apache PHP suhosin load
Damien Fleuriot
ml at my.gd
Thu Jun 21 07:32:30 UTC 2012
On 21 Jun 2012, at 08:34, n dhert <ndhertbsd at gmail.com> wrote:
> On FreeBSD 8.3 I have apache22 web server with PHP. PHP is PHP52 for
> compatibility with existing applications, but the most recent version
> in the php52 branch
> $ php --version
> PHP 5.2.17 with Suhosin-Patch 0.9.7 (cli) (built: May 7 2012 08:45:58)
>
> From time to time, I notice in a top output that a huge number of httpd
> daemons are being started, making the load rapidly increase to levels of
> 5, 10, 15, ... and very slow interactive response ...
>
> Stopping apache makes the load rapidly decrease to a normal level.
>
> I noticed at the console, when stopping apache, several messages such as
>
> Jun 14 09:12:20 macos kernel: Jun 14 09:12:20 macos suhosin[28824]: ALERT -
> canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR
> not set', file
> '/home/wins/win/win/www/wiki/mediawiki-1.16.0/includes/AutoLoader.php',
> line 654)
>
> (the file value differs, but it's always "suhosin .. canary mismatch
> - heap overflow detected")
> My PHP has the following options set
> # cd /usr/ports/lang/php52
> # make showconfig
> ===> The following configuration options are available for php52-5.2.17_8:
> CLI=on: Build CLI version
> CGI=on: Build CGI version
> APACHE=on: Build Apache module
> DEBUG=off: Enable debug
> SUHOSIN=on: Enable Suhosin protection system (not for jails)
> MULTIBYTE=off: Enable zend multibyte support
> IPV6=on: Enable ipv6 support
> MAILHEAD=off: Enable mail header patch
> REDIRECT=off: Enable force-cgi-redirect support (CGI only)
> DISCARD=off: Enable discard-path support (CGI only)
> FASTCGI=on: Enable fastcgi support (CGI only)
> FPM=off: Enable fastcgi process manager (CGI only)
> PATHINFO=on: Enable path-info-check support (CGI only)
> LINKTHR=off: Link thread lib (for threaded extensions)
>
> Is that heap overflow causing the trouble? Does suhosin have something to do with
> it?
> How to solve it?
>
For starters, I would suggest moving away from apache and towards nginx + fastcgi php.
A friend had a small dedicated server with a vbulletin forum overloaded with addons, and apache/php were bringing the server to "high" load levels, 10-20ish.
I've moved him to nginx and the server hardly ever goes above 1 now.
Additionally, nginx is immune to Slowloris attacks, while apache is not.
Only after migrating to nginx would I investigate whether the suhosin problem still exists.
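To check whether the suhosin alerts actually coincide with the load spikes, it helps to pull every ALERT line out of the syslog and bucket it by minute, by PHP file and by the "attacker" address suhosin reports. The following is an added example, not code posted by either participant: a small Python parser for the syslog line shape quoted in the question (syslog's own "Mon DD HH:MM:SS host" prefix, then the repeated stamp and the suhosin message). The first sample line is the one from the question; the remaining sample lines, the 203.0.113.7 address and the second file path are constructed for illustration.

```python
"""Parse suhosin ALERT lines out of a FreeBSD syslog extract and summarise
them, so 'heap overflow detected' alerts can be matched against the time of
a load spike, the PHP file involved and the remote address (if any)."""
import re
from collections import Counter
from datetime import datetime

# Line shape taken from the syslog excerpt in the question: syslog's own
# "Mon DD HH:MM:SS host kernel:" prefix, then the kernel repeats the stamp
# and host in front of the suhosin message. Both the "kernel:" token and the
# repeated stamp are optional so lines from a plain messages file also match.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?:kernel: )?(?:[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ )?"
    r"suhosin\[(?P<pid>\d+)\]: ALERT - (?P<msg>.+?) "
    r"\(attacker '(?P<attacker>[^']*)', file '(?P<file>[^']*)', line (?P<line>\d+)\)\s*$"
)

# Constructed sample extract. Line 0 is the alert quoted in the question;
# the others (the 203.0.113.7 client, the second PHP file and the unrelated
# kernel message) are assumptions made up for this example.
SAMPLE_LOG = [
    "Jun 14 09:12:20 macos kernel: Jun 14 09:12:20 macos suhosin[28824]: ALERT - "
    "canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', "
    "file '/home/wins/win/win/www/wiki/mediawiki-1.16.0/includes/AutoLoader.php', line 654)",
    "Jun 14 09:12:41 macos kernel: Jun 14 09:12:41 macos suhosin[28831]: ALERT - "
    "canary mismatch on efree() - heap overflow detected (attacker '203.0.113.7', "
    "file '/usr/local/www/example/index.php', line 12)",
    "Jun 14 09:12:42 macos kernel: unrelated message that must be ignored",
    "Jun 14 09:13:05 macos kernel: Jun 14 09:13:05 macos suhosin[28850]: ALERT - "
    "canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', "
    "file '/home/wins/win/win/www/wiki/mediawiki-1.16.0/includes/AutoLoader.php', line 654)",
]


def parse_alert(line):
    """Return a dict of fields for a suhosin ALERT line, or None for any other line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # syslog stamps carry no year; the default year 1900 is fine for bucketing
    d["when"] = datetime.strptime(" ".join(d["ts"].split()), "%b %d %H:%M:%S")
    d["pid"] = int(d["pid"])
    d["line"] = int(d["line"])
    return d


def summarise(lines):
    """Count alerts per minute, per PHP file and per reported attacker address."""
    per_minute, per_file, per_attacker = Counter(), Counter(), Counter()
    for raw in lines:
        a = parse_alert(raw)
        if a is None:
            continue
        per_minute[a["when"].strftime("%b %d %H:%M")] += 1
        per_file[a["file"]] += 1
        per_attacker[a["attacker"]] += 1
    return {"per_minute": per_minute, "per_file": per_file, "per_attacker": per_attacker}


def report(lines):
    """Render the three counters as text, busiest entries first."""
    s = summarise(lines)
    out = []
    for title in ("per_minute", "per_file", "per_attacker"):
        out.append(title)
        for key, n in s[title].most_common():
            out.append("  %5d  %s" % (n, key))
    return "\n".join(out)


if __name__ == "__main__":
    # Real use: python thisfile.py < /var/log/messages
    import sys
    src = sys.stdin.readlines() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(src))
```

Alert minutes that line up with the load spikes, or an attacker field that is a real client address rather than 'REMOTE_ADDR not set', would point at request-driven triggering; alerts spread evenly across files and times would not.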