You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by "Bremser, Kurt (Allianz Technology GmbH)" <Ku...@allianz.at> on 2017/09/13 11:48:18 UTC

AW: [users@httpd] Run apache without master [wd-vc]

In most cases, you can only have ONE process binding to ONE IP-address/port combination. Children of this process will then inherit the socket, which is the way how apache works.

On Linux and BSD, there is the SO_REUSEPORT option that can be set by a listening process, so that other processes can also bind to the socket, and let the OS handle which incoming data ends up where.
If you think about that, it opens the port up for hijacking, as the initial listener process has no idea which other processes might also bind to the port and intercept traffic.

So the apache method of one master process binding to the port and spawning children is the prudent one.

Kurt Bremser
Allianz Technology GmbH

Newton was wrong. There is no gravity. The Earth sucks.
________________________________________
Von: Hemant Chaudhary [hemantdude.chaudhary@gmail.com]
Gesendet: Mittwoch, 13. September 2017 13:29
An: users@httpd.apache.org
Betreff: Re: [users@httpd] Run apache without master [wd-vc]

Hi

I want to create different processes not forking from parent or anywhere.
It is still okay if parent process is started and parent process will not fork child processes but parent should serve requests.

On Sep 13, 2017 4:47 PM, "Eric Covener" <co...@gmail.com>> wrote:
On Wed, Sep 13, 2017 at 7:09 AM, Hemant Chaudhary
<he...@gmail.com>> wrote:
> Hi,
>
> I want to start my apache without master process means when I will give
> "httpd" command, it should start 5 worker process which has access to
> httpd.conf as well as serve requests.
>
> Is it possible to achieve this ? If yes, then how should to achieve this ?

Not really. Why not just ignore the parent process? The worst thing
that can happen is that it doesn't manage the children, which you're
already losing in this hypothetical setup.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org<ma...@httpd.apache.org>
For additional commands, e-mail: users-help@httpd.apache.org<ma...@httpd.apache.org>


Allianz Technology GmbH 
1130 Wien, Hietzinger Kai 101-105 
FN 365014k, Handelsgericht Wien 
UID: ATU 66614737 

http://www.allianz.at 

******************************************************** 
Dieses E-Mail und allfaellig daran angeschlossene Anhaenge 
enthalten Informationen, die vertraulich und 
ausschliesslich fuer den (die) bezeichneten Adressaten 
bestimmt sind. 
Wenn Sie nicht der genannte Adressat sind, darf dieses 
E-Mail samt allfaelliger Anhaenge von Ihnen weder anderen 
Personen zugaenglich gemacht noch in anderer Weise 
verwertet werden.
Wenn Sie nicht der beabsichtigte Empfaenger sind, bitten
wir Sie, dieses E-Mail und saemtliche angeschlossene
Anhaenge zu loeschen. 

Please note: This email and any files transmitted with it is 
intended only for the named recipients and may contain 
confidential and/or privileged information. If you are not the 
intended recipient, please do not read, copy, use or disclose 
the contents of this communication to others and notify the 
sender immediately. Then please delete the email and any 
copies of it. Thank you.

********************************************************

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: AW: [users@httpd] Run apache without master [wd-vc]

Posted by Hemant Chaudhary <he...@gmail.com>.
As i have seen in my system that master process also binds to port that i
have given in my configuration. Then how master process is binding to port
80 ? If i am running my apache other than root user then how can master
binds to port 80 ?

If i am running apache as root user then on any port my apache is working
but other than root user, i need to give port greater than 1024.

