From bf7cc0553f96d0c54d20e28627704234eee925e3 Mon Sep 17 00:00:00 2001
From: Daniel Gruno .html and .cgi files:
- HostnameLookups off
- <Files ~ "\.(html|cgi)$">
-
- HostnameLookups on
-
- </Files>
-
+HostnameLookups off +<Files ~ "\.(html|cgi)$"> + HostnameLookups on +</Files> ++
But even still, if you just need DNS names in some CGIs you
could consider doing the gethostbyname call in the
@@ -162,14 +161,13 @@
system calls to check up on symlinks. One extra call per
filename component. For example, if you had:
- DocumentRoot /www/htdocs
- <Directory />
-
- Options SymLinksIfOwnerMatch
-
- </Directory>
-
+DocumentRoot /www/htdocs +<Directory /> + Options SymLinksIfOwnerMatch +</Directory> ++
and a request is made for the URI /index.html.
Then Apache will perform lstat(2) on
@@ -179,20 +177,17 @@
every single request. If you really desire the symlinks
security checking you can do something like this:
- DocumentRoot /www/htdocs
- <Directory />
-
- Options FollowSymLinks
-
- </Directory>
-
- <Directory /www/htdocs>
-
- Options -FollowSymLinks +SymLinksIfOwnerMatch
-
- </Directory>
-
+DocumentRoot /www/htdocs +<Directory /> + Options FollowSymLinks +</Directory> + +<Directory /www/htdocs> + Options -FollowSymLinks +SymLinksIfOwnerMatch +</Directory> ++
This at least avoids the extra checks for the
DocumentRoot path.
@@ -214,14 +209,13 @@
.htaccess for each filename component. For
example,
- DocumentRoot /www/htdocs
- <Directory />
-
- AllowOverride all
-
- </Directory>
-
+DocumentRoot /www/htdocs +<Directory /> + AllowOverride all +</Directory> ++
and a request is made for the URI /index.html.
Then Apache will attempt to open /.htaccess,
@@ -243,15 +237,13 @@
penalties. There's one case where you can speed up the server.
Instead of using a wildcard such as:
- DirectoryIndex index
-
DirectoryIndex index+
Use a complete list of options:
-
- DirectoryIndex index.cgi index.pl index.shtml index.html
-
DirectoryIndex index.cgi index.pl index.shtml index.html+
where you list the most common choice first.
@@ -559,39 +551,30 @@ do not match the code, they're contrived for pedagogical purposes): -
- for (;;) {
-
- for (;;) {
-
- fd_set accept_fds;
-
- FD_ZERO (&accept_fds);
- for (i = first_socket; i <= last_socket; ++i) {
-
- FD_SET (i, &accept_fds);
-
- }
- rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL);
- if (rc < 1) continue;
- new_connection = -1;
- for (i = first_socket; i <= last_socket; ++i) {
-
- if (FD_ISSET (i, &accept_fds)) {
-
- new_connection = accept (i, NULL, NULL);
- if (new_connection != -1) break;
-
- }
-
- }
- if (new_connection != -1) break;
-
- }
- process the new_connection;
-
+
+ for (;;) {
+ for (;;) {
+ fd_set accept_fds;
+
+ FD_ZERO (&accept_fds);
+ for (i = first_socket; i <= last_socket; ++i) {
+ FD_SET (i, &accept_fds);
+ }
+ rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL);
+ if (rc < 1) continue;
+ new_connection = -1;
+ for (i = first_socket; i <= last_socket; ++i) {
+ if (FD_ISSET (i, &accept_fds)) {
+ new_connection = accept (i, NULL, NULL);
+ if (new_connection != -1) break;
+ }
+ }
+ if (new_connection != -1) break;
+ }
+ process_the(new_connection);
}
-
But this naive implementation has a serious starvation problem. Recall that multiple children execute this loop at the same
@@ -629,41 +612,32 @@ entry into the inner loop. The loop looks like this (differences highlighted):
-
- for (;;) {
-
- accept_mutex_on ();
- for (;;) {
-
- fd_set accept_fds;
-
- FD_ZERO (&accept_fds);
- for (i = first_socket; i <= last_socket; ++i) {
-
- FD_SET (i, &accept_fds);
-
- }
- rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL);
- if (rc < 1) continue;
- new_connection = -1;
- for (i = first_socket; i <= last_socket; ++i) {
-
- if (FD_ISSET (i, &accept_fds)) {
-
- new_connection = accept (i, NULL, NULL);
- if (new_connection != -1) break;
-
- }
-
- }
- if (new_connection != -1) break;
-
- }
- accept_mutex_off ();
- process the new_connection;
-
+
+ for (;;) {
+ accept_mutex_on ();
+ for (;;) {
+ fd_set accept_fds;
+
+ FD_ZERO (&accept_fds);
+ for (i = first_socket; i <= last_socket; ++i) {
+ FD_SET (i, &accept_fds);
+ }
+ rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL);
+ if (rc < 1) continue;
+ new_connection = -1;
+ for (i = first_socket; i <= last_socket; ++i) {
+ if (FD_ISSET (i, &accept_fds)) {
+ new_connection = accept (i, NULL, NULL);
+ if (new_connection != -1) break;
+ }
+ }
+ if (new_connection != -1) break;
+ }
+ accept_mutex_off ();
+ process the new_connection;
