accf_http and incqlen
Uwe Doering
gemini at geminix.org
Thu Mar 6 21:59:47 UTC 2008
Scott Oertel wrote:
> (I sent this to freebsd-questions, but I didn't receive any replies,
> thought I would try my luck here)
>
> I setup the http accept filter with apache and I was having a hard time
> understanding this, maybe you guys could help out.
>
> I've tested this among various version of freebsd, primarily FreeBSD
> 6.3-RELEASE, and with various
> apache configs, and it appears to behave the same across the board.
>
> So why is it that it "appears" that the TCP connections never terminate,
> just stay in a state of ESTABLISHED, and why doesn't this queue ever
> flush itself, is it normal, if it is, what happens exactly when the
> queue fills up to maxqlen. From the netstat output below, you can see
> that the incqlen is maxed out. I've done quite a bit of searching
> regarding this queue but haven't found any real solid information which
> describes what happens when it fills up, and at the same time this is
> going on, I have 517 established connections to port 80.
>
> ]# netstat -an|grep "\.80"|grep ESTAB|wc -l
> 519
> [...]
Last time I looked (in FreeBSD 4.x) these were connections that got
stuck in an early stage, that is, before the HTTP request had been
received. The 'accf_http' filter which wants to parse said request
waits forever in this situation because there is no timeout implemented,
as far as I recall. So these would-be HTTP connections pile up over time.
The actual cause are quite likely port scans and such from the Internet.
I don't know whether one would eventually run out of resources, but so
many stuck connections certainly look sick, and you can't see the wood
for the trees if you need to debug something under these circumstances.
What I did instead was compile Apache 1.3 with the flag
-DACCEPT_FILTER_NAME=\\\\\"dataready\\\\\"
added to CFLAGS in the ports repository's Makefile. This way Apache
uses the 'dataready' filter instead of 'httpready'. This doesn't cause
any stuck connections, and it improves the performance as well because
most modern browsers and proxies send the HTTP request plus the whole
set of headers in a single data packet anyway, which means that
unconditionally returning from accept(2) on the first data packet
received is sufficient. Under these circumstances the overhead of
parsing the HTTP request in the kernel, like the 'httpready' filter
does, no longer makes much sense.
I haven't looked at Apache 2.x so far in this regard. Perhaps there is
a similar compile time option. In any case, maybe this tweak helps in
your case, too.
Regards,
Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini at geminix.org | http://www.escapebox.net
More information about the freebsd-stable
mailing list