Date:      Thu, 21 Jun 2012 09:32:18 +0200
From:      Damien Fleuriot <ml@my.gd>
To:        n dhert <ndhertbsd@gmail.com>
Cc:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: apache PHP suhosin load
Message-ID:  <F8A9D3A9-6825-4EFB-9B56-1D5C21143C1D@my.gd>
In-Reply-To: <CAEFCw4uyugX6t2PEJREVZMRCnKhmBz81QXS2MGvYBX3O6-HWaQ@mail.gmail.com>
References:  <CAEFCw4uyugX6t2PEJREVZMRCnKhmBz81QXS2MGvYBX3O6-HWaQ@mail.gmail.com>


On 21 Jun 2012, at 08:34, n dhert <ndhertbsd@gmail.com> wrote:

> On FreeBSD 8.3 I have apache22 web server with PHP. PHP is PHP52 for
> compatibility with existing applications, but the most recent version
> in the php52 branch
> $ php --version
> PHP 5.2.17 with Suhosin-Patch 0.9.7 (cli) (built: May  7 2012 08:45:58)
>
> From time to time, I notice in a top output, that a huge number of httpd
> daemons are being started, making the load rapidly increase to levels of
> 5, 10, 15, ... and very slow interactive response ...
>
> Stopping apache makes the load rapidly decrease to a normal level.
>
> I noticed at the console, at stopping apache, several messages such as
>
> Jun 14 09:12:20 macos kernel: Jun 14 09:12:20 macos suhosin[28824]: ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file '/home/wins/win/win/www/wiki/mediawiki-1.16.0/includes/AutoLoader.php', line 654)
>
> (the file value differs, but it's always "suhosin .. canary mismatch
> - heap overflow detected")
> My PHP has following options set
> # cd /usr/ports/lang/php52
> # make showconfig
> ===> The following configuration options are available for php52-5.2.17_8:
>     CLI=on: Build CLI version
>     CGI=on: Build CGI version
>     APACHE=on: Build Apache module
>     DEBUG=off: Enable debug
>     SUHOSIN=on: Enable Suhosin protection system (not for jails)
>     MULTIBYTE=off: Enable zend multibyte support
>     IPV6=on: Enable ipv6 support
>     MAILHEAD=off: Enable mail header patch
>     REDIRECT=off: Enable force-cgi-redirect support (CGI only)
>     DISCARD=off: Enable discard-path support (CGI only)
>     FASTCGI=on: Enable fastcgi support (CGI only)
>     FPM=off: Enable fastcgi process manager (CGI only)
>     PATHINFO=on: Enable path-info-check support (CGI only)
>     LINKTHR=off: Link thread lib (for threaded extensions)
>
> Is that heap overflow causing the trouble? Does suhosin have something to do with it?
> How to solve?
>

For starters, I would suggest moving away from apache and towards nginx + fastcgi php.

A friend had a small dedicated server with a vbulletin forum overloaded with addons, and apache/php were bringing the server to "high" load levels, 10-20ish.

I've moved him to nginx and the server hardly ever goes above 1 now.

Additionally, nginx is immune to Slowloris attacks, while apache is not.

Only after migrating to nginx would I investigate whether the suhosin problem still exists.
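Added example, not part of either message in this thread: a POSIX sh/awk script that groups suhosin canary-mismatch alerts of the kind quoted above by file:line and by the attacker address suhosin records, so that an admin can see whether one application file or one client address accounts for all of the alerts before deciding anything about the load problem or the web server. The sample log lines are constructed in the quoted format; the AutoLoader.php path is the one the poster reported, while the second path and the 192.0.2.10 address are made up for the example. Alerts tagged 'REMOTE_ADDR not set' are ones raised while PHP had no client address available, which fits the poster's observation that they appeared while apache was being stopped rather than while serving a request; treating them as a separate group keeps them from being mistaken for a remote source.

```shell
#!/bin/sh
# Added example: group suhosin canary-mismatch alerts from syslog by
# file:line and by attacker address. Not code from the thread.

# Constructed sample in the format quoted in the thread. The AutoLoader.php
# path is the one the poster saw; the other path and the 192.0.2.10
# address are made up for the example.
sample_alerts() {
cat <<'EOF'
Jun 14 09:12:20 macos kernel: Jun 14 09:12:20 macos suhosin[28824]: ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file '/home/wins/win/win/www/wiki/mediawiki-1.16.0/includes/AutoLoader.php', line 654)
Jun 14 09:12:21 macos kernel: Jun 14 09:12:21 macos suhosin[28831]: ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file '/home/wins/win/win/www/wiki/mediawiki-1.16.0/includes/AutoLoader.php', line 654)
Jun 14 09:12:21 macos kernel: Jun 14 09:12:21 macos suhosin[28835]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '192.0.2.10', file '/home/example/www/app/index.php', line 42)
Jun 14 09:12:22 macos kernel: Jun 14 09:12:22 macos sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 55000 ssh2
EOF
}

# Read syslog lines on stdin, keep only suhosin canary-mismatch alerts and
# print one line per group: "total N", "site N file:line", "source N addr".
suhosin_summary() {
    grep 'suhosin\[[0-9]*\]: ALERT - canary mismatch' |
    awk -v q="'" '
    {
        # attacker and file are single-quoted fields; line is a bare number.
        match($0, "attacker " q "[^" q "]*" q)
        attacker = substr($0, RSTART + 10, RLENGTH - 11)
        match($0, "file " q "[^" q "]*" q)
        file = substr($0, RSTART + 6, RLENGTH - 7)
        match($0, /line [0-9]+/)
        line = substr($0, RSTART + 5, RLENGTH - 5)
        site[file ":" line]++
        src[attacker]++
        total++
    }
    END {
        printf "total %d\n", total
        for (k in site) printf "site %d %s\n", site[k], k
        for (k in src)  printf "source %d %s\n", src[k], k
    }' | sort
}

# Demo on the constructed sample; on a real host, feed /var/log/messages.
if [ "${1:-}" = "--demo" ]; then
    sample_alerts | suhosin_summary
fi
```

Run with `--demo` to see the grouping on the constructed sample, or pipe the real syslog into `suhosin_summary`. A single file:line that dominates the counts points at one code path in the application (the poster's MediaWiki AutoLoader.php) rather than at a client; a single address that dominates is worth correlating with the web server access log for the same minutes.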