Posted to dev@httpd.apache.org by Paul Querna <ch...@force-elite.com> on 2005/05/04 03:13:58 UTC
Accept Filters, was Re: Timeout for requests
Rasmus Lerdorf wrote:
>>
>> Ya, I got messed up in my other email too.
>>
>> SO_ACCEPTFILTER is in 2.0.xx.
>>
>> TCP_DEFER_ACCEPT is in 2.1.xx.
>>
>> -Paul
>
>
> By the way Paul, I have been meaning to ask, are you falling back from
> httpready to dataready on SSL requests in 2.x? I don't see it in
> server/listen.c, but I am not really up on the 2.x code. We can't use
> httpready on an SSL request for obvious reasons.
Nope, it always tries to use accf_http.

In real life, I don't believe this is detrimental, since if the
accf_http filter sees data it doesn't understand, it acts just like
accf_data -- and mod_ssl reads the data just like normal.

There was a thread discussing refactoring of how accept filters and
TCP_DEFER_ACCEPT should be applied, but the root problem is that we do
not know that a socket is SSL, until after we have accept()'ed that
socket. This thread was started when I committed support for
TCP_DEFER_ACCEPT:
http://marc.theaimsgroup.com/?t=110275895100002&r=1&w=2

A proposed solution is a 'mod_acceptfilter':
http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=110297187029584&w=2

Unfortunately, no one followed up with Rici's ideas on it. I think the
long-term solution is to remove things like 'SSLEngine On', and fix HTTPD
to associate a single protocol with a single listening socket.

An alternative that was also proposed at the same time was <Listen> Blocks:
http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=110297188417604&w=2

This would allow something like:
<Listen 1.2.3.4:443>
    # would imply the accf_data filter on FreeBSD...
    Protocol https
    <VirtualHost>
    ....
    </VirtualHost>
</Listen>

Either way, we need a better method to know which protocol will at least
initially be run on a socket. Currently it is all runtime, but it must
be changed to be done at startup, to properly apply the accept filters.

In the real world, it is not a big issue, since most people are running
HTTP or HTTPS Servers with apache, but maybe someday httpd will fully
support SMTP, IMAP, and FTP :)

-Paul
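
Choosing the accept filter at startup from a per-listener protocol, as described in the message above, could look like the following. This is an added example, not httpd's code and not part of the thread; the helper names, every protocol string other than "https", and the 30-second timeout are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

/* Hypothetical helper: map a listener's declared protocol to a FreeBSD
 * accept filter name. NULL means no filter may be installed. */
const char *accf_for_protocol(const char *proto)
{
    if (strcmp(proto, "http") == 0)
        return "httpready";  /* accf_http: hold until a full HTTP request */
    if (strcmp(proto, "https") == 0)
        return "dataready";  /* accf_data: first bytes are TLS, not HTTP */
    return NULL;             /* smtp, imap, ftp: the server speaks first,
                                so waiting for client data would stall */
}

/* Apply the deferral to a socket that is already listen()ing.
 * Returns 1 if installed, 0 if skipped or unsupported here, -1 on error. */
int apply_accept_deferral(int lsock, const char *proto)
{
    const char *name = accf_for_protocol(proto);
    if (name == NULL)
        return 0;
#if defined(SO_ACCEPTFILTER)            /* FreeBSD */
    struct accept_filter_arg afa;
    memset(&afa, 0, sizeof(afa));
    strncpy(afa.af_name, name, sizeof(afa.af_name) - 1);
    return setsockopt(lsock, SOL_SOCKET, SO_ACCEPTFILTER,
                      &afa, sizeof(afa)) < 0 ? -1 : 1;
#elif defined(TCP_DEFER_ACCEPT)         /* Linux: behaves like dataready */
    int secs = 30;                      /* assumed timeout */
    return setsockopt(lsock, IPPROTO_TCP, TCP_DEFER_ACCEPT,
                      &secs, sizeof(secs)) < 0 ? -1 : 1;
#else
    (void)lsock;
    return 0;
#endif
}

int main(void)
{
    const char *protos[] = { "http", "https", "smtp" };
    for (size_t i = 0; i < 3; i++) {
        const char *f = accf_for_protocol(protos[i]);
        printf("%-5s -> %s\n", protos[i], f ? f : "(no filter)");
    }
    return 0;
}
```
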
Re: Accept Filters, was Re: Timeout for requests
Posted by Rasmus Lerdorf <ra...@lerdorf.com>.
Paul Querna wrote:
> In real life, I don't believe this is detrimental, since if the
> accf_http filter sees data it doesn't understand, it acts just like
> accf_data -- and mod_ssl reads the data just like normal.
Hrm.. I am not sure I am convinced of that based on what I have seen on
some misconfigured Apache1 servers.
> There was a thread discussing refactoring of how accept filters and
> TCP_DEFER_ACCEPT should be applied, but the root problem is that we do
> not know that a socket is SSL, until after we have accept()'ed that
> socket.
Ah, in Apache1 that isn't a problem. I can see how that complicates
things in Apache2.
-Rasmus