|
|
Admin Guide for HP-UX Apache-based Web Server
TABLE OF CONTENTS
Important Changes
- Increasing the Number of Available File Descriptors
- HP-UX Apache-based Web Server Restructuring
- Apache API Changes from Previous Releases
- Changed behavior of Scriptsock directive for mod_cgid
- Added mod_jk2 support
- mod_jk moved from Tomcat Product to Apache Product
- Added two new directives CGIScriptTimeoutEnabled and CGIScriptTimeout
- Enabling multiple cgi daemons using ScriptMultipleDaemons directive
Setup
- Prerequisites
- IPv6-specific System Information
- Installation
- Starting and Stopping HP-UX Apache-based Web Server
Configuration
- Configuration Files
- Admin Guides
- Moving the Root Directory
- Automatic Restart of Apache
- Enabling more file descriptors
- Configuring mod_jk and mod_jk2
- Running Multiple instances of Apache
- Running 11.00 depot on 11.11
IPV6 Information
- Functionality Supported
- Supporting Components
- Enabling/Disabling IPv6
Troubleshooting
Known Bugs
Tuning
- Using Directives
- Using Modules
- Configuring HP-UX Environment
- Other Configuration
Legal Notices
IMPORTANT CHANGES
This feature release of HP-UX Apache-based Web Server contains support for
Microsoft(R) FrontPage Server Extensions, more PHP extensions, different
cryptography libraries used for SSL transactions and version upgrades.
Increasing the Number of Available File Descriptors
HP-UX Apache-based Web Server version A.2.0.48.00 and later are compiled with
_USE_BIG_FDS to raise the maximum allowed number of simultaneous open files,
or maximum number of file descriptors, from 2048 to 60000 per process
(depending on the system configuration). This value is specified by the
constant MAXFUPLIM (and the equivalents _MAXFUPLIM and FD_SETSIZE). To enable
this feature requires changes to the HP-UX environment as specified in,
Enabling more file descriptors
HP-UX Apache-based Web Server Restructuring
Starting with the HP-UX Web Server Suite, HP-UX Apache-based Web
Server, HP-UX Webmin-based Admin, and HP-UX Tomcat-based Servlet Engine are
separate installable components and now reside under their own directory
structure. Each component has its own root directory under /opt/hpws.
The new directories are:
/opt/hpws/apache/
/opt/hpws/tomcat/
/opt/hpws/webmin/
/opt/hpws/xmltools/
/opt/hpws/apache/ includes the Apache binary (httpd) as well as HP add-on
features such as mod_auth_ldap, mod_perl, mod_php, etc.
This structure reflects HP-UX Web Server Suite's flexibility for
installing and running Apache, Webmin, Tomcat and XML Tools either separately
or in combination.
Documentation common to all products (Migration Guides, FAQ) is delivered
with the HP-UX Webmin-based Admin product. To access these documents, it
must be installed. Uninstalling HP-UX Webmin-based Admin may lead to
inaccessibility of HP-UX Web Server Suite documentation by other components
of the suite that may still be installed. For more information on resolving
this condition, please refer to /opt/hpws/apache/hpws_docs/.hp_docs/README
IMPORTANT NOTE:
HP-UX Apache-based Web Server will no longer automatically start after
installation, you will have to start it manually.
Apache API Changes from Previous Releases
The following has changed between this release and earlier releases of
Apache 2.x.
- Changes between Apache 2.0.49 and Apache 2.0.50
This version of Apache is principally a bug fix release. Of particular note is
that 2.0.50 addresses two security vulnerabilities:
A remotely triggered memory leak in http header parsing can allow a denial of service
attack due to excessive memory consumption.
Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a (trusted) client
certificate subject DN which exceeds 6K in length.
- Changes between Apache 2.0.48 and Apache 2.0.49
This version of Apache is principally a bug fix release. Of particular note is
that 2.0.49 addresses three security vulnerabilities:
Apache does not filter terminal escape sequences from error logs,
which could make it easier for attackers to insert those sequences into
terminal emulators.
Starvation issue on listening sockets occurs when a short-lived connection
on a rarely-accessed listening socket will cause a child to hold the accept
mutex and block out new connections.
Memory leak in mod_ssl allows a remote denial of service attack against a
SSL-enabled server by sending plain HTTP requests to the SSL port.
- Changes between Apache 2.0.47 and Apache 2.0.48
This version of Apache is principally a bug fix release. Of particular note is
that 2.0.48 addresses two security vulnerabilities:
mod_cgid mishandling of CGI redirect paths could result in CGI output going to
the wrong client when a threaded MPM is used.
A buffer overflow could occur in mod_alias and mod_rewrite when a regular
expression with more than 9 captures is configured.