Thanks
Hemant

On Sep 13, 2017 5:56 PM, "Bremser, Kurt (Allianz Technology GmbH)" <
Kurt.Bremser@allianz.at> wrote:

> Spawning children servers one very important purpose: while the master has
> to be run as root to bind to the privileged port 80, the child is spawned
> as the user named in the configuration, reducing security issues by orders
> of magnitude.
> Changing that and running the whole server process (inlcuding spawned cgi
> scripts etc) as root would be extremely stupid, IMO.
>
> Kurt Bremser
> Allianz Technology GmbH
>
> Newton was wrong. There is no gravity. The Earth sucks.
> ________________________________________
> Von: Hemant Chaudhary [hemantdude.chaudhary@gmail.com]
> Gesendet: Mittwoch, 13. September 2017 14:03
> An: users@httpd.apache.org
> Betreff: Re: [users@httpd] Run apache without master [wd-vc]
>
> Yes true. I want to start only one process and it should not spawn child
> processes.
> In apache, we have master process and then it spawns child. After that
> child serves requests by client.
> My aim is to start master process and it should not spawn child as well as
> it should serve requests from client.
>
> Thanks
> Hemant
>
> On Wed, Sep 13, 2017 at 5:18 PM, Bremser, Kurt (Allianz Technology GmbH) <
> Kurt.Bremser@allianz.at<ma...@allianz.at>> wrote:
> In most cases, you can only have ONE process binding to ONE
> IP-address/port combination. Children of this process will then inherit the
> socket, which is the way how apache works.
>
> On Linux and BSD, there is the SO_REUSEPORT option that can be set by a
> listening process, so that other processes can also bind to the socket, and
> let the OS handle which incoming data ends up where.
> If you think about that, it opens the port up for hijacking, as the
> initial listener process has no idea which other processes might also bind
> to the port and intercept traffic.
>
> So the apache method of one master process binding to the port and
> spawning children is the prudent one.
>
> Kurt Bremser
> Allianz Technology GmbH
>
> Newton was wrong. There is no gravity. The Earth sucks.
> ________________________________________
> Von: Hemant Chaudhary [hemantdude.chaudhary@gmail.com<mailto:hemantdude.
> chaudhary@gmail.com>]
> Gesendet: Mittwoch, 13. September 2017 13:29
> An: users@httpd.apache.org<ma...@httpd.apache.org>
> Betreff: Re: [users@httpd] Run apache without master [wd-vc]
>
> Hi
>
> I want to create different processes not forking from parent or anywhere.
> It is still okay if parent process is started and parent process will not
> fork child processes but parent should serve requests.
>
> On Sep 13, 2017 4:47 PM, "Eric Covener" <covener@gmail.com<mailto:cove
> ner@gmail.com><ma...@gmail.com>>> wrote:
> On Wed, Sep 13, 2017 at 7:09 AM, Hemant Chaudhary
> <hemantdude.chaudhary@gmail.com<mailto:hemantdude.chaudhary@gmail.com
> ><mailto:hemantdude.chaudhary@gmail.com<mailto:hemantdude.chaudhary@
> gmail.com>>> wrote:
> > Hi,
> >
> > I want to start my apache without master process means when I will give
> > "httpd" command, it should start 5 worker process which has access to
> > httpd.conf as well as serve requests.
> >
> > Is it possible to achieve this ? If yes, then how should to achieve this
> ?
>
> Not really. Why not just ignore the parent process? The worst thing
> that can happen is that it doesn't manage the children, which you're
> already losing in this hypothetical setup.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org<mailto:users-
> unsubscribe@httpd.apache.org><mailto:users-unsubscribe@httpd.apache.org
> <ma...@httpd.apache.org>>
> For additional commands, e-mail: users-help@httpd.apache.org<mailto:
> users-help@httpd.apache.org><mailto:users-help@httpd.apache.org<mailto:
> users-help@httpd.apache.org>>
>
>
> Allianz Technology GmbH
> 1130 Wien, Hietzinger Kai 101-105
> FN 365014k, Handelsgericht Wien
> UID: ATU 66614737
>
> http://www.allianz.at
>
> ********************************************************
> Dieses E-Mail und allfaellig daran angeschlossene Anhaenge
> enthalten Informationen, die vertraulich und
> ausschliesslich fuer den (die) bezeichneten Adressaten
> bestimmt sind.
> Wenn Sie nicht der genannte Adressat sind, darf dieses
> E-Mail samt allfaelliger Anhaenge von Ihnen weder anderen
> Personen zugaenglich gemacht noch in anderer Weise
> verwertet werden.
> Wenn Sie nicht der beabsichtigte Empfaenger sind, bitten
> wir Sie, dieses E-Mail und saemtliche angeschlossene
> Anhaenge zu loeschen.
>
> Please note: This email and any files transmitted with it is
> intended only for the named recipients and may contain
> confidential and/or privileged information. If you are not the
> intended recipient, please do not read, copy, use or disclose
> the contents of this communication to others and notify the
> sender immediately. Then please delete the email and any
> copies of it. Thank you.
>
> ********************************************************
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org<mailto:users-
> unsubscribe@httpd.apache.org>
> For additional commands, e-mail: users-help@httpd.apache.org<mailto:
> users-help@httpd.apache.org>
>
>
>
> Allianz Technology GmbH
> 1130 Wien, Hietzinger Kai 101-105
> FN 365014k, Handelsgericht Wien
> UID: ATU 66614737
>
> http://www.allianz.at
>
> ********************************************************
> Dieses E-Mail und allfaellig daran angeschlossene Anhaenge
> enthalten Informationen, die vertraulich und
> ausschliesslich fuer den (die) bezeichneten Adressaten
> bestimmt sind.
> Wenn Sie nicht der genannte Adressat sind, darf dieses
> E-Mail samt allfaelliger Anhaenge von Ihnen weder anderen
> Personen zugaenglich gemacht noch in anderer Weise
> verwertet werden.
> Wenn Sie nicht der beabsichtigte Empfaenger sind, bitten
> wir Sie, dieses E-Mail und saemtliche angeschlossene
> Anhaenge zu loeschen.
>
> Please note: This email and any files transmitted with it is
> intended only for the named recipients and may contain
> confidential and/or privileged information. If you are not the
> intended recipient, please do not read, copy, use or disclose
> the contents of this communication to others and notify the
> sender immediately. Then please delete the email and any
> copies of it. Thank you.
>
> ********************************************************
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

