GRSEC and Varnish
Bernardf FRIT
bernard at frit.net
Fri Feb 5 12:01:00 CET 2010
Tollef Fog Heen a écrit :
> ]] Bernardf FRIT
>
> | Then the parent varnishd process starts immediately a new child process
> | which lasts some time.
> |
> | Is there any way to fix this. Remocve the GRSEC kernel ? Upgrade the
> | kernel ? Varnish ? or whatever ?
>
> Work out why it thinks that varnishd is doing something wrong? It
> doesn't seem to say so in the log.
>
Seems a bit complicated to add monitoring features on a running GRSEC
kernel. Need to install all kernel files then configure and recompile
the kernel. I will do it if we need it. The only extra feature I found
relevant is CONFIG_GRKERNSEC_RESLOG wich stands for "Denied resource
logging".
I have monitored the following segfault with varnislog :
Jan 29 19:59:07 XXXXXXX varnishd[13812]: segfault at 1000 ip
000000000043abf0 sp 0000000046332ae0 error 4 in varnishd[400000+50000]
Jan 29 19:59:07 XXXXXXX grsec: From 91.163.168.48: signal 11 sent to
/usr/sbin/varnishd[varnishd:13812] uid/euid:65534/65534
gid/egid:65534/65534, pare
nt /usr/sbin/varnishd[varnishd:28927] uid/euid:0/0 gid/egid:0/0
I hope that could help to figure out what happened.
0 CLI - Rd ping
0 CLI - Wr 0 200 PONG 1264791539 1.0
0 CLI - Rd ping
0 CLI - Wr 0 200 PONG 1264791542 1.0
9 SessionOpen c 91.163.168.48 49273 87.98.137.117:80
9 ReqStart c 91.163.168.48 49273 879416771
9 RxRequest c GET
9 RxURL c /a_liste_ville_cp.php?q=59
9 RxProtocol c HTTP/1.1
9 RxHeader c x-requested-with: XMLHttpRequest
9 RxHeader c Accept-Language: fr
9 RxHeader c Referer: http://www.your-immo.fr/recherche.php
9 RxHeader c Accept: */*
9 RxHeader c UA-CPU: x86
9 RxHeader c Accept-Encoding: gzip, deflate
9 RxHeader c User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;
Windows NT 6.0; GTB6.3; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1; SV1) ; S
LCC1; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.5.30729; .NET CLR
3.0.30618; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)
9 RxHeader c Host: www.your-immo.fr
9 RxHeader c Connection: Keep-Alive
9 RxHeader c Cookie: PHPSESSID=9d73c9bbf8944a710f3d954a2e16c838;
DYNSRV=s0;
__utma=235703049.2110649494.1264791338.1264791338.1264791338.1; __u
tmb=235703049.6.10.1264791338; __utmc=235703049;
__utmz=235703049.1264791338.1.1.utmcsr=google|utmccn=generique|utmcmd=cpc|ut
9 VCL_call c recv
9 VCL_return c lookup
9 VCL_call c hash
9 VCL_return c hash
9 VCL_call c miss
9 VCL_return c fetch
10 BackendOpen b ha_proxy 127.0.0.1 35735 127.0.0.1 80
9 Backend c 10 ha_proxy ha_proxy
10 TxRequest b GET
10 TxURL b /a_liste_ville_cp.php?q=59
10 TxProtocol b HTTP/1.1
10 TxHeader b x-requested-with: XMLHttpRequest
10 TxHeader b Accept-Language: fr
10 TxHeader b Referer: http://www.your-immo.fr/recherche.php
10 TxHeader b Accept: */*
10 TxHeader b UA-CPU: x86
10 TxHeader b User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;
Windows NT 6.0; GTB6.3; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1; SV1) ; S
LCC1; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.5.30729; .NET CLR
3.0.30618; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)
10 TxHeader b Host: www.your-immo.fr
10 TxHeader b Cookie: PHPSESSID=9d73c9bbf8944a710f3d954a2e16c838;
DYNSRV=s0;
__utma=235703049.2110649494.1264791338.1264791338.1264791338.1; __u
tmb=235703049.6.10.1264791338; __utmc=235703049;
__utmz=235703049.1264791338.1.1.utmcsr=google|utmccn=generique|utmcmd=cpc|ut
10 TxHeader b X-Forwarded-For: 91.163.168.48
10 TxHeader b Accept-Encoding: gzip
10 TxHeader b X-Varnish: 879416771
10 TxHeader b X-Forwarded-For: 91.163.168.48
10 RxProtocol b HTTP/1.1
10 RxStatus b 200
10 RxResponse b OK
10 RxHeader b Date: Fri, 29 Jan 2010 19:05:12 GMT
10 RxHeader b Server: Apache
10 RxHeader b X-Powered-By: PHP/5.2.5-pl1-gentoo
10 RxHeader b Expires: Thu, 19 Nov 1981 08:52:00 GMT
10 RxHeader b Cache-Control: no-store, no-cache, must-revalidate,
post-check=0, pre-check=0
