From mboxrd@z Thu Jan 1 00:00:00 1970 From: Wolfgang Apolinarski To: development@lists.ipfire.org Subject: AW: Development Digest, Vol 63, Issue 39 Date: Mon, 24 Apr 2017 19:40:27 +0200 Message-ID: <004c01d2bd21$dc6da7b0$9548f710$@apolinarski.de> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7833533918472280719==" List-Id: --===============7833533918472280719== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, (...) >> --- a/config/httpd/server-tuning.conf >> +++ b/config/httpd/server-tuning.conf >> @@ -17,10 +17,12 @@ MaxKeepAliveRequests 100 >> ?# >> ?KeepAliveTimeout 15 >> ? >> -MinSpareServers 1 >> -MaxSpareServers 10 >> -StartServers 2 >> -MaxClients 1000 >> +MinSpareThreads 1 >> +MaxSpareThreads 10 >> +StartServers 1 >> +MaxRequestWorkers 10 >> +MaxConnectionsPerChild 100 >> +ThreadsPerChild 10 > What made you pick these values? > StartServers used to be 2 before and is 1 now for example. Yes, in the previous version, the server was using fork, now it is using thre= ads, so one process (for startup) should be enough. We now have up to 10 threads (11, if you also count the server thread itself)= , which results in a total maximum of 10 simultaneous connections. After 100 connections, a thread is recycled. For the web configuration interface, this should be enough, although one coul= d increase the values, if necessary, allowing more MaxRequestWorkers, for example. Also, the maximum number of server processes is not restricted any more, alth= ough the strict limit on MaxRequestWorkers should limit these automatically (to 1). So, in total this should allow one apache child process that spawns up to 10 = (spare) threads that may handle connections. After 100 connections, this child process is recycled (to avoid accidental memory leaka= ge). I also just saw that MaxSpareThreads should be set to 11 in this case (1 spar= e thread and up to 10 threads handling the connection), I would correct this then. There is always some reasoning involved in choosing the right values. If you = think that running own-/nextcloud or other web server intensive tasks is one of the main selling points of IPFire, increasing these= values might be necessary. I was only thinking about the web configuration interface when choosing these values. Nevertheless, I a= lso tested some addons (without any issues), but I did not perform a load simulation. >> ? >> ?# >> ?# The following directives modify normal HTTP response behavior to >> diff --git a/config/httpd/ssl-global.conf b/config/httpd/ssl-global.conf >> index 9cf4f81..a767c10 100644 >> --- a/config/httpd/ssl-global.conf >> +++ b/config/httpd/ssl-global.conf >> @@ -42,7 +42,7 @@ >> ? #???Semaphore: >> ? #???Configure the path to the mutual exclusion semaphore the >> ? #???SSL engine uses internally for inter-process synchronization.? >> - SSLMutex??file:/var/log/httpd/ssl_mutex >> +# SSLMutex??file:/var/log/httpd/ssl_mutex >Instead of commenting out some deprecated directives, you should just remove >these lines. If we need them back, Git will remember them :) Will do. The original idea was to ask if there was any reason for this value = to be set. I don't think that setting this directive is necessary. (...) > diff --git a/src/setup/passwords.c b/src/setup/passwords.c > index e7b4b52..6242577 100644 > --- a/src/setup/passwords.c > +++ b/src/setup/passwords.c > @@ -56,7 +56,7 @@ int handleadminpassword(void) > ? return 0; > ?=09 > ? snprintf(commandstring, STRING_SIZE, > - "/usr/sbin/htpasswd -c -m -b " CONFIG_ROOT "/auth/users admin > '%s'", password); > + "/usr/bin/htpasswd -c -B -C 7 -b " CONFIG_ROOT "/auth/users > admin '%s'", password); > ? sprintf(message, _("Setting %s 'admin' user password..."), NAME); > ? if (runhiddencommandwithstatus(commandstring, _("Setting password"), > message, NULL)) { > ? sprintf(message, _("Problem setting %s 'admin' user > password."), NAME); > This would make it impossible to restore backups to an older version of IPF= ire. > However, for the security, I would certainly vote for making this change any > way. >=20 > Patch looks good so far. Did you test this with the current version of PHP = that > is currently packaged? This probably needs an update as well soon, but firs= t I > would just like to stick to Apache and do one step after the other. I will rebase and re-run a test with the current next version. >=20 > Anything else you might expect to break or cause complications? Addon packages need to make sure they adapt their configuration. I think I fo= und all apache configuration files in the next branch, but if there are external addon-repositories, they might need to be adapted a= s well. Apache will not start, if the directives are not updated. I intentionally did= not enable mod_access_compat, because the migration is not complicated and the new directives are (usually) a lot easier to use and = understand. Also, this would allow to mix old and new directives... Note that some files changed their directory, so htpasswd now resides in /usr= /bin instead of /usr/sbin. If there are more hardcoded system calls like in passwords.c, they need to be adapted. I snipped the original text to make it easier to answer. Best regards, Wolfgang --===============7833533918472280719==--