AW: [users@httpd] Run apache without master [wd-vc]

Posted by "Bremser, Kurt (Allianz Technology GmbH)" <Ku...@allianz.at>.
Spawning children servers one very important purpose: while the master has to be run as root to bind to the privileged port 80, the child is spawned as the user named in the configuration, reducing security issues by orders of magnitude.
Changing that and running the whole server process (inlcuding spawned cgi scripts etc) as root would be extremely stupid, IMO.

Kurt Bremser
Allianz Technology GmbH

Newton was wrong. There is no gravity. The Earth sucks.
________________________________________
Von: Hemant Chaudhary [hemantdude.chaudhary@gmail.com]
Gesendet: Mittwoch, 13. September 2017 14:03
An: users@httpd.apache.org
Betreff: Re: [users@httpd] Run apache without master [wd-vc]

Yes true. I want to start only one process and it should not spawn child processes.
In apache, we have master process and then it spawns child. After that child serves requests by client.
My aim is to start master process and it should not spawn child as well as it should serve requests from client.

Thanks
Hemant

On Wed, Sep 13, 2017 at 5:18 PM, Bremser, Kurt (Allianz Technology GmbH) <Ku...@allianz.at>> wrote:
In most cases, you can only have ONE process binding to ONE IP-address/port combination. Children of this process will then inherit the socket, which is the way how apache works.

On Linux and BSD, there is the SO_REUSEPORT option that can be set by a listening process, so that other processes can also bind to the socket, and let the OS handle which incoming data ends up where.
If you think about that, it opens the port up for hijacking, as the initial listener process has no idea which other processes might also bind to the port and intercept traffic.

So the apache method of one master process binding to the port and spawning children is the prudent one.