This release is compatible with modules compiled for 2.0.42 and later versions.
- Changes between Apache 2.0.43 and Apache 2.0.45/2.0.46
This release is binary-compatible with Apache 2.0.42 and greater. All the
modules compiled with Apache 2.0.42 or greater will continue to work with
this version.
- Changes between Apache 2.0.39 and Apache 2.0.43
This release is binary-compatible only with 2.0.42, and no other previous
releases. All modules must be recompiled in order to work with this version.
For example, a module compiled to work with 2.0.39 will not work with 2.0.43.
The definitions of the following functions have changed to include an
additional parameter, ap_init_filter_func:
ap_register_input_filter ( ... )
ap_register_output_filter ( ... )
More information can be found in /opt/hpws/apache/include/util_filter.h.
- Changes between Apache 2.0.32 and Apache 2.0.39
Apart from the following API changes, 2.0.32-based modules may have to
be recompiled for 2.0.39, due to redefinition of some data structures.
If a module is based on the 2.0.32 or earlier API, it may be affected by
name changes for apr_lock-related functions. Make sure to verify that the
module is using the correct name and rebuild if needed. The following table
lists the name changes for the apr_lock-related functions. More information
can be found in /opt/hpws/apache/include/apr_thread_mutex.h.
v.2.0.32 (or earlier): corresponding function in v.2.0.39:
-------------------------- ------------------------------------
apr_lock_create ( ... ); apr_thread_mutex_create ( ... );
apr_lock_acquire ( ... ); apr_thread_mutex_lock ( ... );
apr_lock_release ( ... ); apr_thread_mutex_unlock ( ... );
apr_lock_destroy ( ... ); apr_thread_mutex_destroy ( ... );
Changed behavior of Scriptsock directive for mod_cgid
The behavior of 'Scriptsock' directive has been changed to fix multiple bugs
in mod_cgid, including:
- httpd hangs if 'read' is used in the CGI script
- the POST operation to a CGI script fails to complete
Old Behavior: The httpd daemon opens a AF_UNIX socket (based on the value
given by Scriptsock directive) to connect to the CGI daemon.
New Behavior:
option 1: Using AF_INET socket by specifying a port number in Scriptsock directive.
The httpd daemon opens a AF_INET socket to the CGI daemon.
The CGI daemon will listen on the localhost (127.0.0.1), using the port
specified by the Scriptsock directive. By default, the CGI daemon will listen
on default port 127.0.0.1:5080
NOTE: HP has found that binding to the localhost address (127.0.0.1), provides
the same level of security as offered by the AF_UNIX socket.
option 2: Continue to use the old behavior. This will not have the fix for the above problems.
If Scriptsock directive is not specified, by default, the httpd daemon opens a AF_INET socket
to the CGI daemon. The CGI daemon will listen on default port 127.0.0.1:5080
Examples of using the Scriptsock directive:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Scriptsock 8000
the CGID will listen on 127.0.0.1:8000
2. Scriptsock logs/cgisock
The httpd daemon opens a AF_UNIX socket (based on the value given by Scriptsock directive)
to connect to the CGI daemon.
3. Scriptsock 8000logs/cgisock
the CGID will listen on 127.0.0.1:8000, the string logs/cgisock is discarded.
4. NO Scriptsock is defined in httpd.conf
the CGI daemon will listen on the default port: 127.0.0.1:5080
Added mod_jk2 support
For more information on mod_jk2 please visit:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/jk2/jk2/confighowto.html
mod_jk moved from Tomcat Product to Apache Product
mod_jk is moved to /opt/hpws/apache/modules.
Added two new directives CGIScriptTimeoutEnabled and CGIScriptTimeout
mod_cgid from 2.0.59.00 onwards supports two new directives which can be
configured to control the amount of time cgi scripts are allowed to run on
the server. These can be configured in the apache configuration file httpd.conf
as below:
- CGIScriptTimeoutEnabled :
Allows to set the timeout for cgi scripts.
When the value of this directive is set to "On", the default timeout for the
cgi scripts would be set to the value of TimeOut directive, unless it is
overridden by CGIScriptTimeout directive as shown below.
Usage: CGIScriptTimeoutEnabled On
Default: Off
If the CGIScriptTimeoutEnabled is set to "Off", then there is no timeout for the
cgi scripts even if CGIScriptTimeout is configured with a value. So, make sure
CGIScriptTimeoutEnabled is On, whenever you need a timeout to be configured.
- CGIScriptTimeout :
The maximum amount of time in seconds a cgi script is allowed to
run. This value overrides the one set by TimeOut directive.
CGIScriptTimeoutEnabled should be set to "On" to use this directive.
