You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Paul Querna <ch...@force-elite.com> on 2005/05/04 03:13:58 UTC

Accept Filters, was Re: Timeout for requests

Rasmus Lerdorf wrote:
>>
>> Ya, I got messed up in my other email too.
>>
>> SO_ACCEPTFILTER is in 2.0.xx.
>>
>> TCP_DEFER_ACCEPT is in 2.1.xx.
>>
>> -Paul
> 
> 
> By the way Paul, I have been meaning ask, are you falling back from
> httpready to dataready on SSL requests in 2.x?  I don't see it in
> server/listen.c, but I am not really up on the 2.x code.  We can't use
> httpready on an SSL request for obvious reasons.

Nope, it always tries to use accf_http.

In real life, I don't believe this is detrimental, since if the
accf_http filter sees data it doesn't understand, it acts just like
accf_data -- and mod_ssl reads the data just like normal.

There was a thread discussing refactoring of how accept filters and
TCP_DEFER_ACCEPT should be applied, but the root problem is that we do
not know that a socket is SSL, until after we have accept()'ed that
socket.  This thread was started when I committed support for
TCP_DEFER_ACCEPT:
http://marc.theaimsgroup.com/?t=110275895100002&r=1&w=2

A proposed solution is a 'mod_acceptfilter':
http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=110297187029584&w=2

Unfortunately, no one followed up with Rici's ideas on it.  I think the
longterm solution is to remove things like 'SSLEngine On', and fix HTTPD
to associate a single protocol with a single listening socket.

An alternative that was also proposed at the same time was  <Listen> Blocks:
http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=110297188417604&w=2

This would allow something like:
<Listen 1.2.3.4:443>
# would imply the accf_data filter on FreeBSD...
Protocol https
<VirtualHost>
....
</VirtualHost>
</Listen>

Either way, we need a better method to know which protocol will at least
initially be ran on a socket.  Currently it is all runtime, but it must
be changed to be done at startup, to properly apply the accept filters.

In the real world, it is not a big issue, since most people are running
HTTP or HTTPS Servers with apache, but maybe someday httpd will fully
support SMTP, IMAP, and FTP :)

-Paul

Re: Accept Filters, was Re: Timeout for requests

Posted by Rasmus Lerdorf <ra...@lerdorf.com>.

Paul Querna wrote:
> In real life, I don't believe this is detrimental, since if the
> accf_http filter sees data it doesn't understand, it acts just like
> accf_data -- and mod_ssl reads the data just like normal.

Hrm..  I am not sure I am convinced of that based on what I have seen on 
some misconfigured Apache1 servers.

> There was a thread discussing refactoring of how accept filters and
> TCP_DEFER_ACCEPT should be applied, but the root problem is that we do
> not know that a socket is SSL, until after we have accept()'ed that
> socket.  

Ah, in Apache1 that isn't a problem.  I can see how that complicates 
things in Apache2.

-Rasmus