Kurt Bremser
Allianz Technology GmbH

Newton was wrong. There is no gravity. The Earth sucks.
________________________________________
Von: Hemant Chaudhary [hemantdude.chaudhary@gmail.com<ma...@gmail.com>]
Gesendet: Mittwoch, 13. September 2017 13:29
An: users@httpd.apache.org<ma...@httpd.apache.org>
Betreff: Re: [users@httpd] Run apache without master [wd-vc]

Hi

I want to create different processes not forking from parent or anywhere.
It is still okay if parent process is started and parent process will not fork child processes but parent should serve requests.

On Sep 13, 2017 4:47 PM, "Eric Covener" <co...@gmail.com>>> wrote:
On Wed, Sep 13, 2017 at 7:09 AM, Hemant Chaudhary
<he...@gmail.com>>> wrote:
> Hi,
>
> I want to start my apache without master process means when I will give
> "httpd" command, it should start 5 worker process which has access to
> httpd.conf as well as serve requests.
>
> Is it possible to achieve this ? If yes, then how should to achieve this ?

Not really. Why not just ignore the parent process? The worst thing
that can happen is that it doesn't manage the children, which you're
already losing in this hypothetical setup.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org<ma...@httpd.apache.org>>
For additional commands, e-mail: users-help@httpd.apache.org<ma...@httpd.apache.org>>


Allianz Technology GmbH
1130 Wien, Hietzinger Kai 101-105
FN 365014k, Handelsgericht Wien
UID: ATU 66614737

http://www.allianz.at

********************************************************
Dieses E-Mail und allfaellig daran angeschlossene Anhaenge
enthalten Informationen, die vertraulich und
ausschliesslich fuer den (die) bezeichneten Adressaten
bestimmt sind.
Wenn Sie nicht der genannte Adressat sind, darf dieses
E-Mail samt allfaelliger Anhaenge von Ihnen weder anderen
Personen zugaenglich gemacht noch in anderer Weise
verwertet werden.
Wenn Sie nicht der beabsichtigte Empfaenger sind, bitten
wir Sie, dieses E-Mail und saemtliche angeschlossene
Anhaenge zu loeschen.

Please note: This email and any files transmitted with it is
intended only for the named recipients and may contain
confidential and/or privileged information. If you are not the
intended recipient, please do not read, copy, use or disclose
the contents of this communication to others and notify the
sender immediately. Then please delete the email and any
copies of it. Thank you.

********************************************************

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org<ma...@httpd.apache.org>
For additional commands, e-mail: users-help@httpd.apache.org<ma...@httpd.apache.org>



Allianz Technology GmbH 
1130 Wien, Hietzinger Kai 101-105 
FN 365014k, Handelsgericht Wien 
UID: ATU 66614737 

http://www.allianz.at 

******************************************************** 
Dieses E-Mail und allfaellig daran angeschlossene Anhaenge 
enthalten Informationen, die vertraulich und 
ausschliesslich fuer den (die) bezeichneten Adressaten 
bestimmt sind. 
Wenn Sie nicht der genannte Adressat sind, darf dieses 
E-Mail samt allfaelliger Anhaenge von Ihnen weder anderen 
Personen zugaenglich gemacht noch in anderer Weise 
verwertet werden.
Wenn Sie nicht der beabsichtigte Empfaenger sind, bitten
wir Sie, dieses E-Mail und saemtliche angeschlossene
Anhaenge zu loeschen. 

Please note: This email and any files transmitted with it is 
intended only for the named recipients and may contain 
confidential and/or privileged information. If you are not the 
intended recipient, please do not read, copy, use or disclose 
the contents of this communication to others and notify the 
sender immediately. Then please delete the email and any 
copies of it. Thank you.

********************************************************

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Run apache without master [wd-vc]

Posted by Eric Covener <co...@gmail.com>.
On Wed, Sep 13, 2017 at 8:03 AM, Hemant Chaudhary
<he...@gmail.com> wrote:
> Yes true. I want to start only one process and it should not spawn child
> processes.
> In apache, we have master process and then it spawns child. After that child
> serves requests by client.
> My aim is to start master process and it should not spawn child as well as
> it should serve requests from client.

