Re: [mod-security-users] Disappointed with the Google Safe List implementation
From: Breno S. <bre...@gm...> - 2011-05-27 12:20:29
I cannot stress it too much ... my "server" is a vm image with 500mb of memory and low cpu.

On Fri, May 27, 2011 at 4:19 AM, Rainer Jung <rai...@ki...> wrote:

> On 27.05.2011 11:03, Phoenix Kiula wrote:
> > On Fri, May 27, 2011 at 4:06 PM, Rainer Jung <rai...@ki...> wrote:
> >
> > Rainer, thanks for this informative post.
> >
> > I am the one who was testing with Breno live on my very high traffic
> > server. And we had no success.
> >
> > I have to use Prefork. Cannot use Worker MPM as highly customized php
> > functionality is paramount. Worker MPM is not great for PHP as one
> > needs to tinker with mod_fcgi dribble.
> >
> > My setup is as follows:
> >
> > TimeOut 6
> > KeepAlive On
> > KeepAliveTimeout 2
> > StartServers 5
> > MinSpareServers 5
> > MaxSpareServers 15
> > ServerLimit 600
> > MaxClients 350
> > MaxRequestsPerChild 2000
> >
> >
> > I have quad core CentOS 64 bit, with 12GB RAM. I can spare about 3GB
> > for Apache alone, as the rest is needed for heavylifting by
> > Postgresql. It's a RAID 10 setup if that matters.
> >
> > With this in mind, and peak traffic of about 1000 concurrent
> > connections (which are very small and quick) -- and images are
> > offloaded either to a CDN static server or to a separate nginx
> > installation -- and about 500 MaxClients, what would you recommend?
> >
> > Your description is very lucid, but it's for Worker MPM and its
> > threads. Would love to hear your opinion about Prefork's processes
> > too, because as of now I cannot use the Google safe Browsing rules
> > with my setup above -- Apache crashes in less than a minute. Even with
> > Breno's latest build of 2.6.1_rc.
>
> 1) Start with MaxClients. Despite its name MaxClients configures the
> maximum number of concurrent connections Apache will handle. For prefork
> each connection is one thread which in turn is one process.
>
> A few additional connections might stay in kernel accept, but this won't
> be much.
>
> If you need to handle a peak load of 1000 concurrent connections with
> prefork, you need MaxClients 1000 and prepare for 1000 Apache processes
> (!). So think twice, whether that number is realistic. You can reduce
> the number of connections by either turning KeepAlive off, or reducing
> your KeepAliveTimeout from 2 to 1. You might also want to monitor
> server-status to find out, how many concurrent connections are there
> actually during peak times.
>
> I will assume 1000 for now.
>
> 2) StartServers I would suggest a number close to the number of
> concurrent connections you experience most time of the day. It might be
> something like 100. It should usually be somewhere between 10 and 20% of
> MaxClients.
>
> 3) MinSpareServers: I suggest about 5% to 10% of the number of
> concurrent connections you experience most time of the day. So here it
> might be about 5-10.
>
> 4) MaxSpareServers: I'd say 25% of the number of concurrent connections
> you experience most time of the day. So here it might be about 25.
>
> 5) ServerLimit must be at least as big as MaxClients. If you do not want
> to increase MaxClients using a graceful restart, you can set ServerLimit
> equal to MaxClients.
>
> 6) MaxRequestsPerChild could be OK, depending on your rate of new
> connections per process.
>
> 5) If your process table shows that Apache processes are not being
> reused nicely, i.e. you always see a high number of processes that are
> only a few minutes old, then you needed to increase MaxRequestsPerChild
> and possibly also the difference between min spare and max spare.
>
> Regards,
>
> Rainer
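
The prefork sizing rules quoted in this message, combined with a memory-budget check, as an added example that is not part of the original thread or of ModSecurity. The function and parameter names are hypothetical, and the 30 MB per-child figure is a constructed assumption to be replaced with a value measured on the host with ModSecurity and its rules loaded.

```python
# Added example: prefork sizing per the rules of thumb in the thread above.
# Function and parameter names are hypothetical; rss_per_child_mb is an
# assumption you must replace with a value measured on your own host.

def prefork_plan(peak_conns, typical_conns, apache_budget_mb, rss_per_child_mb):
    """Return (directives, fits); fits is False when the peak does not fit in RAM."""
    if rss_per_child_mb <= 0:
        raise ValueError("rss_per_child_mb must be positive")
    # Rule 1: under prefork one connection is one process, so covering the
    # peak needs MaxClients equal to the peak concurrent connections.
    wanted = peak_conns
    # Memory ceiling: children that fit in the RAM set aside for Apache.
    affordable = apache_budget_mb // rss_per_child_mb
    max_clients = min(wanted, affordable)
    typical = min(typical_conns, max_clients)
    directives = {
        "StartServers": typical,                         # rule 2
        "MinSpareServers": max(1, typical * 10 // 100),  # rule 3, upper end
        "MaxSpareServers": max(2, typical * 25 // 100),  # rule 4
        "ServerLimit": max_clients,                      # rule 5
        "MaxClients": max_clients,
    }
    return directives, wanted <= affordable


def render(directives):
    """Format the directives as httpd.conf lines."""
    return "\n".join(f"{name} {value}" for name, value in directives.items())


if __name__ == "__main__":
    # Figures from the thread: 1000 peak connections, about 100 typical,
    # roughly 3 GB for Apache. 30 MB per child is a constructed value.
    plan, fits = prefork_plan(1000, 100, 3 * 1024, 30)
    print(render(plan))
    if not fits:
        print("# peak does not fit in the memory budget; MaxClients was capped")
```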