Http Accept filters (accf_http)
Bernd Walter
ticso at cicely12.cicely.de
Wed Apr 23 01:49:58 UTC 2008
On Tue, Apr 22, 2008 at 03:36:27PM -0700, Xin LI wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Antony Mawer wrote:
> | Poul-Henning Kamp wrote:
> |> In message <480E589C.8010108 at delphij.net>, Xin LI writes:
> |>
> |>> | Does anyone know why accf_accept is disabled by default in the ports'
> |>> | stock Apache 2.2 (it's disabled in the default config files)? I
> |>> thought
> |>> | it was because it was dangerous or flawed for some reason, though (at
> |>> | least for light loads comparable to those of OP) it seems to work
> |>> fine.
> |>
> |> I think adding them to the apache is OK, as long as apache fails
> |> gracefully if they are not present in the kernel.
It tries to kldload if configured and not already in the kernel, but
uses traditional connection handling if loading the module fails.
> | I seem to recall I had problems trying to get Apache to run with accept
> | filters turned on in a jail environment... having said that, I just
> | tried to enable it in a jail and restarted Apache and it started up
> | fine. Maybe I was just imagining it?
>
> Hmm... I think Apache would just work as long as it is loaded into
> kernel or statically linked into it, no matter if it is in a jail
> environment (my personal server uses Apache in jail for dynamic contents
> and it just worked fine).
A jailed apache can't load the module, so to enable the feature you
can't rely on autoloading.
If you compile it into the kernel or load the module outside of the
jail it runs fine within the jail.
--
B.Walter <bernd at bwct.de> http://www.bwct.de
Modbus/TCP Ethernet I/O Baugruppen, ARM basierte FreeBSD Rechner uvm.
More information about the freebsd-current
mailing list