Usage: CGIScriptTimeout 250
Default: Set to the value of TimeOut directive if CGIScriptTimeoutEnabled is set to "On
Enabling multiple cgi daemons using ScriptMultipleDaemons directive
- ScriptMultipleDaemons:
mod_cgid from 2.0.59.00 onwards supports this directive, which can be
configured to create multiple cgi daemons (rather than one daemon which is the
default) during Apache startup. Configure this directive to a reasonable value(integer)
to improve cgid performance.
Usage: ScriptMultipleDaemons <number of daemons>
Default: By default only one daemon is created for serving cgi requests
NOTE: This directive should appear after 'Scriptsock' directive as shown below:
<IfModule mod_cgid.c>
Scriptsock logs/cgisock
ScriptMultipleDaemons 10
</IfModule>
SETUP
Prerequisites
1. See individual Admin Guides for each component to determine patch
requirements.
LDAP Admin Guide
PHP Admin Guide
SSL Admin Guide
suEXEC Admin Guide
Frontpage Admin Guide
Webproxy Admin Guide
2. Building Apache modules in C and C++ requires aCC. For more information
go to http://www.hp.com/go/hpc++ within the "Developer & Solution Partner
Portal" at http://dsportal.eservices.hp.com/.
C++ plug-in modules should be built with the Standard C++ runtimes libraries,
-lstd_v2 and -lCsup. Standard C++ runtime libraries are the default
on IPF so plug-ins can be compiled using the default or by explicitly
selecting the Standard C++ runtime libraries with the -AA compile option:
Using the default,
aCC -b +DD64 -mt +z -I/opt/hpws/apache/include -o mod_hello.so \
mod_hello.cpp
To specify the -AA option,
aCC -b +DD64 -AA -mt +z -I/opt/hpws/apache/include -o mod_hello.so \
mod_hello.cpp
For more information about C++ libraries, please see http://www.hp.comd/go/C++.
#endif
3. Building DSOs using /opt/hpws/apache/bin/apxs depends on Perl. There are two
version of Perl available for IPF: 32-bit version and 64-bit version.
By default all Perl scripts bundled with Apache expect 32-bit Perl and
mod_perl requires 64-bit Perl. The expected location for Perl is
/opt/perl_64/bin/perl.
To use 32-bit Perl:
Download and install Perl 5.8.8 for HP-UX 11i Version 1.6 (IPF)
from HP Software Depot:
http://software.hp.com/
Search for: Perl 5.8.8
Make sure to select the 32-bit version of Perl for IPF.
If you prefer to use different Perl change the path in the apxs
script to the Perl location installed on your machine.
4. HP-UX Apache-based Web Server binary is perl-enabled. That is, mod_perl is
built as a DSO module and is distributed as part of the HP-UX Apache-based
Web Server release bundle.
However, mod_perl has not been enabled in the default installation.
Follow these steps to configure and enable mod_perl:
a. Download and install Perl 5.8.8 on HP-UX 11i Versions 1.6 for IPF
from HP Software Depot:
http://software.hp.com/
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL
Search for: Perl 5.8.8
Make sure to select the 64-bit version of Perl for IPF.
b. Edit /opt/hpws/apache/conf/httpd.conf and uncomment the line
(i.e. remove the beginning '#' character).
LoadModule perl_module modules/mod_perl.so
To have mod_perl handle all scripts ending in *.pl, make sure that
the section enclosed in <IfModule mod_perl.c> ...
is uncommented.
This step will make HP-UX Apache-based Web Server perl-ready.
c. Restart the HP-UX Apache-based Web Server
/opt/hpws/apache/bin/apachectl stop
/opt/hpws/apache/bin/apachectl start
IPv6-specific System Information
1. IPv6 support is available by default on HP-UX 11i version 2. You do not
need a separate installation of any IPv6 product.
Installation
Information on installing all products of HP-UX Web Server Suite can be found in
Getting Started
The user configurable files of HP-UX Apache-based Web Server will be saved
as per the standard HP-UX newconfig methodology. More information can be
found in the newconfig section of Getting Started.
Starting and Stopping HP-UX Apache-based Web Server
Note: In the default installation you must be root to start/stop
the HP-UX Apache-based Web Server.
Apache
To start the HP-UX Apache-based Web Server:
$/opt/hpws/apache/bin/apachectl start
To stop the HP-UX Apache-based Web Server:
$/opt/hpws/apache/bin/apachectl stop
To start the HP-UX Apache-based Web Server with SSL capability:
$/opt/hpws/apache/bin/apachectl startssl
IF YOU HAVE ADDED A NEW SERVER KEY (CERTIFICATE) WHICH
HAS A PEM ENCODED PASS PHRASE, YOU WILL BE PROMPTED TO
ENTER IT HERE
To stop the HP-UX Apache-based Web Server with SSL capability:
$/opt/hpws/apache/bin/apachectl stop
For server startup with PHP, suexec and ldap authentication, see the
corresponding Admin guides located in /opt/hpws/hp_docs/apache/.
