2.conf
                                        /opt/hpws/apache/conf/workers2.properties

Admin Guides

Refer to the following documents included with the software located in the /opt/hpws/hp_docs/ directory. If HP-UX Apache-based Web Server has been started with the default configuration, these documents can be viewed at http://yourserver.com/hp_docs. These are also viewable via Webmin at http://yourserver.com:10000/hp_docs/.

    Apache Admin Guide
    LDAP Admin Guide
    PHP Admin Guide
    SSL Admin Guide
    suEXEC Admin Guide
    Frontpage Admin Guide
    Webproxy Admin Guide

Moving the Root Directory

The altroot.sh script has been provided to easily move the entire /opt/hpws/ directory, including HP-UX Apache-based Web Server, HP-UX Tomcat-based Servlet Engine, HP-UX Webmin-based Admin and HP-UX XML Web Server Tools. The script is located in the /opt/hpws/util/ directory. Detailed information is located in the General Utilities User Guide.

Automatic Restart of Apache

If you would like to automatically restart HP-UX Apache-based Web Server at boot-up time, you will have to modify the component's configuration file:

    /etc/rc.config.d/hpws_apacheconf for HP-UX Apache-based Web Server

If you do not set HPWS_APACHE_START or HPWS_APACHE_START_SSL to 1, then you will need to manually start HP-UX Apache-based Web Server when the system comes online after a system reboot. These values are set to '0' (no reboot) by default.

NOTE:

(1) If you intend to start HP-UX Apache-based Web Server in SSL mode, ensure that the certificate key file is not encrypted with a password. If the key file requires a password, the system bootup will hang.

(2) With their default configurations, the startup of HP Apache-based Web Server 1.3 has higher precedence over HP-UX Apache-based Web Server A.2.x at reboot time. Therefore, if both 1.3 and A.2.x are configured to use the same port number and set to be restarted at boot time, only 1.3 would come up. It is therefore recommended that the user set the config files (/etc/rc.config.d/apacheconf for 1.3 and /etc/rc.config.d/hpws_apacheconf for A.2.x) to start either HP Apache-based Web Server 1.3 or HP-UX Apache-based Web Server A.2.x. Starting both HP Apache-based Web Server 1.3 and HP-UX Apache-based Web Server A.2.x at reboot time is currently not supported.

- To automatically start HP-UX Apache-based Web Server at boot-up time, set the HPWS_APACHE_START variable to 1. If you do not desire this feature, set the HPWS_APACHE_START variable to 0. The line below shows how to turn it on.

    HPWS_APACHE_START=1

The startup scripts have a direct dependency on the HPWS_APACHE_HOME variable, and expect HP-UX Apache-based Web Server to be located in the <HPWS_APACHE_HOME> directory.
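
Note (1) above can be verified before a reboot. The script below is an added example, not HP code: when HPWS_APACHE_START_SSL is 1 it inspects every key file named by an SSLCertificateKeyFile directive in ssl.conf, reports keys that carry a PEM encryption marker (these would prompt for a pass phrase and hang the boot), and, since the key must then be stored unencrypted, also reports keys whose file mode lets group or other read them. Assumptions: the function names and verdict strings are illustrative, relative key paths are resolved against the server root passed as the third argument, and the fixtures are constructed PEM headers with no key material.

```shell
#!/bin/sh
# Added example (not HP code): pre-reboot check for the SSL autostart note.
# On a real system the three arguments to boot_check would be
# /etc/rc.config.d/hpws_apacheconf, /opt/hpws/apache/conf/ssl.conf
# and /opt/hpws/apache.

# rc_value VAR FILE: value of the last VAR=... assignment in an rc config file.
rc_value() {
    awk -F= -v var="$1" '
        { sub(/^[ \t]+/, "") }
        $1 == var { v = $2; sub(/#.*/, "", v); gsub(/[" \t]/, "", v); val = v }
        END { print val }' "$2"
}

# key_paths SSLCONF: every SSLCertificateKeyFile value (mod_ssl directive).
key_paths() {
    awk 'tolower($1) == "sslcertificatekeyfile" { gsub(/"/, "", $2); print $2 }' "$1"
}

# key_is_encrypted FILE: true if the PEM file carries an encryption marker
# (traditional "Proc-Type: 4,ENCRYPTED" header or PKCS#8 ENCRYPTED label).
key_is_encrypted() {
    grep -E 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1" >/dev/null
}

# boot_check RCFILE SSLCONF SERVERROOT: prints one verdict line per key file.
boot_check() {
    if [ "$(rc_value HPWS_APACHE_START_SSL "$1")" != "1" ]; then
        echo "ssl-autostart-off"
        return 0
    fi
    key_paths "$2" | while read -r key; do
        case $key in /*) ;; *) key=$3/$key ;; esac   # relative to server root
        if [ ! -f "$key" ]; then
            echo "missing $key"
        elif key_is_encrypted "$key"; then
            echo "boot-hang-risk $key"               # pass phrase prompt at boot
        elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            echo "key-readable-by-others $key"       # unencrypted key, loose mode
        else
            echo "ok $key"
        fi
    done
}

# make_demo DIR: constructed fixtures (PEM headers only, no key material).
make_demo() {
    mkdir -p "$1/conf"
    echo 'HPWS_APACHE_START_SSL=1' > "$1/hpws_apacheconf"
    printf '%s\n' 'SSLCertificateKeyFile conf/enc.key' \
                  'SSLCertificateKeyFile conf/plain.key' \
                  'SSLCertificateKeyFile conf/loose.key' > "$1/ssl.conf"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
                  '(constructed sample, body omitted)' > "$1/conf/enc.key"
    for k in plain loose; do
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
                      '(constructed sample, body omitted)' > "$1/conf/$k.key"
    done
    chmod 600 "$1/conf/enc.key" "$1/conf/plain.key"
    chmod 644 "$1/conf/loose.key"
}

demo=${TMPDIR:-/tmp}/hpws_bootcheck.$$
make_demo "$demo"
boot_check "$demo/hpws_apacheconf" "$demo/ssl.conf" "$demo"
rm -rf "$demo"
```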

Enabling more file descriptors

HP-UX Apache-based Web Server is now compiled with _USE_BIG_FDS to raise the maximum allowed number of simultaneous open files, or maximum number of file descriptors, from 2048 to 60000 (depending on the system configuration) per process. This value is specified by the constant MAXFUPLIM (and the equivalents _MAXFUPLIM and FD_SETSIZE). Enabling this feature requires the following changes:

To enable HP-UX Apache-based Web Server to handle a large number of file descriptors, you need to change the system-wide RLIMIT_NOFILE defaults by modifying the kernel tunables maxfiles and maxfiles_lim; see the SAM online kernel configuration help for more information.

You might also need to reconfigure the machine with a larger value for the kernel tunable nfile. This tunable specifies the per-machine (as opposed to per-process) maximum number of simultaneous open files, and the default value is much less than 60000. See the SAM online kernel configuration help for more information.

Configuring mod_jk and mod_jk2

To use HP-UX Apache-based Web Server with HP-UX Tomcat-based Servlet Engine

- Modify /opt/hpws/apache/conf/httpd.conf:

  In this file enable the mod_jk or mod_jk2 connector by uncommenting one of the following lines:

    Include /opt/hpws/apache/conf/mod_jk.conf
    -OR-
    Include /opt/hpws/apache/conf/mod_jk2.conf

- Modify /opt/hpws/apache/conf/mod_jk.conf (if necessary):

  You can add additional mount points here if you want HP-UX Apache-based Web Server to forward requests to HP-UX Tomcat-based Servlet Engine. Add lines similar to the following:

    JkMount /mywebapp ajp13
    JkMount /mywebapp/* ajp13

  In the case of /opt/hpws/apache/conf/mod_jk2.conf:

    <Location "/mywebapp/*">
    JkUriSet worker ajp13:localhost:8009
    </Location>

- Start HP-UX Tomcat-based Servlet Engine

    $ cd /opt/hpws/tomcat
    $ bin/startup.sh

- Start HP-UX Apache-based Web Server

    $ /opt/hpws/apache/bin/apachectl start

To enable logging in mod_jk

If we suspect problems in communication between the web server and HP-UX Tomcat-based Servlet Engine, we can turn on logging inside mod_jk. To do that, edit the /opt/hpws/apache/conf/mod_jk.conf file and set

    JkLogFile /opt/hpws/apache/logs/jk.log
    JkLogLevel debug

Available logging levels are: debug, info, error, emerg.

To enable logging in mod_jk2

There is no special directive to enable error logging in mod_jk2 specifically; the mod_jk2 error log is integrated into the Apache web server's error log.

Running Multiple instances of Apache

1) Install Apache and Webmin on your machine. It is mandatory to install Webmin. Webmin contains the file, altroot.sh, that is used to change the Apache install directory.

   Note: If Apache and Webmin are already installed, ensure that they are not running.

2) Enter the following command at the HP-UX prompt:

     # /opt/hpws/util/altroot.sh --apache /opt/hpws/apache <New_location_for_Apache>

   Eg:

     # /opt/hpws/util/altroot.sh --apache /opt/hpws/apache /usr/local/hpws/apache

   The /opt/hpws/apache directory will be moved to the specified location after this. For more information about Altroot, visit: http://servername.com/hp_docs/utilities.user.guide

3) Open the <New_location_for_Apache>/conf/httpd.conf file. Change the Listen directive option to a value other than the default 80, so that Apache can listen on a different port.

   Note: If you are installing a lower version of Apache, you must remove the current installation of Apache using the swremove command. Removing the current installation will not delete any files from the altrooted Apache installation. It will only remove the IPD entries from the previous installation.

4) Install another instance of Apache. The default location of the installation files is /opt/hpws.

5) To run this newly installed Apache in a location other than the default location, repeat steps 1-3.

Running 11.00 depot on 11.11

Patch PHSS_33263 needs to be installed to run a 11.00 depot on a 11.11 system.

TROUBLESHOOTING

Please refer to a component's admin guide for log file locations and other troubleshooting tips. Check the individual log files for failures in the components. For information about HP-UX Apache-based Web Server failures, look in the log files under /opt/hpws/apache/logs/

Note: The access_log is disabled by default. To enable it, make sure that the following line is uncommented:

    CustomLog logs/access_log common

By default the access_log is enabled for SSL connections in ssl.conf.

- Starting HP-UX Apache-based Web Server with mod_jk complains of:
  "/usr/lib/dld.sl: Unresolved symbol : dlsym (code) from mod_jk.so"
  -------------------------------------------------
  The version of ld is old and needs to be upgraded. Verify the version of ld:

    % ld -V
    % what /usr/lib/libdld.sl

  SOLUTION: Upgrade to at least B.11.32 using patch PHSS_28869 for HP-UX 11.00 or PHSS_28871 for HP-UX 11i (11.11) or later to solve this problem. To download, go to the IT Resource Center for Americas and Asia Pacific (http://us-support.external.hp.com/) or Europe (http://europe-support.external.hp.com/). Under Maintenance/Support click on "Individual Patches". Scroll down to "retrieve a specific patch by entering the patch name" and enter the patch number in the input field.

  Note that on any given system, the versions of ld and libdld should be the same.

- 'apachectl start' OR 'apachectl stop' hangs on your system
  ----------------------------------------------------------------
  One possible reason is that HP-UX needs a linker patch.

    - PHSS_26559 for HP-UX 11.0.
    - PHSS_26560 for HP-UX 11i.

  SOLUTION: Check for the patch on your system, and install it if you don't have it.

- When logging at debug level, /opt/hpws/apache/logs/error_log says:
  "End of file found: read_request_line() failed"
  ----------------------------------------------------------------
  This is a harmless error. Either ignore it or increase your LogLevel setting. More details can be found at: http://www.apache.org/dist/httpd/Announcement2.html

- /opt/hpws/apache/logs/error_log says: "Apache.pm" failed to load.
  ----------------------------------------------------------------
  This is usually due to the Perl binaries not being in the PATH, or the PERL5LIB environment variable not being set correctly.

  SOLUTION: Verify that Perl 5.8.7 is installed in /opt/perl/bin and that /opt/perl/bin/perl and /opt/perl/lib/5.8.7 exist. Also verify that /opt/perl/bin is in the PATH. If it isn't, make sure to add it. After installing Perl, use the following command to specify where the mod_perl libraries are:

    export PERL5LIB=/opt/hpws/apache/lib/perl/lib/site_perl/5.8.7/PA-RISC1.1-thread-multi

  The PERL5LIB environment variable is preset by apachectl (the shell that runs the Apache executable). If you experience problems, manually set this environment variable as shown above.

  To test whether you have the correct Perl 5.8.7 on your system, run the command:

    /opt/perl/bin/perl -v | grep -i ActiveState

  This version of Perl has been engineered by ActiveState for the HP-UX 11.0/11i environment. It can be downloaded from: http://software.hp.com/
  Search for: Perl 5.8.7

- New modules don't execute.
  ----------------------------------------------------------------
  When adding new modules make sure that permissions are set to -rwxr-xr-x. Match owner and group to existing modules.

KNOWN BUGS

Make sure to review other admin guides for known bugs.

- SSL Session Caching errors
  ----------------------------------------------------------------
  Sometimes you may notice the following errors in the Apache error_log file:

    [error] scach2_lookup_session_id internal error
    [error] 'shmcb' code was unable to store a session in the cache.

  This does not affect the functionality (the connections will not be dropped). It may affect the performance of the server, but the impact is insignificant.

- /opt/hpws/apache/bin/apachectl restart does not work
  ----------------------------------------------------------------
  When all or most of the modules are enabled, the restart may not successfully restart Apache. To resolve this problem, please explicitly stop and then start Apache.

- /opt/hpws/apache/bin/apachectl stop does not work
  ----------------------------------------------------------------
  Sometimes after HP-UX Apache-based Web Server has been subject to a heavy load (especially when SSL is enabled), apachectl stop may not kill all of the httpd processes. To resolve this problem, please kill the processes using the following "kill -9" command:

    % kill -9 `ps -ef |grep httpd |grep -v grep |awk '{print $2}'`

- Apache Bench (ab) with SSL does not work
  ----------------------------------------------------------------
  In this release, ab with SSL capability is still experimental. The SSL feature is enabled only for debugging purposes, and cannot be used for stress/load testing. Not all command line options of ab are supported when used with SSL.

- Apache restart does not work with Multiple Listen directives
  ----------------------------------------------------------------
  Restarting Apache with multiple Listen directives results in increased CPU usage. This is because Apache 2.0 does not have any way to remove listeners on a restart. Therefore, for multiple Listen directives, you must stop and start the server instead of a restart.

TUNING

This tuning information is based on http://httpd.apache.org/docs-2.0/misc/perf-tuning.html#runtime, other documents and in-house testing. These notes provide tips on configuring your HP-UX Apache-based Web Server through intelligent use of directives and modules, as well as tuning your HP-UX environment.

Using Directives

1) Hostname Lookups

   http://httpd.apache.org/docs-2.0/mod/core.html#hostnamelookups

   If HostNameLookups is not turned off, each client request will result in at least one lookup request to the name server.

   Example:

     HostNameLookups off    ##Turning off DNS lookups

2) Logging

   - Avoid using debug, info and notice level.
   - Do a minimal amount of logging. Disable referer_log and agent_log, if you don't need to keep track of client information.

3) FollowSymLinks and SymLinksIfOwnerMatch

   When you do NOT have an "Options FollowSymLinks" in your URL-space, or you do have an "Options SymLinksIfOwnerMatch," HP-UX Apache-based Web Server will issue extra system calls to check up on symlinks. One extra call per filename component will be made. For example, if you had:

     DocumentRoot /www/htdocs
     <Directory />
     Options SymLinksIfOwnerMatch
     </Directory>

   If a request is made for the URI /index.html, HP-UX Apache-based Web Server will perform lstat(2) on /www, /www/htdocs, and /www/htdocs/index.html. The results of these lstats are never cached, so they will occur on every single request. If you really desire the symlinks security checking, try the following instead:

     DocumentRoot /www/htdocs
     <Directory />
     Options FollowSymLinks
     </Directory>
     <Directory /www/htdocs>
     Options -FollowSymLinks +SymLinksIfOwnerMatch
     </Directory>

   This at least avoids the extra checks for the DocumentRoot path. Note that you'll need to add similar sections if you have any Alias or RewriteRule paths outside of your document root. For highest performance, and no symlink protection, set FollowSymLinks everywhere, and never set SymLinksIfOwnerMatch.
4) AllowOverride

   Wherever in your URL-space you allow overrides (typically .htaccess files), HP-UX Apache-based Web Server will attempt to open .htaccess for each filename component. For highest performance use "AllowOverride None" everywhere in your filesystem.

5) Negotiation

   Use a complete list of options for DirectoryIndex, listing the most common choice first.

   Example:

     DirectoryIndex index.cgi index.pl index.shtml index.html

6) Tuning NumServers, StartThreads, MinSpareThreads, MaxSpareThreads, MaxThreadsPerChild, MaxRequestsPerChild

   HP-UX Apache-based Web Server tries to maintain a pool of spare or idle server threads, which stand ready to serve incoming requests. In this way, clients do not need to wait for new threads or processes to be created before their requests can be served.

   HP-UX Apache-based Web Server assesses the total number of idle threads in all processes, and forks or kills processes to keep this number within the boundaries specified by MinSpareThreads and MaxSpareThreads. Since this process is very self-regulating, it is rarely necessary to modify these directives from their default values.

   The maximum number of clients that may be served simultaneously is determined by multiplying the maximum number of server processes that will be created (MaxClients) by the number of threads created in each process (ThreadsPerChild).

Using Modules

1) Disable unused modules

   Enable only the modules you need. Pre-processing and post-processing modules like mod_speling, mod_include and mod_log_config add a lot of overhead. Use http://httpd.apache.org/docs-2.0/mod/index.html to determine which modules are used with your configuration, and which you can remove.

2) mod_vhost_alias

   This module uses less memory than the VirtualHost directive when it is used for a huge number of virtual hosts with similar configurations.

3) mod_perl

   Using mod_perl for CGI scripts is considerably faster than using mod_cgi.
Configuring HP-UX Environment

1) Tuning the OS

   Tune kernel parameters maxproc, shmem, maxfd, etc. See FAQ: "performance/sizing" for suggested kernel parameters. The FAQ is included in the bundle: http://yourserver.com/hp_docs/faq or online: http://www.hp.com/products1/unix/webservers/apache/faqs/index.html

2) Monitor the memory

   Make sure the web server has enough memory.

3) Renice

   Increase the priority of the HP-UX Apache-based Web Server process.

4) TCP/IP parameters tuning

   On HP-UX 11.x the system listen queue parameter is called tcp_conn_request_max. The utility for listing/modifying network settings is called "ndd". The following are equivalent commands to use on HP-UX 11.x:

   - To check the current setting of the system listen queue:

       ndd -get /dev/tcp tcp_conn_request_max

   - To adjust the system listen queue size to 256, for example:

       ndd -set /dev/tcp tcp_conn_request_max 256

   Example:

     Parameter                     Scope           Default Value   Tuned Value
     ---------                     -----           -------------   -----------
     maxfiles                      /stand/system   2048            4096 *
     maxfiles_lim                  /stand/system   2048            4096 *
     tcp_time_wait_interval        ndd/dev/tcp     60000           60000
     tcp_conn_request_max          ndd/dev/tcp     20              1024 --> 4096
     tcp_ip_abort_interval         ndd/dev/tcp     600000          60000
     tcp_keepalive_interval        ndd/dev/tcp     72000000        900000
     tcp_rexmit_interval_initial   ndd/dev/tcp     1500            1500
     tcp_rexmit_interval_max       ndd/dev/tcp     60000           60000
     tcp_rexmit_interval_min       ndd/dev/tcp     500             500
     tcp_xmit_hiwater_def          ndd/dev/tcp     32768           32768
     tcp_recv_hiwater_def          ndd/dev/tcp     32768           32768

5) Avoid using NFS

   Don't use files on NFS for "LockFile" or "Scriptsock" directives. This will cause the system to hang.

   Examples:

     LockFile NON_NFS_PATH/lockfile.lock
     Scriptsock NON_NFS_PATH/logs/cgisock

Other Configuration

1) Use a cache proxy

   Use a cache proxy to cache the web pages.