(I sent this to freebsd-questions, but I didn't receive any replies, thought I would try my luck here)

I set up the http accept filter with apache and I was having a hard time understanding this, maybe you guys could help out.

I've tested this among various versions of FreeBSD, primarily FreeBSD 6.3-RELEASE, and with various apache configs, and it appears to behave the same across the board.

So why is it that it "appears" that the TCP connections never terminate, just stay in a state of ESTABLISHED, and why doesn't this queue ever flush itself, is it normal, if it is, what happens exactly when the queue fills up to maxqlen. From the netstat output below, you can see that the incqlen is maxed out. I've done quite a bit of searching regarding this queue but haven't found any real solid information which describes what happens when it fills up, and at the same time this is going on, I have 517 established connections to port 80.

]# netstat -an|grep "\.80"|grep ESTAB|wc -l
519

----

]# netstat -Lan
Current listen queue sizes (qlen/incqlen/maxqlen)
Proto Listen         Local Address
tcp4  0/0/5          *.8080
tcp4  0/510/511      *.80
tcp4  0/0/10         *.587
tcp4  0/0/10         *.25
tcp4  0/0/128        *.22
tcp4  0/0/100        *.3306
tcp4  0/0/9          *.21
tcp4  0/0/128        127.0.0.1.953
tcp4  0/0/3          127.0.0.1.53

-Scott Oertel

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

Scott Oertel wrote:
> (I sent this to freebsd-questions, but I didn't receive any replies,
> thought I would try my luck here)
>
> I set up the http accept filter with apache and I was having a hard time
> understanding this, maybe you guys could help out.
>
> I've tested this among various versions of FreeBSD, primarily FreeBSD
> 6.3-RELEASE, and with various
> apache configs, and it appears to behave the same across the board.
>
> So why is it that it "appears" that the TCP connections never terminate,
> just stay in a state of ESTABLISHED, and why doesn't this queue ever
> flush itself, is it normal, if it is, what happens exactly when the
> queue fills up to maxqlen. From the netstat output below, you can see
> that the incqlen is maxed out. I've done quite a bit of searching
> regarding this queue but haven't found any real solid information which
> describes what happens when it fills up, and at the same time this is
> going on, I have 517 established connections to port 80.
>
> ]# netstat -an|grep "\.80"|grep ESTAB|wc -l
> 519
> [...]

Last time I looked (in FreeBSD 4.x) these were connections that got stuck in an early stage, that is, before the HTTP request had been received. The 'accf_http' filter which wants to parse said request waits forever in this situation because there is no timeout implemented, as far as I recall. So these would-be HTTP connections pile up over time. The actual cause is quite likely port scans and such from the Internet.

I don't know whether one would eventually run out of resources, but so many stuck connections certainly look sick, and you can't see the wood for the trees if you need to debug something under these circumstances.

What I did instead was compile Apache 1.3 with the flag

-DACCEPT_FILTER_NAME=\\\\\"dataready\\\\\"

added to CFLAGS in the ports repository's Makefile. This way Apache uses the 'dataready' filter instead of 'httpready'. This doesn't cause any stuck connections, and it improves the performance as well because most modern browsers and proxies send the HTTP request plus the whole set of headers in a single data packet anyway, which means that unconditionally returning from accept(2) on the first data packet received is sufficient. Under these circumstances the overhead of parsing the HTTP request in the kernel, like the 'httpready' filter does, no longer makes much sense.

I haven't looked at Apache 2.x so far in this regard. Perhaps there is a similar compile time option. In any case, maybe this tweak helps in your case, too.

Regards,

Uwe
--
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net

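The queue condition discussed in the two messages above can be checked mechanically. The following is an added example, not part of either poster's message: a shell function that reads `netstat -Lan` output in the layout quoted in the thread and reports listeners whose incqlen is close to maxqlen. The function names and the 80 percent threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag listeners whose incomplete
# connection queue (incqlen) is close to maxqlen in `netstat -Lan` output.

# Constructed sample input: the listing quoted in the first message.
sample_netstat() {
cat <<'EOF'
Current listen queue sizes (qlen/incqlen/maxqlen)
Proto Listen         Local Address
tcp4  0/0/5          *.8080
tcp4  0/510/511      *.80
tcp4  0/0/10         *.587
tcp4  0/0/10         *.25
tcp4  0/0/128        *.22
tcp4  0/0/100        *.3306
tcp4  0/0/9          *.21
tcp4  0/0/128        127.0.0.1.953
tcp4  0/0/3          127.0.0.1.53
EOF
}

# check_listen_queues [PCT]  (hypothetical helper name)
# Reads `netstat -Lan` text on stdin and prints one line per listener whose
# incqlen is at least PCT percent (default 80) of maxqlen.
# Exit status is 1 if any such listener was found, 0 otherwise.
check_listen_queues() {
    awk -v pct="${1:-80}" '
        # Data rows carry a qlen/incqlen/maxqlen triple in the second column;
        # the two header lines do not match and are skipped.
        $2 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ {
            split($2, q, "/")
            if (q[3] > 0 && q[2] * 100 >= pct * q[3]) {
                printf "%s %s incqlen=%d maxqlen=%d\n", $1, $3, q[2], q[3]
                hit = 1
            }
        }
        END { exit hit ? 1 : 0 }
    '
}

# Demo on the constructed sample. On a FreeBSD host the live form would be:
#   netstat -Lan | check_listen_queues 80
sample_netstat | check_listen_queues 80 || true
```
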
At 12:02 PM 3/7/2008, Darran wrote:
>Hello all,
>
>I want to run a (FreeBSD 7) server facing the internet and running Apache and
>wondered if it's safe out of the box .. so to speak ?

Yes, today it is. But that does not necessarily mean you will not need to do updates, apply patches, perhaps change your configuration to deal with new threats. In my experience, FreeBSD makes the latter part easier than Windows or Linux (IMHO and experience)

>Do i have to do a degree in configuration to allow it to face the wild west
>(internet) ?
>I also want to use it for storage of media and serving of media ..
>using windows
>and freebsd clients .. is it possible .. again .. out of the box ?

If you mean turn it on, click a few buttons and "it works" ? no. You will need to install and configure samba and apache.
e.g.
cd /usr/ports/net/samba3;make install

will get the application installed, but you still need to configure it and later maintain it. With Windows, I find you can initially get things working without understanding how it works. But when you run into problems, you won't understand how to fix them. In general I find with FreeBSD, you are expected to understand some basics, but you are then better prepared to understand the problems you will face in running a server....

That being said, the defaults FreeBSD 7.0 comes with are pretty sane and you should be able to get going quickly to the point where you are doing "stuff"

---Mike

Mike Tancsa <mike@sentex.net> wrote:
> At 12:02 PM 3/7/2008, Darran wrote:
> >Hello all,
> >
> >I want to run a (FreeBSD 7) server facing the internet and running Apache and
> >wondered if it's safe out of the box .. so to speak ?
> Yes, today it is. But that does not necessarily mean you will not
> need to do updates, apply patches, perhaps change your configuration
> to deal with new threats. In my experience, FreeBSD makes the latter
> part easier than Windows or Linux (IMHO and experience)
>
>
> >Do i have to do a degree in configuration to allow it to face the wild west
> >(internet) ?
> >I also want to use it for storage of media and serving of media ..
> >using windows
> >and freebsd clients .. is it possible .. again .. out of the box ?
>
>
> If you mean turn it on, click a few buttons and "it works" ? no. You
> will need to install and configure samba and apache.
> e.g.
> cd /usr/ports/net/samba3;make install
>
> will get the application installed, but you still need to configure
> it and later maintain it. With Windows, I find you can initially get
> things working without understanding how it works. But when you run
> into problems, you won't understand how to fix them. In general I find
> with FreeBSD, you are expected to understand some basics, but you are
> then better prepared to understand the problems you will face in
> running a server....
>
> That being said, the defaults FreeBSD 7.0 comes with are pretty
> sane and you should be able to get going quickly to the point where
> you are doing "stuff"
>
> ---Mike
>
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>

Thanks for the reply Mike,
I currently use FreeBSD on my laptop so I have some experience of running it and building the world etc etc, I think the question really boiled down to is it safe to run it after an install and minor configuration and I believe that at this point it is ..

Thanks
Darran
http://www.deejc.net

At 01:43 PM 3/7/2008, Darran wrote:
>building the world etc etc, i think the question really boiled down to is it
>safe to run it after an install and minor configuration and i believe that at
>this point it is ..

We have a number of busy production boxes running 7.0 (spam/virus scanning of email and a very busy AMD64 postgresql box, 8 gig RAM serving up about 30Mb/s of db results to 3 webservers on an Areca controller in RAID10). Hardware choices matter. But if it runs well under 6.x most things should run equally well under 7.x

---Mike