For server startup with WebDAV, when your server is running, see the FAQ
located at http://yourserver.com/hp_docs/faq/, or use Webmin and access
http://yourserver.com:10000/hp_docs/faq/.
CONFIGURATION
Configuration Files
The HP-UX Apache-based Web Server 2.x has additional configuration files
beyond the /opt/hpws/apache/conf/httpd.conf file. These configuration files
are specific to a major component and are found in the following locations
by default:
Apache: /opt/hpws/apache/conf/httpd.conf
Apache (SSL): /opt/hpws/apache/conf/ssl.conf
Apache (caching): /opt/hpws/apache/conf/cache.conf
PHP: /opt/hpws/apache/conf/php.ini
auth_ldap: /opt/hpws/apache/conf/ldap.conf
mod_auth_ldap/mod_ldap (caching): /opt/hpws/apache/conf/ldap.conf
mod_jk: /opt/hpws/apache/conf/mod_jk.conf
/opt/hpws/apache/conf/workers.properties
mod_jk2: /opt/hpws/apache/conf/mod_jk2.conf
/opt/hpws/apache/conf/workers2.properties
Admin Guides
Refer to the following documents included with the software located
in the /opt/hpws/hp_docs/ directory. If HP-UX Apache-based Web Server
has been started with the default configuration, these documents
can be viewed at http://yourserver.com/hp_docs. These are also viewable
via Webmin at http://yourserver.com:10000/hp_docs/.
Apache Admin Guide
LDAP Admin Guide
PHP Admin Guide
SSL Admin Guide
suEXEC Admin Guide
Frontpage Admin Guide
Webproxy Admin Guide
Moving the Root Directory
The altroot.sh script has been provided to easily move the entire /opt/hpws/
directory, including HP-UX Apache-based Web Server, HP-UX Tomcat-based
Servlet Engine, HP-UX Webmin-based Admin and HP-UX XML Web Server Tools.
The script is located in the /opt/hpws/util/ directory. Detailed information
is located in the General Utilities User Guide.
Automatic Restart of Apache
If you would like to automatically restart HP-UX Apache-based Web Server at
boot-up time, you will have to modify the specific components configuration
file:
/etc/rc.config.d/hpws_apacheconf for HP-UX Apache-based Web Server
If you do not set the HPWS_APACHE_START or HPWS_APACHE_START_SSL to 1,
then you will need to manually start HP-UX Apache-based Web Server when the
system comes online after a system reboot. These values are set to '0'
(no reboot) by default.
NOTE:
(1) If you intend to start HP-UX Apache-based Web Server in SSL-mode,
ensure that the Certificate key file is not encrypted with a password.
In the case that the key file requires a password, the system bootup
will hang.
(2) With their default configurations, the startup of HP Apache-based Web
Server 1.3 has higher precedence over HP-UX Apache-based Web Server
at reboot time. Therefore, if both 1.3 and are configured to use
the same port number and set to be restarted at boot time, only 1.3
would come up. Therefore, it is recommended that the user set the
config files (/etc/rc.config.d/apacheconf for 1.3 and
/etc/rc.config.d/hpws_apacheconf for ) to start either HP
Apache-based Web Server 1.3 or HP-UX Apache-based Web Server .
Starting both HP Apache-based Web Server 1.3 and HP-UX Apache-based
Web Server at reboot time is currently not supported.
- To automatically start HP-UX Apache-based Web Server at boot-up time.
Set the HPWS_APACHE_START variable to 1. If you do not desire this
feature, set the HPWS_APACHE_START variable to 0. The line below
shows how to turn it on.
HPWS_APACHE_START=1
The startup scripts have a direct dependency on the HPWS_APACHE_HOME
variable, and expects HP-UX Apache-based Web Server to be located in the
<HPWS_APACHE_HOME> directory.
Enabling more file descriptors
HP-UX Apache-based Web Server is now compiled with _USE_BIG_FDS to raise the
maximum allowed number of simultaneous open files, or maximum number of file
descriptors, from 2048 to 60000 (depending on the system configuration) per
process. This value is specified by the constant MAXFUPLIM (and the equivalents
_MAXFUPLIM and FD_SETSIZE). To enable this feature requires the following
changes:
To enable HP-UX Apache-based Web Server for handling a large amount of file
descriptors, your need to change the system-wide RLIMIT_NOFILE defaults by
modifying the kernel tunables maxfiles and maxfiles_lim; see the SAM on-line
kernel configuration help for more information.
