Category: web server

  • Checking Apache's concurrent request count and its TCP connection states

    Apache tuning
    # prefork MPM
    # StartServers: number of server processes to start
    # MinSpareServers: minimum number of server processes which are kept spare
    # MaxSpareServers: maximum number of server processes which are kept spare
    # MaxClients: maximum number of server processes allowed to start
    # MaxRequestsPerChild: maximum number of requests a server process serves

    StartServers         10
    MinSpareServers      10
    MaxSpareServers      15
    ServerLimit          2000
    MaxClients           2000
    MaxRequestsPerChild  10000

    Change to:
    StartServers 150
    MinSpareServers 10
    MaxSpareServers 20
    ServerLimit  20000
    MaxClients 20000
    MaxRequestsPerChild 10000

    Check the number of httpd processes (in prefork mode this is the number of concurrent requests Apache can handle):
    Linux command:

    ps -ef | grep httpd | wc -l

    Check Apache's concurrent request count and the TCP connection states:
    Linux command:

    netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'

    Example output:
    LAST_ACK 5
    SYN_RECV 30
    ESTABLISHED 1597
    FIN_WAIT1 51
    FIN_WAIT2 504
    TIME_WAIT 1057
    Here SYN_RECV is the number of requests waiting to be handled; ESTABLISHED is the normal data transfer state; TIME_WAIT is the number of requests that have completed and are waiting for the timeout to expire.

    CLOSED: no connection is active or pending
    LISTEN: the server is waiting for an incoming call
    SYN_RECV: a connection request has arrived, waiting for acknowledgement
    SYN_SENT: the application has started opening a connection
    ESTABLISHED: normal data transfer state
    FIN_WAIT1: the application has said it is finished
    FIN_WAIT2: the other side has agreed to release
    TIME_WAIT: waiting for all packets to die off
    CLOSING: both sides tried to close at the same time
    CLOSE_WAIT: the other side has initiated a release
    LAST_ACK: waiting for all packets to die off
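    An added example (not part of the original post) that does the same tally as the netstat/awk one-liner above in Python, restricted to one local port, and compares the ESTABLISHED count against the MaxClients value from the tuning section; the netstat lines are constructed.

```python
from collections import Counter

# Constructed sample of `netstat -n` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.8:51235      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:51236      TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.9:51237      ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:22      ::ffff:198.51.100.10:4000 ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

def tally_tcp_states(netstat_output, port=None):
    """Count TCP sockets by state (the awk script's S[$NF]); optionally only those on local `port`."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Same filter as /^tcp/ in the awk script: skips the two header lines and udp sockets.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local_addr, state = fields[3], fields[-1]
        # Match the port exactly: "10.0.0.5:80" but not "10.0.0.5:8080" or "...:51280".
        if port is not None and local_addr.rsplit(":", 1)[-1] != str(port):
            continue
        counts[state] += 1
    return dict(counts)

def prefork_headroom(counts, max_clients):
    """Rough occupancy check: an accepted ESTABLISHED connection holds a prefork worker until closed."""
    in_use = counts.get("ESTABLISHED", 0)
    backlog = counts.get("SYN_RECV", 0)   # half-open handshakes, still in the kernel, no worker yet
    return {"in_use": in_use, "free": max_clients - in_use, "backlog": backlog,
            "saturated": in_use >= max_clients}

if __name__ == "__main__":
    by_state = tally_tcp_states(SAMPLE_NETSTAT, port=80)
    for state, n in sorted(by_state.items()):
        print(state, n)
    print(prefork_headroom(by_state, max_clients=2000))
```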

  • [apache] The mod_reqtimeout module

    ll /usr/lib64/httpd/modules/mod_reqtimeout.so
    -rwxr-xr-x. 1 root root 14576 Feb 22 2013 /usr/lib64/httpd/modules/mod_reqtimeout.so

     

    To explain what mod_reqtimeout is for, some background is needed first.

    [Background]

    A client sends request headers (or a body) to the web server, and the web server keeps waiting until it has received a complete request header (or body).
    The client keeps sending new requests, opening new connections and again sending incomplete headers (or bodies).
    This can leave a large number of processes/threads waiting for client data, exhausting the web server's resources so that legitimate requests cannot be served.

    This vulnerability exists in Apache 1.x and 2.x; for other servers (nginx, dhttpd, GoAhead WebServer, IIS 6.0, IIS 7.0, lighttpd) I have not confirmed it.

    [Solution]
    This Apache weakness leads to denial of service (DoS) attacks, so please take note.
    The HTTP DoS tools "OWASP HTTP POST Tool" or "Slowloris" can be used to launch an attack and check whether a site is affected by this weakness.

    When Apache runs into this problem, the server-status page shows that the processes/threads below are all reading requests:

    —————————————————-

    64 requests currently being processed, 0 idle workers
    RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRWR

    Scoreboard Key:
    "_" Waiting for Connection, "S" Starting up, "R" Reading Request,
    "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
    "C" Closing connection, "L" Logging, "G" Gracefully finishing,
    "I" Idle cleanup of worker, "." Open slot with no current process

    —————————————————-
    Apache's mod_reqtimeout module exists to prevent exactly this problem.

    [Configuration]

    httpd.conf

    LoadModule reqtimeout_module modules/mod_reqtimeout.so
    <IfModule reqtimeout_module>
    RequestReadTimeout header=5-40,MinRate=500 body=20,MinRate=500
    </IfModule>
    ※ header and body values are in seconds; MinRate is in bytes/second.
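    An added example (not from the post or the Apache project) that makes the directive above concrete: it parses the RequestReadTimeout line and computes how long the server keeps waiting as bytes arrive (one extra second per MinRate bytes, capped at the maximum when one is given, as the mod_reqtimeout documentation linked below describes), and it scores a server-status scoreboard string like the one shown earlier; the directive text and the scoreboard are constructed here.

```python
# Constructed inputs for the example; not taken from a real server.
DIRECTIVE = "RequestReadTimeout header=5-40,MinRate=500 body=20,MinRate=500"
SCOREBOARD = "R" * 62 + "WR"   # 64 busy workers, 63 of them still reading the request

def parse_request_read_timeout(line):
    """Map each stage to (initial_seconds, max_seconds_or_None, min_rate_or_None)."""
    stages = {}
    for token in line.split()[1:]:                   # skip the directive name
        stage, _, spec = token.partition("=")        # "header", "5-40,MinRate=500"
        parts = spec.split(",")
        bounds = parts[0].split("-")
        initial = int(bounds[0])
        maximum = int(bounds[1]) if len(bounds) > 1 else None   # no upper bound if absent
        min_rate = None
        for opt in parts[1:]:
            key, _, value = opt.partition("=")
            if key == "MinRate":
                min_rate = int(value)
        stages[stage] = (initial, maximum, min_rate)
    return stages

def allowed_seconds(stage_cfg, bytes_received):
    """Seconds the server will wait in this stage after `bytes_received` bytes have arrived.
    Per the mod_reqtimeout docs the timeout grows by one second per MinRate bytes,
    capped at the maximum when one is configured."""
    initial, maximum, min_rate = stage_cfg
    allowed = float(initial)
    if min_rate:
        allowed += bytes_received / min_rate
    if maximum is not None:
        allowed = min(allowed, float(maximum))
    return allowed

def reading_ratio(scoreboard):
    """Share of busy workers in state 'R' (Reading Request); near 1.0 is the slow-request symptom."""
    busy = [c for c in scoreboard if c not in "_."]  # '_' waiting for connection, '.' open slot
    return scoreboard.count("R") / len(busy) if busy else 0.0

if __name__ == "__main__":
    cfg = parse_request_read_timeout(DIRECTIVE)
    print("header, 0 bytes ->", allowed_seconds(cfg["header"], 0), "s")
    print("header, 2500 bytes ->", allowed_seconds(cfg["header"], 2500), "s")
    print("body, 50000 bytes ->", allowed_seconds(cfg["body"], 50000), "s")
    print("reading ratio:", reading_ratio(SCOREBOARD))
```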


    Related tools:
    OWASP HTTP POST Tool
    http://www.owasp.org/index.php/OWASP_HTTP_Post_Tool
    Slowloris
    http://ha.ckers.org/slowloris/

    Reference: http://httpd.apache.org/docs/2.2/en/mod/mod_reqtimeout.html

    http://www.acunetix.com/blog/web-security-zone/articles/slow-http-dos-attacks-mitigate-apache-http-server/

     

  • Starting httpd: (98)Address already in use: make_sock: could not bind to add

    service httpd start
    Starting httpd: (98)Address already in use: make_sock: could not bind to address
    (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
    no listening sockets available, shutting down
    Unable to open logs
    [FAILED]

    ps ax | grep httpd | awk '{if (NR == 2) { print "kill -KILL " $1} }' > /home/xxx.sh
    First find the process occupying port 80 and kill it:
    1. On Windows: netstat -aon | findstr "80"
    2. On Linux, use: lsof -i:80
    kill -9 <the PID found above>
    service httpd restart

     

    Starting httpd: (98)Address already in use: make_sock: could not bind to add

    Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:80
    (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
    no listening sockets available, shutting down
    Unable to open logs
    [FAILED]

    1. netstat -lnp | grep 80

    tcp        0      0 192.168.180.68:61027        0.0.0.0:*                   LISTEN      6289/oproxyd
    tcp        0      0 :::80                       :::*                        LISTEN      846/httpd
    tcp        0      0 ::ffff:192.168.180.68:7001 :::*                        LISTEN      32015/java

    Find PID 846:

    # ps 846
    (inspect it)
    # kill -9 846
    (kill it)

    # ./apachectl start
    Started successfully.

    service httpd start
    Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:443
    no listening sockets available, shutting down
    Unable to open logs
    [FAILED]
    [root@mypiao ~]# netstat -lnp|grep 80
    tcp        0      0 :::80                       :::*                        LISTEN      11886/wget
    [root@mypiao ~]# kill -9 11886
    [root@mypiao ~]# service httpd start
    Starting httpd:                                            [  OK  ]
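    An added example (not from the post) that finds the listener on an exact port from `netstat -lnp` output instead of `grep 80`, which, as the first netstat line above shows, also matches the address 192.168.180.68 and would likewise match port 8080; the sample lines are constructed, modelled on the output above.

```python
# Constructed `netstat -lnp` lines modelled on the post's output; not real captured data.
SAMPLE_LISTENERS = """\
tcp        0      0 192.168.180.68:61027        0.0.0.0:*                   LISTEN      6289/oproxyd
tcp        0      0 :::80                       :::*                        LISTEN      846/httpd
tcp        0      0 ::ffff:192.168.180.68:7001 :::*                        LISTEN      32015/java
tcp        0      0 0.0.0.0:8080                0.0.0.0:*                   LISTEN      4242/java
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      -
"""

def listeners_on_port(netstat_lnp, port):
    """Return [(pid_or_None, program)] for TCP sockets in LISTEN on exactly `port`."""
    found = []
    for line in netstat_lnp.splitlines():
        f = line.split()
        # Columns: proto recv-q send-q local foreign state pid/program
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        # rsplit handles 0.0.0.0:80, :::80 and ::ffff:192.168.180.68:80 alike; the exact
        # comparison avoids the grep-80 false positives (port 8080, address 180.68).
        if f[3].rsplit(":", 1)[1] != str(port):
            continue
        pid, _, program = f[6].partition("/")
        # netstat prints "-" when the caller lacks permission to see the owner process.
        found.append((int(pid) if pid.isdigit() else None, program))
    return found

if __name__ == "__main__":
    for port in (80, 8080, 443, 22):
        print(port, listeners_on_port(SAMPLE_LISTENERS, port))
```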