Differences between version 21 and previous revision of ApacheNotes.

Newer page: version 21 Last edited on Wednesday, February 23, 2005 12:09:47 pm by JohnMcPherson
Older page: version 20 Last edited on Friday, January 28, 2005 9:11:59 am by JohnMcPherson
@@ -1,19 +1,9 @@
 !!! Installation 
  
 If you're going to compile and install [Apache] from source, use the [Apache Toolbox | http://www.apachetoolbox.com/]. 
  
-!!! Rotating your logs  
  
-Want to rotate all of your separate ~VirtualHost log files without restarting [Apache]? Use a little-known tool that comes with [Apache] called rotatelogs(8).  
-  
-Change your ~TransferLog lines to:  
-  
-<verbatim>  
-TransferLog "|/path/to/rotatelogs /your/log/file.log 64800"  
-</verbatim>  
-  
-Read the ManPage for more information, or replace with ~CronoLog which has more features.  
  
 !!! Securing [Apache] 
  
 [Apache] recently featured in a [list of security problems | http://isc.sans.org/top20.html]. They generally boil down to configuration mistakes. Points to note when installing, configuring and mantaining [Apache] include: <br> <br> : 
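Review bot: The context line under "Securing [Apache]" that this edit leaves in place still reads "configuring and mantaining" and ends in raw "<br> <br> :" markup. Since the surrounding sections are being reorganised, correct the spelling to "maintaining" and replace the break tags with the wiki's normal way of introducing a list. Removing the log-rotation block also leaves several empty lines between "Installation" and "Securing [Apache]"; one blank line is enough.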
@@ -84,11 +74,65 @@
  ServerAlias wlug.org.nz 
  ServerAlias www2.wlug.org.nz 
 ... 
 </verbatim> 
+  
+  
+!!! Rotating your logs  
+  
+Want to rotate all of your separate ~VirtualHost log files without restarting [Apache]? Use a little-known tool that comes with [Apache] called rotatelogs(8).  
+  
+Change your ~TransferLog lines to:  
+  
+<verbatim>  
+TransferLog "|/path/to/rotatelogs /your/log/file.log 64800"  
+</verbatim>  
+  
+Read the ManPage for more information, or replace with ~CronoLog which has more features.  
+  
+!! Errors on log rotation  
+Some people encounter a problem where apache dies on logrotation.  
+It's not the actual rotation that's the problem, it's the "graceful  
+restart" that the logrotate program sends to apache. This only seems  
+to affect people using Debian Woody, and only with some undetermined  
+set of conditions. Here is our setup:  
+<verbatim>  
+ii apache 1.3.27-0.1.ipv6.r2 Versatile, high-performance HTTP server  
+ii apache-common 1.3.27-0.1.ipv6.r2 Support files for all Apache webservers  
+ii libapache-auth-ldap 1.6.0-3 LDAP authentication module for Apache  
+ii libapache-mod-gzip 1.3.19.1a-5 HTTP compression module for Apache  
+ii libapache-mod-ldap 1.4-3 Apache authentication via LDAP directory  
+ii libapache-mod-perl 1.27-3.ipv6.r1 Integration of perl with the Apache web server  
+ii libapache-mod-ruby 0.9.7-2 Embedding Ruby in the Apache web server  
+ii libapache-mod-ssl 2.8.9-2.4 Strong cryptography (HTTPS support) for Apache  
+ii libapache-reload-perl 0.07-1 Reload changed modules in a mod_perl environment  
+</verbatim>  
+We are using backports of apache 1.3, for [IPv6] support.  
+  
+When it happens, the following is in /var/log/apache/error.log:  
+<verbatim>  
+[Wed Feb 23 06:26:00 2005] [notice] SIGUSR1 received. Doing graceful restart  
+accept_mutex_on: Identifier removed  
+[Wed Feb 23 06:26:03 2005] [notice] Apache/1.3.27 (Unix) Debian GNU/Linux PHP/4.1.2 mod_ssl/2.8.9 OpenSSL/0.9.6c mod_perl/1.27 configured  
+-- resuming normal operations  
+[Wed Feb 23 06:26:03 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache/suexec)  
+[Wed Feb 23 06:26:03 2005] [notice] Accept mutex: sysvsem (Default: sysvsem)  
+[Wed Feb 23 06:26:03 2005] [alert] Child 6894 returned a Fatal error...  
+Apache is exiting!  
+</verbatim>  
+  
+Each time that the reload fails, there is a message about __accept_mutex_on__ or __accept_mutex_off: Invalid argument__ in the  
+error.log file that isn't present when the reload succeeds.  
+  
+Also note the logrotate runs the 'postrotate' section (in apache's case, the reload) every day, even if it only rotates the log files every week.  
+  
+Suggested workarounds include:  
+* replacing '/etc/init.d/apache reload' in /etc/logrotate.d/apache with '/etc/init.d/apache restart', although that will result in your server being inaccessible for at least several seconds.  
+* using cronolog or something else, and remove apache from the logrotate system.  
+* use the 'HUP' signal instead of the 'USR1' signal. (See http://httpd.apache.org/docs/stopping.html).  
  
  
  
 !!! See also 
  
 * NameVirtualHosting 
 * ModBackhand
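Review bot: In the "Suggested workarounds" list that closes the new "Errors on log rotation" section, the 'HUP' bullet gives no trade-off, while the 'restart' bullet does ("inaccessible for at least several seconds"). Say what HUP does to requests that are in progress, as described on the linked stopping.html page, so readers can weigh the three options against each other. The three bullets also mix forms ("replacing", "using ... and remove", "use"); pick one. In the moved rotatelogs example, 64800 seconds is 18 hours; if daily rotation was intended the value would be 86400, so either correct it or add a word on why 18 hours was chosen. Finally, "Also note the logrotate runs the 'postrotate' section ... every day" would be more useful if it named the logrotate setting responsible, since that daily reload is what exposes the server to the failed graceful restart each day rather than once a week.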