You might also need to reconfigure the machine with a larger value for the
kernel tunable nfile. This tunable specifies the per-machine (as opposed to
per-process) maximum number of simultaneous open files and the default value
is much less than 60000. See the SAM online kernel configuration help for more
information.
Configuring mod_jk and mod_jk2
To use HP-UX Apache-based Web Server with HP-UX Tomcat-based Servlet Engine
Modify /opt/hpws/apache/conf/httpd.conf:
In this file enable mod_jk or mod_jk2 connector by uncommenting one of the following lines:
Include /opt/hpws/apache/conf/mod_jk.conf -OR-
Include /opt/hpws/apache/conf/mod_jk2.conf
Modify /opt/hpws/apache/conf/mod_jk.conf (if necessary):
You can add here additional mount points if you want HP-UX Apache-based
Web Server to forward requests to HP-UX Tomcat-based Servlet Engine.
Add lines similar to the following:
JkMount /mywebapp ajp13
JkMount /mywebapp/* ajp13
In the case of /opt/hpws/apache/conf/mod_jk2.conf:
<Location "/mywebapp/*">
JkUriSet worker ajp13:localhost:8009
</Location>
Start HP-UX Tomcat-based Servlet Engine
$ cd /opt/hpws/tomcat
$ bin/startup.sh
Start HP-UX Apache-based Web Server
$ /opt/hpws/apache/bin/apachectl start
To enable logging in mod_jk
If we suspect problems in communication between the web server and HP-UX
Tomcat-based Servlet Engine we can turn on logging inside mod_jk. To do that edit
/opt/hpws/apache/conf/mod_jk.conf file and set
JkLogFile /opt/hpws/apache/logs/jk.log
JkLogLevel debug
Available logging levels are: debug, info, error, emerg.
To enable logging in mod_jk2
There is no special directive to enable error logging in mod_jk2 specifically
mod_jk2 error log is integrated into Apache web server's error log.
<h3>Running Multiple instances of Apache
1)Install Apache and Webmin on your machine. It is mandatory to install Webmin.
Webmin contains the file, altroot.sh, that is used to change the apache install directory.
Note: If Apache and Webmin are already installed, ensure that they are are not running.
2)Enter the following command at the HP-UX prompt:
#/opt/hpws/util/altroot.sh --apache /opt/hpws/apache <New_location_for_Apache>
Eg: #/opt/hpws/util/altroot.sh --apache /opt/hpws/apache /usr/local/hpws/apache
The /opt/hpws/apache directory will be moved to the specified location after this.
For more information about Altroot, visit:
http://servername.com/hp_docs/utilities.user.guide
3)Open the <New_location_for_Apache>/conf/httpd.conf file. Change the Listen directive
option to a value, other than the default 80, so that Apache can listen on a different port.
Note: If you are installing a lower version of Apache, you must remove the current
installation of Apache using the swremove command. Removing the current installation will
not delete any files from the altrooted apache installation. However, it will only
remove the IPD entries from the previous installation.
4)Install another instance of Apache.
The default location of the installation files is /opt/hpws
5)To run this newly installed Apache in a location other than the default location,
repeat steps 1-3.
<h3>Running 11.00 depot on 11.11
Patch PHSS_33263 needs to be installed to run a 11.00 depot on a 11.11 system.
IPV6 INFORMATION
IPv6 stands for "Internet Protocol Version 6", the "next generation"
protocol designed by the IETF to replace the current version Internet
Protocol Version 4 (IPv4). The new IPv6 addresses the current problem of
and network configuration.
IPv6 is only supported on the HP-UX Apache-based Web Server for HP-UX
11i (for PA-RISC) and HP-UX 11i version 2.
Functionality Supported
Since HP-UX Apache-based Web Server is dependent on other products such as
Perl, it may or may not work the same as it does in its IPv4 version.
A. Complete Support
The following components work on IPv6 platform, and all the
functionality of IPv6 is also implemented.
- Apache Core
- PHP
- SSI
- CGI (C-based and shell script)
B. Partial Support
Although the following components works on IPv6 platform, they may not
behave correctly for networking calls related to IPv6 address, due to
a lack of underlying support.
- OpenSSL
OpenSSL does not have support for IPv6. However, on an IPv6 machine,
it could still be used in IPv4 mode.
- mod_ssl
Since HP-UX Apache-based Web Server implements the SSL using the OpenSSL
library, mod_ssl does not support IPv6 addresses.
- ab and OpenSSL
/opt/hpws/apache/bin/ab implements SSL using OpenSSL. Since OpenSSL
does not have support for IPv6, ab does not either.
