#26
Jerry Stuckle wrote:
> The Natural Philosopher wrote:
>> Jerry Stuckle wrote:
>>> The Natural Philosopher wrote:
>>>> Jerry Stuckle wrote:
>>>>
>>>>>> You cannot, for example, have multiple instances of Apache listening on
>>>>>> port 80 of a single IP address, and I thought assigning 255 IP addresses
>>>>>> to a single web server went out with browsers that don't understand
>>>>>> HTTP/1.1 and the Host: header.
>>>>>>
>>>>>
>>>>> I didn't say anything about multiple instances on port 80, did I?
>>>>>
>>>>
>>>> Actually you can, and often do, have multiple instances of Apache
>>>> (effectively) listening on port 80..
>>>>
>>>> That's how virtual hosting and load balancing works.
>>>
>>> No. You can only have one instance of Apache running on port 80 on a
>>> single machine.
>>>
>>> Virtual hosting works because that one instance has several hosts
>>> defined. But it is still only one instance.
>>>
>>> Load balancing works because the instances of Apache are on different
>>> systems.
>>>
>>
>> Semantics.
>>
>
> No, much more than semantics. If you have multiple instances of Apache
> running on different ports, those processes can have different owners. A
> single instance of Apache only has one owner.
>
>> You can chain more listeners than one to a single port. At what point
>> that becomes 'more than one instance tied to a port' as against 'one
>> OS routine vectoring calls to multiple processes' is a moot one.
>>
>> My process list for apache shows this:-
>>
>> ps -eadf| grep apache
>> root 9310 1 0 Jul16 ? 00:00:00 /usr/sbin/apache
>> www-data 22302 9310 0 Sep16 ? 00:00:00 /usr/sbin/apache
>> www-data 22303 9310 0 Sep16 ? 00:00:00 /usr/sbin/apache
>> www-data 22304 9310 0 Sep16 ? 00:00:00 /usr/sbin/apache
>> www-data 22305 9310 0 Sep16 ? 00:00:00 /usr/sbin/apache
>> www-data 22306 9310 0 Sep16 ? 00:00:00 /usr/sbin/apache
>> www-data 22807 9310 0 Sep16 ? 00:00:00 /usr/sbin/apache
>> www-data 22892 9310 0 Sep16 ? 00:00:00 /usr/sbin/apache
>> www-data 23339 9310 0 Sep16 ? 00:00:00 /usr/sbin/apache
>> www-data 23417 9310 0 Sep17 ? 00:00:00 /usr/sbin/apache
>> www-data 23418 9310 0 Sep17 ? 00:00:00 /usr/sbin/apache
>>
>> i.e. 10 instances of apache on ONE server instance are running. