You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Goran Tepshic <pu...@gmail.com> on 2014/08/13 12:40:44 UTC
[users@httpd] FreebSD jailed Apache 2.4 rewrite/proxy module errors
Just set up a FreeBSD jail to run httpd in it and all works good except
these two, rewrite/proxy modules.
*These are error logs excerpts:*
*mod_rewrite* error:
[rewrite:crit] [pid 43447] (13)Permission denied: AH00666: mod_rewrite:
could not init rewrite_mapr_lock_acquire in child
*mod_proxy* error:
[proxy:crit] [pid 43447] (13)Permission denied: AH02479: could not init
proxy_mutex in child
Not sure permissions of *what* are being denied as html in document root is
being served just fine when these modules are disabled.
I tried googling but found nothing but rubbish.
Please help, this thing is making me crazy.
Re: [users@httpd] FreebSD jailed Apache 2.4 rewrite/proxy module errors
Posted by Goran Tepshic <pu...@gmail.com>.
Great, thanks a ton mate!
On Wed, Aug 13, 2014 at 8:30 PM, Jeff Trawick <tr...@gmail.com> wrote:
> On Wed, Aug 13, 2014 at 8:05 AM, Goran Tepshic <pu...@gmail.com>
> wrote:
>
>> Hmm, interesting tip Jedd.
>>
>> I now tried changing mutex (*commended by default*) to *sem *and those
>> error logs stopped.
>> Now, reading this page
>> http://httpd.apache.org/docs/current/mod/core.html#mutex i see that
>> there are couple of mutexes available (*i still don't know what that is
>> and why do I need one*) and couple of them seems to remedy this issue.
>> Not sure which one should i choose, which is stable and most performant.
>>
>> I'm by no means an expert, just a unix fan trying to set up a simple,
>> secure VPS.
>> Could you please shed some light on choosing the best solution?
>>
>
> Safe:
>
> Follow the "strength in numbers" path. Use flock since that is the
> default for FreeBSD and presumably most httpd configurations there are
> still using it. But as you noticed originally the default path is not in a
> place where the child has permission to write to it, so see about that.
> (The path should default to ServerRoot / logs / ) dtruss/truss/whatever
> should be able to show what path can't be accessed in the jail.
>
>
> Fastest:
>
> Unless you want to benchmark your environment, I wouldn't worry about it.
> Some that may be theoretically faster have caveats listed in the
> documentation.
>
> Posixsem (which you might get with "sem") is the one that most recently
> was found to have code bugs exposed in some httpd configurations (fixed in
> future releases of apr).
>
>
>
>>
>> ALso, HUGE thanks for your help!
>>
>>
>> On Wed, Aug 13, 2014 at 1:10 PM, Jeff Trawick <tr...@gmail.com> wrote:
>>
>>> On Wed, Aug 13, 2014 at 6:40 AM, Goran Tepshic <pu...@gmail.com>
>>> wrote:
>>>
>>>> Just set up a FreeBSD jail to run httpd in it and all works good except
>>>> these two, rewrite/proxy modules.
>>>>
>>>> *These are error logs excerpts:*
>>>>
>>>>
>>>> *mod_rewrite* error:
>>>>
>>>> [rewrite:crit] [pid 43447] (13)Permission denied: AH00666: mod_rewrite:
>>>> could not init rewrite_mapr_lock_acquire in child
>>>>
>>>> *mod_proxy* error:
>>>>
>>>> [proxy:crit] [pid 43447] (13)Permission denied: AH02479: could not init
>>>> proxy_mutex in child
>>>>
>>>>
>>>> Not sure permissions of *what* are being denied as html in document
>>>> root is being served just fine when these modules are disabled.
>>>>
>>>> I tried googling but found nothing but rubbish.
>>>>
>>>>
>>>> Please help, this thing is making me crazy.
>>>>
>>> httpd/APR on FreeBSD uses a file-based mutex ("flock") by default. It
>>> looks like the mutex files are placed in a location where the httpd child
>>> processes don't have permission.
>>>
>>> You should be able to use 2.4's Mutex directive (
>>> http://httpd.apache.org/docs/current/mod/core.html#mutex) to resolve
>>> the issue.
>>>
>>> Perhaps the necessary magic is
>>>
>>> Mutex file:/some/path/ default
>>>
>>> where /some/path is writable by httpd parent and child. I don't *think*
>>> this is some jail-specific issue, other than that child-writable paths in
>>> the jail may be different/more limited due to the way it is set up.
>>>
>>>
>>> --
>>> Born in Roswell... married an alien...
>>> http://emptyhammock.com/
>>>
>>>
>>
>
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
> http://edjective.org/
>
>
Re: [users@httpd] FreebSD jailed Apache 2.4 rewrite/proxy module errors
Posted by Jeff Trawick <tr...@gmail.com>.
On Wed, Aug 13, 2014 at 8:05 AM, Goran Tepshic <pu...@gmail.com>
wrote:
> Hmm, interesting tip Jedd.
>
> I now tried changing mutex (*commended by default*) to *sem *and those
> error logs stopped.
> Now, reading this page
> http://httpd.apache.org/docs/current/mod/core.html#mutex i see that there
> are couple of mutexes available (*i still don't know what that is and why
> do I need one*) and couple of them seems to remedy this issue.
> Not sure which one should i choose, which is stable and most performant.
>
> I'm by no means an expert, just a unix fan trying to set up a simple,
> secure VPS.
> Could you please shed some light on choosing the best solution?
>
Safe:
Follow the "strength in numbers" path. Use flock since that is the default
for FreeBSD and presumably most httpd configurations there are still using
it. But as you noticed originally the default path is not in a place where
the child has permission to write to it, so see about that. (The path
should default to ServerRoot / logs / ) dtruss/truss/whatever should be
able to show what path can't be accessed in the jail.
Fastest:
Unless you want to benchmark your environment, I wouldn't worry about it.
Some that may be theoretically faster have caveats listed in the
documentation.
Posixsem (which you might get with "sem") is the one that most recently was
found to have code bugs exposed in some httpd configurations (fixed in
future releases of apr).
>
> ALso, HUGE thanks for your help!
>
>
> On Wed, Aug 13, 2014 at 1:10 PM, Jeff Trawick <tr...@gmail.com> wrote:
>
>> On Wed, Aug 13, 2014 at 6:40 AM, Goran Tepshic <pu...@gmail.com>
>> wrote:
>>
>>> Just set up a FreeBSD jail to run httpd in it and all works good except
>>> these two, rewrite/proxy modules.
>>>
>>> *These are error logs excerpts:*
>>>
>>>
>>> *mod_rewrite* error:
>>>
>>> [rewrite:crit] [pid 43447] (13)Permission denied: AH00666: mod_rewrite:
>>> could not init rewrite_mapr_lock_acquire in child
>>>
>>> *mod_proxy* error:
>>>
>>> [proxy:crit] [pid 43447] (13)Permission denied: AH02479: could not init
>>> proxy_mutex in child
>>>
>>>
>>> Not sure permissions of *what* are being denied as html in document
>>> root is being served just fine when these modules are disabled.
>>>
>>> I tried googling but found nothing but rubbish.
>>>
>>>
>>> Please help, this thing is making me crazy.
>>>
>> httpd/APR on FreeBSD uses a file-based mutex ("flock") by default. It
>> looks like the mutex files are placed in a location where the httpd child
>> processes don't have permission.
>>
>> You should be able to use 2.4's Mutex directive (
>> http://httpd.apache.org/docs/current/mod/core.html#mutex) to resolve the
>> issue.
>>
>> Perhaps the necessary magic is
>>
>> Mutex file:/some/path/ default
>>
>> where /some/path is writable by httpd parent and child. I don't *think*
>> this is some jail-specific issue, other than that child-writable paths in
>> the jail may be different/more limited due to the way it is set up.
>>
>>
>> --
>> Born in Roswell... married an alien...
