From 9c39e18b97048a730c710057e0edd994b0bb1638 Mon Sep 17 00:00:00 2001
From: Daniel Gruno
Date: Fri, 4 May 2012 14:36:40 +0000
Subject: [PATCH] Backporting syntax highlighting for misc/
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1333991 13f79535-47bb-0310-9956-ffa450edef68
---
docs/manual/misc/perf-tuning.xml | 254 +++++++++++---------------
docs/manual/misc/perf-tuning.xml.fr | 2 +-
docs/manual/misc/security_tips.xml | 58 +++---
docs/manual/misc/security_tips.xml.fr | 2 +-
4 files changed, 139 insertions(+), 177 deletions(-)
diff --git a/docs/manual/misc/perf-tuning.xml b/docs/manual/misc/perf-tuning.xml
index c9630446cf..a38d55619f 100644
--- a/docs/manual/misc/perf-tuning.xml
+++ b/docs/manual/misc/perf-tuning.xml
@@ -152,14 +152,12 @@ matching the criteria. Here's an example which disables lookups except for .html and .cgi files:

- - HostnameLookups off
- <Files ~ "\.(html|cgi)$">
- - HostnameLookups on
-
- </Files> -
+ +HostnameLookups off +<Files ~ "\.(html|cgi)$"> + HostnameLookups on +</Files> +

But even still, if you just need DNS names in some CGIs you could consider doing the gethostbyname call in the @@ -177,14 +175,12 @@ system calls to check up on symlinks. One extra call per filename component. For example, if you had:

- - DocumentRoot /www/htdocs
- <Directory />
- - Options SymLinksIfOwnerMatch
-
- </Directory> -
+ +DocumentRoot /www/htdocs +<Directory /> + Options SymLinksIfOwnerMatch +</Directory> +

and a request is made for the URI /index.html. Then Apache will perform lstat(2) on @@ -194,20 +190,16 @@ every single request. If you really desire the symlinks security checking you can do something like this:

- - DocumentRoot /www/htdocs
- <Directory />
- - Options FollowSymLinks
-
- </Directory>
-
- <Directory /www/htdocs>
- - Options -FollowSymLinks +SymLinksIfOwnerMatch
-
- </Directory> -
+ +DocumentRoot /www/htdocs +<Directory /> + Options FollowSymLinks +</Directory> + +<Directory /www/htdocs> + Options -FollowSymLinks +SymLinksIfOwnerMatch +</Directory> +

This at least avoids the extra checks for the DocumentRoot path. @@ -229,14 +221,12 @@ .htaccess for each filename component. For example,

- - DocumentRoot /www/htdocs
- <Directory />
- - AllowOverride all
-
- </Directory> -
+ +DocumentRoot /www/htdocs +<Directory /> + AllowOverride all +</Directory> +

and a request is made for the URI /index.html. Then Apache will attempt to open /.htaccess, @@ -258,15 +248,11 @@ penalties. There's one case where you can speed up the server. Instead of using a wildcard such as:

- - DirectoryIndex index - + DirectoryIndex index

Use a complete list of options:

- - DirectoryIndex index.cgi index.pl index.shtml index.html - + DirectoryIndex index.cgi index.pl index.shtml index.html

where you list the most common choice first.

@@ -445,6 +431,12 @@ one connection at a time. Worker generally is a good choice for high-traffic servers because it has a smaller memory footprint than the prefork MPM. + +
  • The event MPM is threaded like the + Worker MPM, but is designed to allow more requests to be + served simultaneously by passing off some processing work + to supporting threads, freeing up the main threads to work + on new requests.
  • The prefork MPM uses multiple child processes with one thread each. Each process handles @@ -473,7 +465,7 @@ matter of commenting out the associated LoadModule directive for that module. This allows you to experiment with removing modules, and seeing - if your site still functions in their absense.

    + if your site still functions in their absence.

    If, on the other hand, you have modules statically linked into your Apache binary, you will need to recompile Apache in @@ -586,39 +578,29 @@ do not match the code, they're contrived for pedagogical purposes):

    - - for (;;) {
    - - for (;;) {
    - - fd_set accept_fds;
    -
    - FD_ZERO (&accept_fds);
    - for (i = first_socket; i <= last_socket; ++i) {
    - - FD_SET (i, &accept_fds);
    -
    - }
    - rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL);
    - if (rc < 1) continue;
    - new_connection = -1;
    - for (i = first_socket; i <= last_socket; ++i) {
    - - if (FD_ISSET (i, &accept_fds)) {
    - - new_connection = accept (i, NULL, NULL);
    - if (new_connection != -1) break;
    -
    - }
    -
    - }
    - if (new_connection != -1) break;
    -
    - }
    - process the new_connection;
    -
    + + for (;;) { + for (;;) { + fd_set accept_fds; + + FD_ZERO (&accept_fds); + for (i = first_socket; i <= last_socket; ++i) { + FD_SET (i, &accept_fds); + } + rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL); + if (rc < 1) continue; + new_connection = -1; + for (i = first_socket; i <= last_socket; ++i) { + if (FD_ISSET (i, &accept_fds)) { + new_connection = accept (i, NULL, NULL); + if (new_connection != -1) break; + } + } + if (new_connection != -1) break; + } + process_the(new_connection); } -
    +

    But this naive implementation has a serious starvation problem. Recall that multiple children execute this loop at the same @@ -657,41 +639,31 @@ entry into the inner loop. The loop looks like this (differences highlighted):

    - - for (;;) {
    - - accept_mutex_on ();
    - for (;;) {
    - - fd_set accept_fds;
    -
    - FD_ZERO (&accept_fds);
    - for (i = first_socket; i <= last_socket; ++i) {
    - - FD_SET (i, &accept_fds);
    -
    - }
    - rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL);
    - if (rc < 1) continue;
    - new_connection = -1;
    - for (i = first_socket; i <= last_socket; ++i) {
    - - if (FD_ISSET (i, &accept_fds)) {
    - - new_connection = accept (i, NULL, NULL);
    - if (new_connection != -1) break;
    -
    - }
    -
    - }
    - if (new_connection != -1) break;
    -
    - }
    - accept_mutex_off ();
    - process the new_connection;
    -
    + + for (;;) { + accept_mutex_on (); + for (;;) { + fd_set accept_fds; + + FD_ZERO (&accept_fds); + for (i = first_socket; i <= last_socket; ++i) { + FD_SET (i, &accept_fds); + } + rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL); + if (rc < 1) continue; + new_connection = -1; + for (i = first_socket; i <= last_socket; ++i) { + if (FD_ISSET (i, &accept_fds)) { + new_connection = accept (i, NULL, NULL); + if (new_connection != -1) break; + } + } + if (new_connection != -1) break; + } + accept_mutex_off (); + process the new_connection; } -
    +

    The functions accept_mutex_on and accept_mutex_off @@ -800,39 +772,31 @@ http_main.c). The function looks roughly like this:
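Review bot: The closing statement of this serialized-accept listing is still the pseudo-code `process the new_connection;`, while the preceding hunk rewrote the same line of the unserialized loop to `process_the(new_connection);`. The surrounding text says the two listings differ only by the highlighted mutex calls, and both now appear to be marked up for C highlighting (the tags are not visible in this rendering), so the last line should match: `process_the(new_connection);`. The lingering_close listing in the following hunk has the same mix of C and prose in `select (s for reading, 2 second timeout);` and `if (s is ready for reading)`. Moving those placeholders into comments would keep the highlighted block readable as C.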

    - - void lingering_close (int s)
    - {
    - - char junk_buffer[2048];
    -
    - /* shutdown the sending side */
    - shutdown (s, 1);
    -
    - signal (SIGALRM, lingering_death);
    - alarm (30);
    -
    - for (;;) {
    - - select (s for reading, 2 second timeout);
    - if (error) break;
    - if (s is ready for reading) {
    - - if (read (s, junk_buffer, sizeof (junk_buffer)) <= 0) {
    - - break;
    -
    - }
    - /* just toss away whatever is here */
    -
    - }
    -
    - }
    -
    - close (s);
    -
    + + void lingering_close (int s) + { + char junk_buffer[2048]; + + /* shutdown the sending side */ + shutdown (s, 1); + + signal (SIGALRM, lingering_death); + alarm (30); + + for (;;) { + select (s for reading, 2 second timeout); + if (error) break; + if (s is ready for reading) { + if (read (s, junk_buffer, sizeof (junk_buffer)) <= 0) { + break; + } + /* just toss away whatever is here */ + } + } + + close (s); } -
    +

    This naturally adds some expense at the end of a connection, but it is required for a reliable implementation. As HTTP/1.1 @@ -904,7 +868,7 @@

    The -l option tells truss to log the ID of the - LWP (lightweight process--Solaris's form of kernel-level thread) + LWP (lightweight process--Solaris' form of kernel-level thread) that invokes each system call.

    Other systems may have different system call tracing utilities @@ -974,7 +938,7 @@

    Next, the worker thread puts the connection to the client (file descriptor 9) in non-blocking mode. The setsockopt(2) and getsockopt(2) calls are a side-effect of how - Solaris's libc handles fcntl(2) on sockets.

    + Solaris' libc handles fcntl(2) on sockets.

    /65:    read(9, " G E T   / 1 0 k . h t m".., 8000)     = 97
diff --git a/docs/manual/misc/perf-tuning.xml.fr b/docs/manual/misc/perf-tuning.xml.fr
index 512ef7bdcb..9e91e58d02 100644
--- a/docs/manual/misc/perf-tuning.xml.fr
+++ b/docs/manual/misc/perf-tuning.xml.fr
@@ -1,7 +1,7 @@ - +
diff --git a/docs/manual/misc/security_tips.xml b/docs/manual/misc/security_tips.xml
index e272f995f6..efa1f8f7fd 100644
--- a/docs/manual/misc/security_tips.xml
+++ b/docs/manual/misc/security_tips.xml
@@ -327,11 +327,11 @@

    In the server configuration file, put

    - - <Directory />
    - AllowOverride None
    - </Directory> -
    + +<Directory /> + AllowOverride None +</Directory> +

    This prevents the use of .htaccess files in all directories apart from those specifically enabled.

    @@ -358,27 +358,27 @@ work around this, add the following block to your server's configuration:

    - - <Directory />
    - Order Deny,Allow
    - Deny from all
    - </Directory> -
    + +<Directory /> + Order Deny,Allow + Deny from all +</Directory> +

    This will forbid default access to filesystem locations. Add appropriate Directory blocks to allow access only in those areas you wish. For example,

    - - <Directory /usr/users/*/public_html>
    - Order Deny,Allow
    - Allow from all
    - </Directory>
    - <Directory /usr/local/httpd>
    - Order Deny,Allow
    - Allow from all
    - </Directory> -
    + +<Directory /usr/users/*/public_html> + Order Deny,Allow + Allow from all +</Directory> +<Directory /usr/local/httpd> + Order Deny,Allow + Allow from all +</Directory> +

    Pay particular attention to the interactions of Location and - - UserDir disabled root - + UserDir disabled root @@ -438,12 +436,12 @@ you probably commented out the following in your server configuration file:
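Review bot: The deny-by-default block re-wrapped here still reads `Order Deny,Allow` / `Deny from all`, which on the 2.4.x branch named in the git-svn-id trailer is the older access-control syntax supplied by mod_access_compat rather than the native mod_authz_core form. A reader who copies it into a 2.4 configuration without that module loaded gets a configuration error at startup, and mixing it with `Require` directives elsewhere makes the effective policy hard to reason about. Since the block is being touched anyway, consider `Require all denied` for `<Directory />` and `Require all granted` in the two allow examples. The `<Files ".ht*">` block in the last hunk of this file uses `Order allow,deny` / `Deny from all` and would take `Require all denied` in the same way.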

    - - <Files ".ht*">
    - Order allow,deny
    - Deny from all
    - </Files> -
    + +<Files ".ht*"> + Order allow,deny + Deny from all +</Files> +
diff --git a/docs/manual/misc/security_tips.xml.fr b/docs/manual/misc/security_tips.xml.fr
index cc98401f0c..466340ad9a 100644
--- a/docs/manual/misc/security_tips.xml.fr
+++ b/docs/manual/misc/security_tips.xml.fr
@@ -1,7 +1,7 @@ - +
--
2.40.0