}
-
The functions
accept_mutex_on and accept_mutex_off
@@ -771,39 +745,32 @@
http_main.c). The function looks roughly like
this:
- void lingering_close (int s)
- {
-
- char junk_buffer[2048];
-
- /* shutdown the sending side */
- shutdown (s, 1);
-
- signal (SIGALRM, lingering_death);
- alarm (30);
-
- for (;;) {
-
- select (s for reading, 2 second timeout);
- if (error) break;
- if (s is ready for reading) {
-
- if (read (s, junk_buffer, sizeof (junk_buffer)) <= 0) {
-
- break;
-
- }
- /* just toss away whatever is here */
-
- }
-
- }
-
- close (s);
-
+
+ void lingering_close (int s)
+ {
+ char junk_buffer[2048];
+
+ /* shutdown the sending side */
+ shutdown (s, 1);
+
+ signal (SIGALRM, lingering_death);
+ alarm (30);
+
+ for (;;) {
+ select (s for reading, 2 second timeout);
+ if (error) break;
+ if (s is ready for reading) {
+ if (read (s, junk_buffer, sizeof (junk_buffer)) <= 0) {
+ break;
+ }
+ /* just toss away whatever is here */
+ }
+ }
+
+ close (s);
}
-
This naturally adds some expense at the end of a connection,
but it is required for a reliable implementation. As HTTP/1.1
diff --git a/docs/manual/misc/perf-tuning.xml b/docs/manual/misc/perf-tuning.xml
index fcbd0c010de..5fe5faafd85 100644
--- a/docs/manual/misc/perf-tuning.xml
+++ b/docs/manual/misc/perf-tuning.xml
@@ -152,14 +152,12 @@
matching the criteria. Here's an example which disables lookups
except for .html and .cgi files:
But even still, if you just need DNS names in some CGIs you
could consider doing the gethostbyname call in the
@@ -177,14 +175,12 @@
system calls to check up on symlinks. One extra call per
filename component. For example, if you had:
and a request is made for the URI /index.html.
Then Apache will perform lstat(2) on
@@ -194,20 +190,16 @@
every single request. If you really desire the symlinks
security checking you can do something like this:
This at least avoids the extra checks for the
.htaccess for each filename component. For
example,
and a request is made for the URI /index.html.
Then Apache will attempt to open /.htaccess,
@@ -258,15 +248,11 @@
penalties. There's one case where you can speed up the server.
Instead of using a wildcard such as:
Use a complete list of options:
-where you list the most common choice first.
@@ -586,39 +572,29 @@ do not match the code, they're contrived for pedagogical purposes): -But this naive implementation has a serious starvation problem. Recall that multiple children execute this loop at the same
@@ -657,41 +633,31 @@ entry into the inner loop. The loop looks like this (differences highlighted):
-The functions
accept_mutex_on and accept_mutex_off
@@ -800,39 +766,31 @@
http_main.c). The function looks roughly like
this:
This naturally adds some expense at the end of a connection, but it is required for a reliable implementation. As HTTP/1.1
diff --git a/docs/manual/misc/security_tips.html.en b/docs/manual/misc/security_tips.html.en
index baf4b279e66..1a5ec0a057e 100644
--- a/docs/manual/misc/security_tips.html.en
+++ b/docs/manual/misc/security_tips.html.en
@@ -334,11 +334,12 @@
In the server configuration file, put
-
- <Directory />
- AllowOverride None
+
+ <Directory />
+ AllowOverride None
</Directory>
-
This prevents the use of .htaccess files in all
directories apart from those specifically enabled.
- <Directory />
- Order Deny,Allow
- Deny from all
+
+ <Directory />
+ Order Deny,Allow
+ Deny from all
</Directory>
-
This will forbid default access to filesystem locations. Add
appropriate Directory blocks to
allow access only in those areas you wish. For example,
- <Directory /usr/users/*/public_html>
- Order Deny,Allow
- Allow from all
- </Directory>
- <Directory /usr/local/httpd>
- Order Deny,Allow
- Allow from all
+
+ <Directory /usr/users/*/public_html>
+ Order Deny,Allow
+ Allow from all
</Directory>
-
Pay particular attention to the interactions of Location and Directory directives; for instance, even
if <Directory /> denies access, a
@@ -397,9 +400,8 @@
recommend that you include the following line in your server
configuration files:
- UserDir disabled root
-
UserDir disabled root+
- <Files ".ht*">
- Order allow,deny
- Deny from all
+
+ <Files ".ht*">
+ Order allow,deny
+ Deny from all
</Files>
-
In the server configuration file, put
-This prevents the use of .htaccess files in all
directories apart from those specifically enabled.
This will forbid default access to filesystem locations. Add
appropriate
Pay particular attention to the interactions of