- Stunnel
Stunnel currently does not have IPv6 capabilities, i.e. it cannot
listen on IPv6 addresses. Therefore, when one starts Stunnel they need
to specify an IPv4 address/port for Stunnel. Hence your ldap
authentication configuration should point to the IPv4 address/port
that Stunnel is listening on.
- SSL clients
Currently, there are no SSL clients available from HP on HP-UX for
IPv6. However, one could use the standard SSL clients in IPv4 mode.
- CGI (Perl-based)
- mod_perl
CGI scripts or Perl modules written in Perl will return failure for
any calls to gethostbyname() for the IPv6 addresses, as Perl does not
support IPv6. Hence, perl-based CGI and mod_perl are supported only in
IPv4 mode.
- LDAP connectivity
If your LDAP server is not IPv6 capable, then you will need to
configure your ldap authentication to connect to the LDAP server
using the IPv4 address.
- WebDAV
Currently there are no IPv6 compatible clients for WebDAV. Hence, WebDAV
with IPv6 addresses is not supported for this release of HP-UX Apache-based
Web Server.
Supporting Components
- HP-UX Webmin-based Admin
Currently there is no support for IPv6 in Perl. Since HP-UX Webmin-based
Admin is entirely written in Perl, it is not supported for IPv6 platform.
Also, HP-UX Webmin-based admin currently does not have support for
recognizing IPv6 addresses correctly. Therefore, specifying IPv6
addresses for Apache may not work.
- HP-UX Tomcat-based Servlet Engine
Starting with 1.4, Java has support for IPv6. Thus any version of HP-UX
Tomcat-based Servlet Engine which is based on Tomcat base version of 4.x
is supported for IPv6 platform.
If HP-UX Tomcat-based Servlet Engine is installed, look at documentation
provided in Tomcat Admin Guide.
Enabling/Disabling IPv6
IPv6 is enabled on the system "out of the box". More information on configuring
the system for IPv6 is available in the system release notes.
Simple checks to verify IPv6 functionality:
1. Make sure that one of the network interfaces is configured for IPv6
addresses. At the command prompt type:
% ifconfig lan0
You should see output similar to the following:
lan0: flags=843<UP,BROADCAST,RUNNING,MULTICAST>
inet 111.222.333.444 netmask ffffff00 broadcast 111.222.333.255
lan0: flags=4800841<UP,RUNNING,MULTICAST,ONLINK>
inet6 fe80::210:83ff:feff:da14 prefix 10
If you do not see output for IPv6 (colon separated IP address for "inet6")
for a particular network interface, say lan0, then you can enable IPv6
on that interface by typing the following command:
% ifconfig lan0 inet6 up
2. Make sure that DNS server is properly configured for the IPv6 address.
If you are using "/etc/hosts", for hostname lookup, then an entry for
the IPv6 address should be present in "/etc/hosts"
3. Ensure that "/etc/nsswitch.conf" has a line corresponding to "ipnodes".
An example entry is shown below:
ipnodes: dns [NOTFOUND=continue] files
TROUBLESHOOTING
Please refer to a component's admin guide for log file locations and other
troubleshooting tips. Check the individual logs files for failures in the
components.
For information about HP-UX Apache-based Web Server failures, look in the log
files under /opt/hpws/apache/logs/
Note: The access_log is disabled by default. To enable it, make sure
that the following line is uncommented:
CustomLog logs/access_log common
By default the access_log is enabled for ssl connections in
ssl.conf.
- When logging at debug level, /opt/hpws/apache/logs/error_log says:
"End of file found: read_request_line() failed"
----------------------------------------------------------------
This is a harmless error. Either ignore it or increase your LogLevel
setting. More details can be found at:
http://www.apache.org/dist/httpd/Announcement2.html
- /opt/hpws/apache/logs/error_log says : "Apache.pm" failed to load.
----------------------------------------------------------------
This is usually due to Perl binaries not being in the PATH.
or the PERL5LIB environment not being set correctly.
SOLUTION: Verify that 64-bit Perl 5.8.8 is installed in /opt/perl_64/bin
and that /opt/perl_64/bin/perl and /opt/perl_64/lib/5.8.8 exist. Also
verify that /opt/perl_64/bin is in the PATH. If it isn't, make
sure to add it. After installing Perl, use the following command
to specify where the mod_perl libraries are:
export PERL5LIB=/opt/hpws/apache/lib/perl/lib/site_perl/5.8.8/IA64.ARCHREV_0-thread-multi-LP64
The PERL5LIB environment variable is preset by apachectl (the
shell that runs the Apache executable). If you experience
problems, manually set this environment variable as shown above.