You could look into the -DONE_PROCESS option with a threaded MPM and
just use a single process.
But it all sounds like a pretty horrible plan.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Run apache without master [wd-vc]

Posted by Hemant Chaudhary <he...@gmail.com>.
Yes true. I want to start only one process and it should not spawn child
processes.
In apache, we have master process and then it spawns child. After that
child serves requests by client.
My aim is to start master process and it should not spawn child as well as
it should serve requests from client.

Thanks
Hemant

On Wed, Sep 13, 2017 at 5:18 PM, Bremser, Kurt (Allianz Technology GmbH) <
Kurt.Bremser@allianz.at> wrote:

> In most cases, you can only have ONE process binding to ONE
> IP-address/port combination. Children of this process will then inherit the
> socket, which is the way how apache works.
>
> On Linux and BSD, there is the SO_REUSEPORT option that can be set by a
> listening process, so that other processes can also bind to the socket, and
> let the OS handle which incoming data ends up where.
> If you think about that, it opens the port up for hijacking, as the
> initial listener process has no idea which other processes might also bind
> to the port and intercept traffic.
>
> So the apache method of one master process binding to the port and
> spawning children is the prudent one.
>
> Kurt Bremser
> Allianz Technology GmbH
>
> Newton was wrong. There is no gravity. The Earth sucks.
> ________________________________________
> Von: Hemant Chaudhary [hemantdude.chaudhary@gmail.com]
> Gesendet: Mittwoch, 13. September 2017 13:29
> An: users@httpd.apache.org
> Betreff: Re: [users@httpd] Run apache without master [wd-vc]
>
> Hi
>
> I want to create different processes not forking from parent or anywhere.
> It is still okay if parent process is started and parent process will not
> fork child processes but parent should serve requests.
>
> On Sep 13, 2017 4:47 PM, "Eric Covener" <covener@gmail.com<mailto:cove
> ner@gmail.com>> wrote:
> On Wed, Sep 13, 2017 at 7:09 AM, Hemant Chaudhary
> <he...@gmail.com>>
> wrote:
> > Hi,
> >
> > I want to start my apache without master process means when I will give
> > "httpd" command, it should start 5 worker process which has access to
> > httpd.conf as well as serve requests.
> >
> > Is it possible to achieve this ? If yes, then how should to achieve this
> ?
>
> Not really. Why not just ignore the parent process? The worst thing
> that can happen is that it doesn't manage the children, which you're
> already losing in this hypothetical setup.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org<mailto:users-
> unsubscribe@httpd.apache.org>
> For additional commands, e-mail: users-help@httpd.apache.org<mailto:
> users-help@httpd.apache.org>
>
>
> Allianz Technology GmbH
> 1130 Wien, Hietzinger Kai 101-105
> FN 365014k, Handelsgericht Wien
> UID: ATU 66614737
>
> http://www.allianz.at
>
> ********************************************************
> Dieses E-Mail und allfaellig daran angeschlossene Anhaenge
> enthalten Informationen, die vertraulich und
> ausschliesslich fuer den (die) bezeichneten Adressaten
> bestimmt sind.
> Wenn Sie nicht der genannte Adressat sind, darf dieses
> E-Mail samt allfaelliger Anhaenge von Ihnen weder anderen
> Personen zugaenglich gemacht noch in anderer Weise
> verwertet werden.
> Wenn Sie nicht der beabsichtigte Empfaenger sind, bitten
> wir Sie, dieses E-Mail und saemtliche angeschlossene
> Anhaenge zu loeschen.
>
> Please note: This email and any files transmitted with it is
> intended only for the named recipients and may contain
> confidential and/or privileged information. If you are not the
> intended recipient, please do not read, copy, use or disclose
> the contents of this communication to others and notify the
> sender immediately. Then please delete the email and any
> copies of it. Thank you.
>
> ********************************************************
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>