Docunext


Apache2 Documentation

May 15th, 2006

Apache 2 Errors

Got this error:

configuration error:  couldn't check access.  No groups file?: /awstats/awstats.pl

Many things cause this error, but in my case, mod_auth was not enabled. Duh.

Apache2 Performance

Update

We've switched to Prefork MPM for stability and resource management. Since this server is also a high volume email server and stability is the most important aspect to its operations, we are scaling back on performance issues to increase stability. The other services also affect the values we use to set up Prefork MPM:

StartServers 5 - not starting and stopping the daemon too often, so this is somewhat moot.

MinSpareServers 5 - ready for more action

MaxSpareServers 25 - keeping this smaller so that unused Apache resources can be lent to email services when needed.

MaxClients 256 - I don't want to run out of RAM!

MaxRequestsPerChild 250 - we have awesome processors so I don't mind restarting processes.

I also turned off KeepAlive.

The site is static so I'm mostly concerned with reliability, robustness, and uptime, rather than worrying about performance flexibility.

Old setup

I run a high volume server, 1,000,000 hits / day. That's hits, not unique visitors. Approximately 10,000 visitors / day. Our site is mostly static. First off we have a huge server with 2GB of RAM, then a RAID array with a good controller card, then these settings for Apache2:

  • Use mpm_worker - this is a multi-threaded server, using less memory.
  • Divide the ram by 5 for the max number of clients
  • Turn down timeout to 30 seconds
  • KeepAlive On
  • Unlimited Keepalive requests - important!
  • KeepAliveTimeout 2 - important!
  • Our worker settings:
    # worker MPM [DEFAULT IF USE=threads]
    # StartServers: initial number of server processes to start
    # MaxClients: maximum number of simultaneous client connections
    # MinSpareThreads: minimum number of worker threads which are kept spare
    # MaxSpareThreads: maximum number of worker threads which are kept spare
    # ThreadsPerChild: constant number of worker threads in each server process
    # MaxRequestsPerChild: maximum number of requests a server process serves
    <IfModule worker.c>
        StartServers        25
        MaxClients         400
        MinSpareThreads     50
        MaxSpareThreads     75
        ThreadsPerChild     25
        MaxRequestsPerChild  0
    </IfModule>

Mostly thanks to this post, and some trial and error:

http://virtualthreads.blogspot.com/2006/01/tuning-apache-part-1.html

Apache2 on Debian

Notes

  • a2ensite and a2dissite are automated ways of enabling and disabling virtual hosts for Apache2 on Debian. Strange to me, but seems like it might come in handy at some point.
  • To enable mod_auth_mysql, I ran a2enmod auth_mysql, but I'm getting an error:
    Invalid command 'AuthMySQLEnable', perhaps mis-spelled or defined by a module not included in the server configuration
  • The directives for mod_auth_mysql are totally different on Debian:

http://polestar.org/auth_mysql/USAGE.html


Setting up OpenSSL on Debian for Apache2

  1. a2enmod ssl
  2. cd /etc/apache2/ssl
  3. cd /etc/ssl
  4. nano openssl.cnf
  5. edit your defaults to minimize typing later on
  6. openssl req -new > new.cert.csr
  7. openssl rsa -in privkey.pem -out new.cert.key
  8. openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 1095
  9. cp /usr/lib/ssl/misc/new.cert.cert /etc/apache2/ssl/
  10. cp /usr/lib/ssl/misc/new.cert.key /etc/apache2/ssl/
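
Added example, not part of the original notes: a non-interactive run of steps 6-8 followed by the checks worth making before the copy in steps 9-10 (key matches certificate, key file is not readable by other users, certificate lifetime). The file names come from the steps above; the temporary directory, the CN dav.example.test, the demo passphrase and the explicit -newkey/-keyout/-subj options are assumptions made so the script runs without prompts.

```bash
# Added example, not from the original page. Paths, CN and passphrase are constructed.
make_selfsigned() {                 # $1 = output dir, $2 = common name
    local dir="$1" cn="$2"
    (
        umask 077                   # every file below is created mode 0600
        # Step 6: new RSA key (passphrase-protected) plus CSR
        openssl req -new -newkey rsa:2048 -passout pass:demo-only -subj "/CN=$cn" \
            -keyout "$dir/privkey.pem" -out "$dir/new.cert.csr" 2>/dev/null &&
        # Step 7: strip the passphrase so Apache can start unattended
        openssl rsa -passin pass:demo-only -in "$dir/privkey.pem" \
            -out "$dir/new.cert.key" 2>/dev/null &&
        # Step 8: self-sign the CSR for 1095 days
        openssl x509 -req -in "$dir/new.cert.csr" -signkey "$dir/new.cert.key" \
            -days 1095 -out "$dir/new.cert.cert" 2>/dev/null &&
        rm -f "$dir/privkey.pem" "$dir/new.cert.csr"
    )
}

# The certificate must carry the public half of the key Apache will load.
key_matches_cert() {                # $1 = certificate, $2 = private key
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# After step 7 the key is plaintext on disk: no access for group or other.
key_is_private() {                  # $1 = private key
    local mode
    mode=$(stat -c '%a' "$1") || return 1   # GNU stat, as on Debian
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Succeeds while the certificate has more than $2 days of validity left.
cert_valid_for_days() {             # $1 = certificate, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

demo_dir=$(mktemp -d)
if make_selfsigned "$demo_dir" dav.example.test &&
   key_matches_cert "$demo_dir/new.cert.cert" "$demo_dir/new.cert.key" &&
   key_is_private "$demo_dir/new.cert.key" &&
   cert_valid_for_days "$demo_dir/new.cert.cert" 30
then echo "OK: files in $demo_dir can be copied to /etc/apache2/ssl/"
else echo "FAIL: do not install these files" >&2
fi
```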

Notes

  • Debian complains if you mix non-port specified IP wildcards, so always use *:80, *:443, or whatever port you are using to specify NameVirtualHosts.

External Related Links:

http://www.gentoo.org/doc/en/virt-mail-howto.xml

Setting up mod_dav over SSL with MySQL authentication

  1. On gentoo, edited /etc/conf.d/apache2 to include dav and dav_fs
  2. On gentoo, emerge mod_auth_mysql
  3. Getting annoying error from apache: End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
  4. Boy the apache configuration was a pain, but I finally got it working.

Notes

  • Mac OS X 10.3 doesn't support https webdav. Though you can use Goliath.
  • mod_dav won't work with symlinks. Don't even try it.
  • Users attached to a mod_dav file share access the share with the same userid that Apache is running as. This can be a security issue if you are publicly serving the same files.

Questions

  • Is it possible to "approximate" a virtual file system with
    • additional metadata from xml file
    • dynamic (possible?) Apache aliases and mod_rewrites - probably no easy way to automate this without automatically rewriting .htaccess files
    • user authentication and name service switch from a flexible data structure

External Links:

Mod Auth Mysql

mod_dav

Mod_dav provides file sharing not unlike Samba or AFP.

mod_auth_mysql

Mod_auth_mysql is an Apache module which provides for authentication via MySQL.

The combination of Apache, mod_dav, and SSL is an incredible alternative and, in my humble opinion, an improvement to a setup with a VPN (OpenVPN, PPTP, or L2TP/IPSec) with a Samba or AFP share.