To test whether you have the correct Perl 5.8.8 on your system,
run the command:
/opt/perl_64/bin/perl -v | grep -i build
and make sure that Perl build is at least 631.
This version of Perl has been engineered by ActiveState for
HP-UX 11i Version 1.6 (IPF) environment. It can be downloaded from:
http://software.hp.com/
Search for: Perl 5.8.8, and then select 64-bit Perl.
- New modules don't execute.
----------------------------------------------------------------
When adding new modules make sure that permissions are set to
-rwxr-xr-x. Match owner and group to existing modules.
KNOWN BUGS
Make sure to review other admin guides for known bugs.
- SSL Session Caching errors
----------------------------------------------------------------
Some times you may notice the following errors in the Apache error_log file:
[error] scach2_lookup_session_id internal error
[error] 'shmcb' code was unable to store a session in the cache.
This does not affect the functionality (the connections will not be dropped).
It may affect the performance of the server, but the impact is insignificant.
- /opt/hpws/apache/bin/apachectl restart does not work
----------------------------------------------------------------
When all or most of the modules are enabled, the restart may not
successfully restart Apache. To resolve this problem, please explicitly
stop and then start Apache.
- /opt/hpws/apache/bin/apachectl stop does not work
----------------------------------------------------------------
Sometimes after HP-UX Apache-based Web Server has been subject to a heavy
load (especially when SSL is enabled), the apachectl stop may not kill all
of the httpd processes. To resolve this problem, please kill the processes
using the following "kill -9" command:
% kill -9 `ps -ef |grep httpd |grep -v grep |awk '{print $2}'`
- Apache Bench (ab) with SSL does not work
----------------------------------------------------------------
In this release, ab with SSL capability is still experimental. The SSL
feature is enabled only for debugging purposes, and cannot be used for
stress/load testing. Not all command line options of ab are supported
when used with SSL.
- Apache restart does not work with Multiple Listen directives
----------------------------------------------------------------
Restarting Apache with multiple Listen directives results in increased
CPU usage. This is because Apache 2.0 does not have any way to remove
listerners on a restart. Therefore, for multiple Listen directives, you
must stop and start the server instead of a restart.
TUNING
This tuning information is based on
http://httpd.apache.org/docs-2.0/misc/perf-tuning.html#runtime,
other documents and in-house testing.
These notes provide tips on configuring your HP-UX Apache-based Web Server
through intelligent use of directives and modules, as well as tuning your
HP-UX environment.
Using Directives
1) Hostname Lookups
http://httpd.apache.org/docs-2.0/mod/core.html#hostnamelookups
If HostNameLookups is not turned off, each client request will result in
at least one lookup request to the name server.
Example:
HostNameLookups off ##Turning off DNS lookups
2) Logging
- Avoid using debug, info and notice level.
- Do a minimal amount of logging.
Disable referer_log and agent_log, if you don't need to keep track of
client information.
3) FollowSymLinks and SymLinksIfOwnerMatch
When you do NOT have an "Options FollowSymLinks" in your URL-space, or you
do have an "Options SymLinksIfOwnerMatch," HP-UX Apache-based Web Server
will issue extra system calls to check up on symlinks. One extra call per
filename component will be made. For example, if you had:
DocumentRoot /www/htdocs
<Directory />
Options SymLinksIfOwnerMatch
</Directory>
If a request is made for the URI /index.html, HP-UX Apache-based Web Server
will perform lstat(2) on /www, /www/htdocs, and /www/htdocs/index.html.
The results of these lstats are never cached, so they will occur on every
single request. If you really desire the symlinks security checking try
the following instead:
DocumentRoot /www/htdocs
<Directory />
Options FollowSymLinks
</Directory>
<Directory /www/htdocs>
Options -FollowSymLinks +SymLinksIfOwnerMatch
</Directory>
This at least avoids the extra checks for the DocumentRoot path. Note that
you'll need to add similar sections if you have any Alias or RewriteRule
paths outside of your document root. For highest performance, and no
symlink protection, set FollowSymLinks everywhere, and never set
SymLinksIfOwnerMatch.
4) AllowOverride
Wherever in your URL-space you allow overrides (typically .htaccess files)
HP-UX Apache-based Web Server will attempt to open .htaccess for each
filename component. For highest performance use "AllowOverride None"
everywhere in your filesystem.
5) Negotiation
Use a complete list of options for DirectoryIndex, listing the most common
choice first.