10 RxHeader b Pragma: no-cache
10 RxHeader b Connection: close
10 RxHeader b Transfer-Encoding: chunked
10 RxHeader b Content-Type: text/html
9 ObjProtocol c HTTP/1.1
9 ObjStatus c 200
9 ObjResponse c OK
9 ObjHeader c Date: Fri, 29 Jan 2010 19:05:12 GMT
9 ObjHeader c Server: Apache
9 ObjHeader c X-Powered-By: PHP/5.2.5-pl1-gentoo
9 ObjHeader c Expires: Thu, 19 Nov 1981 08:52:00 GMT
9 ObjHeader c Cache-Control: no-store, no-cache, must-revalidate,
post-check=0, pre-check=0
9 ObjHeader c Pragma: no-cache
9 ObjHeader c Content-Type: text/html
10 BackendClose b ha_proxy
9 TTL c 879416771 RFC 0 1264791545 1264791912 375007920 0 0
9 VCL_call c fetch
9 TTL c 879416771 VCL 0 1264791545
9 VCL_return c pass
9 Length c 12193
9 VCL_call c deliver
9 VCL_return c deliver
9 TxProtocol c HTTP/1.1
9 TxStatus c 200
9 TxResponse c OK
9 TxHeader c Expires: Thu, 19 Nov 1981 08:52:00 GMT
9 TxHeader c Cache-Control: no-store, no-cache, must-revalidate,
post-check=0, pre-check=0
9 TxHeader c Pragma: no-cache
9 TxHeader c Content-Type: text/html
9 TxHeader c Content-Length: 12193
9 TxHeader c X-Cacheable: NO:Not-Cacheable
9 TxHeader c Date: Fri, 29 Jan 2010 18:59:05 GMT
9 TxHeader c X-Varnish: 879416771
9 TxHeader c Age: 0
9 TxHeader c Via: 1.1 varnish
9 TxHeader c Connection: keep-alive
9 TxHeader c X-Served-By: Server 203
9 TxHeader c X-Cache: MISS
9 TxHeader c Server: Apache-NSCA
9 ReqEnd c 879416771 1264791545.113656044 1264791545.259571791
0.011645794 0.145873547 0.000042200
0 StatAddr - 91.163.168.48 0 173 23 129 3 9 15 49930 1202797
0 CLI - Rd ping
0 CLI - Wr 0 200 PONG 1264791545 1.0
0 WorkThread - 0x420a0ce0 start
0 CLI - Rd vcl.load boot ./vcl.1P9zoqAU.so
0 CLI - Wr 0 200 Loaded "./vcl.1P9zoqAU.so" as "boot"
0 CLI - Rd vcl.use boot
0 CLI - Wr 0 200
0 CLI - Rd start
0 Debug - "Acceptor is epoll"
0 CLI - Wr 0 200
0 WorkThread - 0x440a4ce0 start
0 WorkThread - 0x448a5ce0 start
0 WorkThread - 0x450a6ce0 start
0 WorkThread - 0x458a7ce0 start
0 WorkThread - 0x460a8ce0 start
0 WorkThread - 0x468a9ce0 start
0 WorkThread - 0x470aace0 start
0 WorkThread - 0x478abce0 start
0 WorkThread - 0x480acce0 start
9 SessionOpen c 91.163.168.48 49275 87.98.137.117:80
9 SessionClose c pipe
9 ReqStart c 91.163.168.48 49275 667915017
9 RxRequest c POST
9 RxURL c /recherche.php
9 RxProtocol c HTTP/1.1
9 RxHeader c Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/x-ms-application,
application/vnd.ms-xpsdocument, applica
tion/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
9 RxHeader c Referer: http://www.your-immo.fr/recherche.php
9 RxHeader c Accept-Language: fr
9 RxHeader c Content-Type: application/x-www-form-urlencoded
9 RxHeader c UA-CPU: x86
9 RxHeader c Accept-Encoding: gzip, deflate
9 RxHeader c User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;
Windows NT 6.0; GTB6.3; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1; SV1) ; S
LCC1; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.5.30729; .NET CLR
3.0.30618; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)
9 RxHeader c Host: www.your-immo.fr
9 RxHeader c Content-Length: 240
9 RxHeader c Connection: Keep-Alive
9 RxHeader c Cache-Control: no-cache
9 RxHeader c Cookie: PHPSESSID=9d73c9bbf8944a710f3d954a2e16c838;
DYNSRV=s0;
__utma=235703049.2110649494.1264791338.1264791338.1264791338.1; __u
tmb=235703049.6.10.1264791338; __utmc=235703049;
__utmz=235703049.1264791338.1.1.utmcsr=google|utmccn=generique|utmcmd=cpc|ut
9 VCL_call c recv
9 VCL_return c pipe
9 VCL_call c pipe
9 VCL_return c pipe
10 BackendOpen b ha_proxy 127.0.0.1 35741 127.0.0.1 80
9 Backend c 10 ha_proxy ha_proxy
10 TxRequest b POST
10 TxURL b /recherche.php
10 TxProtocol b HTTP/1.1
10 TxHeader b Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/x-ms-application,
application/vnd.ms-xpsdocument, applica
tion/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
10 TxHeader b Referer: http://www.your-immo.fr/recherche.php
More information about the varnish-misc
mailing list