>> http://emptyhammock.com/
>>
>>
>
--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
Re: [users@httpd] FreebSD jailed Apache 2.4 rewrite/proxy module errors
Posted by Goran Tepshic <pu...@gmail.com>.
Hmm, interesting tip Jedd.
I now tried changing mutex (*commended by default*) to *sem *and those
error logs stopped.
Now, reading this page
http://httpd.apache.org/docs/current/mod/core.html#mutex i see that there
are couple of mutexes available (*i still don't know what that is and why
do I need one*) and couple of them seems to remedy this issue.
Not sure which one should i choose, which is stable and most performant.
I'm by no means an expert, just a unix fan trying to set up a simple,
secure VPS.
Could you please shed some light on choosing the best solution?
ALso, HUGE thanks for your help!
On Wed, Aug 13, 2014 at 1:10 PM, Jeff Trawick <tr...@gmail.com> wrote:
> On Wed, Aug 13, 2014 at 6:40 AM, Goran Tepshic <pu...@gmail.com>
> wrote:
>
>> Just set up a FreeBSD jail to run httpd in it and all works good except
>> these two, rewrite/proxy modules.
>>
>> *These are error logs excerpts:*
>>
>>
>> *mod_rewrite* error:
>>
>> [rewrite:crit] [pid 43447] (13)Permission denied: AH00666: mod_rewrite:
>> could not init rewrite_mapr_lock_acquire in child
>>
>> *mod_proxy* error:
>>
>> [proxy:crit] [pid 43447] (13)Permission denied: AH02479: could not init
>> proxy_mutex in child
>>
>>
>> Not sure permissions of *what* are being denied as html in document root
>> is being served just fine when these modules are disabled.
>>
>> I tried googling but found nothing but rubbish.
>>
>>
>> Please help, this thing is making me crazy.
>>
> httpd/APR on FreeBSD uses a file-based mutex ("flock") by default. It
> looks like the mutex files are placed in a location where the httpd child
> processes don't have permission.
>
> You should be able to use 2.4's Mutex directive (
> http://httpd.apache.org/docs/current/mod/core.html#mutex) to resolve the
> issue.
>
> Perhaps the necessary magic is
>
> Mutex file:/some/path/ default
>
> where /some/path is writable by httpd parent and child. I don't *think*
> this is some jail-specific issue, other than that child-writable paths in
> the jail may be different/more limited due to the way it is set up.
>
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
>
>
Re: [users@httpd] FreebSD jailed Apache 2.4 rewrite/proxy module errors
Posted by Jeff Trawick <tr...@gmail.com>.
On Wed, Aug 13, 2014 at 6:40 AM, Goran Tepshic <pu...@gmail.com>
wrote:
> Just set up a FreeBSD jail to run httpd in it and all works good except
> these two, rewrite/proxy modules.
>
> *These are error logs excerpts:*
>
>
> *mod_rewrite* error:
>
> [rewrite:crit] [pid 43447] (13)Permission denied: AH00666: mod_rewrite:
> could not init rewrite_mapr_lock_acquire in child
>
> *mod_proxy* error:
>
> [proxy:crit] [pid 43447] (13)Permission denied: AH02479: could not init
> proxy_mutex in child
>
>
> Not sure permissions of *what* are being denied as html in document root
> is being served just fine when these modules are disabled.
>
> I tried googling but found nothing but rubbish.
>
>
> Please help, this thing is making me crazy.
>
httpd/APR on FreeBSD uses a file-based mutex ("flock") by default. It
looks like the mutex files are placed in a location where the httpd child
processes don't have permission.
You should be able to use 2.4's Mutex directive (
http://httpd.apache.org/docs/current/mod/core.html#mutex) to resolve the
issue.
Perhaps the necessary magic is
Mutex file:/some/path/ default
where /some/path is writable by httpd parent and child. I don't *think*
this is some jail-specific issue, other than that child-writable paths in
the jail may be different/more limited due to the way it is set up.
--
Born in Roswell... married an alien...
http://emptyhammock.com/