Date:      Wed, 23 Apr 2008 03:49:25 +0200
From:      Bernd Walter <ticso@cicely12.cicely.de>
To:        d@delphij.net
Cc:        Poul-Henning Kamp <phk@phk.freebsd.dk>, freebsd-current@freebsd.org, Ivan Voras <ivoras@freebsd.org>, Antony Mawer <fbsd-current@mawer.org>
Subject:   Re: Http Accept filters (accf_http)
Message-ID:  <20080423014924.GO81277@cicely12.cicely.de>
In-Reply-To: <480E686B.7090703@delphij.net>
References:  <13383.1208899946@critter.freebsd.dk> <480E6698.7000008@mawer.org> <480E686B.7090703@delphij.net>

On Tue, Apr 22, 2008 at 03:36:27PM -0700, Xin LI wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Antony Mawer wrote:
> | Poul-Henning Kamp wrote:
> |> In message <480E589C.8010108@delphij.net>, Xin LI writes:
> |>
> |>> | Does anyone know why accf_accept is disabled by default in the ports'
> |>> | stock Apache 2.2 (it's disabled in the default config files)? I
> |>> thought
> |>> | it was because it was dangerous or flawed for some reason, though (at
> |>> | least for light loads comparable to those of OP) it seems to work
> |>> fine.
> |>
> |> I think adding them to the apache is OK, as long as apache fails
> |> gracefully if they are not present in the kernel.

It tries to kldload if configured and not already in the kernel, but
uses traditional connection handling if loading the module fails.

> | I seem to recall I had problems trying to get Apache to run with accept
> | filters turned on in a jail environment... having said that, I just
> | tried to enable it in a jail and restarted Apache and it started up
> | fine. Maybe I was just imagining it?
> 
> Hmm...  I think Apache would just work as long as it is loaded into
> kernel or statically linked into it, no matter if it is in a jail
> environment (my personal server uses Apache in jail for dynamic contents
> and it just worked fine).

A jailed apache can't load the module, so to enable the feature you
can't rely on autoloading.
If you compile it into the kernel or load the module outside of the
jail it runs fine within the jail.

-- 
B.Walter <bernd@bwct.de> http://www.bwct.de
Modbus/TCP Ethernet I/O modules, ARM-based FreeBSD computers, and much more.


