I have enabled the peruser mpm for apache2 and now whenever someone hits an ssl webpage, it takes a long time (about 5 to 10 seconds) before apache starts answering normal requests again. Everything just seems to hang there. If I put ServerEnvironment apache apache either globally or just in the ssl virtual host, it will only send 512 bytes and no error is shown in Firefox or the error log. As this is a mission critical production server I didn't have much time to do any real debugging. A working workaround is to install both prefork and peruser and have the ssl run under another apache process with prefork as the mpm.

Reproducible: Always

Steps to Reproduce:
1. Install and configure with peruser as the mpm and a SSL virtual host
2. Connect to the https website in a browser window
3. Connect to a normal site in another window
4. Play around on the sites a bit if needed, it seems to get worse after each ssl request.

Actual Results: It would take a long time before apache2 starts answering the request, however connections are accepted. After a few hours it actually seems like apache gets hung to the point of having to restart it.

Expected Results: Answer within expected timings (almost instant).

Apache is also running with PHP.
# emerge --info
Portage 2.0.51.19 (default-linux/x86/2004.3, gcc-3.4.3-20050110, glibc-2.3.4.20050125-r0, 2.6.10-gentoo-r1 i686)
=================================================================
System uname: 2.6.10-gentoo-r1 i686 Intel(R) Xeon(TM) CPU 2.80GHz
Gentoo Base System version 1.6.9
Python: dev-lang/python-2.3.5 [2.3.5 (#1, Feb 27 2005, 11:50:20)]
dev-lang/python: 2.3.5
sys-devel/autoconf: 2.59-r6, 2.13
sys-devel/automake: 1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.5
sys-devel/binutils: 2.15.92.0.2-r4
sys-devel/libtool: 1.5.10-r5
virtual/os-headers: 2.6.8.1-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/bind /var/qmail/alias /var/qmail/control /var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mcpu=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms"
GENTOO_MIRRORS="ftp://gentoo.risq.qc.ca/ http://gentoo.mirrors.pair.com/ http://mirror.tucdemonic.org/gentoo/"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X apache2 apm arts avi bcmath berkdb bitmap-fonts bzlib calendar cpdflib crypt cups curl curlwrappers dba dbase dbs emboss encode exif fam font-server foomaticdb fortran ftp gd-external gdbm gif gmp gpm gtk2 imap imlib innodb jpeg kde libg++ libwww mad mhash mikmod mime ming mmx motif mp3 mpeg mysql ncurses nls oggvorbis opengl oss pam pcntl pcre pdflib perl png posix python qt quicktime readline samba sdl session sharedmem simplexml slang sockets spell sse ssl svga sysvipc tcltk tcpd tiff tokenizer truetype truetype-fonts type1-fonts xml2 xmlrpc xmms xpm xv zlib"
Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, PORTDIR_OVERLAY
The peruser mpm is experimental; it is of course your choice to run experimental software on a 'mission critical production server', however we do not support nor recommend it.
we should add a `ewarn mpm-peruser is considered being EXPERIMENTAL etc pp` if useq mpm-peruser; + - ?
erm. sorry, one note left: when you can provide us with a backtrace, we can send it to upstream (the peruser mpm devs) or you'll just do so ;) Because: finding a problem is one thing, but getting it fixed requires such problems *to be reported* (with detailed info).
There was already a notice that metux/peruser was experimental; that was displayed in src_compile, so I've moved that into pkg_setup and made the warning more verbose. :)
Yes I do know that the mpm is experimental. However after the Santy worm, the tons of poorly programmed cgi and php scripts that require lots of files to be 777, users that don't or won't understand Linux's permission system, the unviability of having an apache process and an ip per user for individual chroots, peruser's chroot and execution as a specific user should help limit security problems, barring any problems in peruser. How can I get a backtrace of a process while it is running?
does your default vhost have the ServerEnvironment directive? it is very important to give _EVERY_ vhost a ServerEnvironment, and you shouldn't put it in global scope
Yes it has, however I'm also using vhost_mod_alias
I'm trying to get peruser to work on a server of mine, but I cannot find *any* documentation for it. If you could at least post or point me to somewhere where I could see a simple example à la <IfModule peruser.c> ... Multiplexer ... </IfModule> and then what each vhost needs and where Processor goes (I'm assuming in the vhost config). Also, I'm confused by the ServerEnvironment directive and you mentioned it also. I cannot find any reference to it anywhere. Thanks.
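An added illustration of the layout asked about above; it is not from this bug report or from peruser's own documentation. Only the directive names Multiplexer, Processor and ServerEnvironment come from this thread; the user and group names, host names and paths are assumptions, and the point it shows is the one made earlier in the thread: every vhost gets its own ServerEnvironment so that a compromised script in one vhost runs only as that vhost's unprivileged user.

```apache
# Added example, not from this bug report or from peruser's docs.
# Directive names are those mentioned in this thread; account names,
# host names and paths are assumptions.
<IfModule peruser.c>
    # The multiplexer accepts connections and hands them to a
    # processor; it should run as a dedicated unprivileged account.
    Multiplexer apache-mux apache-mux

    # One processor per hosting account: Processor <user> <group>
    Processor alice alice
    Processor bob bob
</IfModule>

# Each vhost names its own ServerEnvironment <user> <group>;
# do not put the directive in the global scope.
<VirtualHost *:80>
    ServerName alice.example.com
    DocumentRoot /home/alice/public_html
    ServerEnvironment alice alice
</VirtualHost>

<VirtualHost *:80>
    ServerName bob.example.com
    DocumentRoot /home/bob/public_html
    ServerEnvironment bob bob
</VirtualHost>
```

Per the later comment in this thread, an SSL vhost does not work under peruser, so the reporter's workaround of serving https from a separate prefork instance still applies to this layout.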
Due to a design flaw in peruser, it will not work for SSL connections. This is an UPSTREAM issue. Please report it to them.
Sure, thanks