Example:
DirectoryIndex index.cgi index.pl index.shtml index.html
6) Tuning NumServers, StartThreads, MinSpareThreads, MaxSpareThreads,
MaxThreadsPerChild, MaxRequestsPerChild
HP-UX Apache-based Web Server tries to maintain a pool of spare or idle server threads,
which stand ready to serve incoming requests. In this way, clients do not need to
wait for new threads or processes to be created before their requests
can be served. HP-UX Apache-based Web Server assesses the total number of idle threads
in all processes, and forks or kills processes to keep this number within the
boundaries specified by MinSpareThreads and MaxSpareThreads. Since this
process is very self-regulating, it is rarely necessary to modify these
directives from their default values. The maximum number of clients that
may be served simultaneously is determined by multiplying the maximum
number of server processes that will be created (MaxClients) by the
number of threads created in each process (ThreadsPerChild).
Using Modules
1) Disable unused modules
Enable only the modules you need. Pre-processing and post-processing modules
like mod_speling, mod_include and mod_log_config add a lot of overhead.
Use http://httpd.apache.org/docs-2.0/mod/index.html to determine
which modules are used with your configuration, and which you can remove.
2) mod_vhost_alias
This module uses less memory than VirtualHost directive, when it is
used for a huge number of virtual hosts with similar configurations.
3) mod_perl
Using mod_perl for CGI scripts is considerably faster than using mod_cgi.
Configuring HP-UX Environment
1) Tuning the OS
Tune kernel parameters maxproc, shmem, maxfd, etc.
See FAQ: "performance/sizing" for suggested kernel parameters.
The FAQ is included in the bundle: http://yourserver.com/hp_docs/faq
or online: http://www.hp.com/products1/unix/webservers/apache/faqs/index.html
2) Monitor the memory
Make sure the web server has enough memory.
3) Renice
Increase the priority of HP-UX Apache-based Web Server process.
4) TCP/IP parameters tuning
On HP-UX 11.x the system listen queue parameter is called
tcp_conn_request_max. The utility for listing/modifying network settings
is called "ndd".
The following are equivalent commands to use on HP-UX 11.x:
- To check the current setting of the system listen queue:
ndd -get /dev/tcp tcp_conn_request_max
- To adjust the system listen queue size to 256, for example:
ndd -set /dev/tcp tcp_conn_request_max 256
Example:
Parameter Scope Default Value Tuned Value
--------- ----- ------------- -----------
maxfiles /stand/system 2048 4096 *
maxfiles_lim /stand/system 2048 4096 *
tcp_time_wait_interval ndd/dev/tcp 60000 60000
tcp_conn_request_max ndd/dev/tcp 20 1024 --> 4096
tcp_ip_abort_interval ndd/dev/tcp 600000 60000
tcp_keepalive_interval ndd/dev/tcp 72000000 900000
tcp_rexmit_interval_initial ndd/dev/tc 1500 1500
tcp_rexmit_interval_max ndd/dev/tcp 60000 60000
tcp_rexmit_interval_min ndd/dev/tcp 500 500
tcp_xmit_hiwater_def ndd/dev/tcp 32768 32768
tcp_recv_hiwater_def ndd/dev/tcp 32768 32768
5) Avoid using NFS
Don't use files on NFS for "LockFile" or "Scriptsock" directives.
This will cause the system to hang.
Examples:
LockFile NON_NFS_PATH/lockfile.lock
Scriptsock NON_NFS_PATH/logs/cgisock
Other Configuration
1) Use a cache proxy
Use cache proxy to cache the web pages.
***************************************************************************
LEGAL NOTICES
The information in this document is subject to change without notice.
WARRANTY DISCLAIMER
HEWLETT-PACKARD MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
INFORMATION, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard
shall not be liable for errors contained herein or for direct, indirect,
special, incidental or consequential damages in connection with the
furnishing, performance or use of this material.
RESTRICTED RIGHTS LEGEND
Use, duplication or disclosure by the U.S. Government is subject to
restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in
Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD
agencies. Rights for non-DOD U.S. Government Department and Agencies are
as set forth in FAR 52.227-19 (c)(1,2).
COPYRIGHT NOTICES
Copyright 2002-2007 Hewlett-Packard Development Company, L.P.
This document contains information which is protected by copyright.
All Rights Reserved. Reproduction, adaptation, or translation without
prior written permission is prohibited, except as allowed under the
copyright laws.
TRADEMARK NOTICES
UNIX is a registered trademark in the United States and other countries,
licensed exclusively through X/Open Company Limited.
Intel(R) Itanium(TM) Processor Family is a trademark of Intel Corporation
in the U.S. and other countries is used under license.
Java and all Java-based trademarks and logos are trademarks or
registered trademarks of Sun Microsystems, Inc. in the U.S. and
other countries.
ACKNOWLEDGEMENTS
This product includes software developed by the Apache Software Foundation.
This documentation is based on information from the Apache Software Foundation
(http://www.apache.org).
|
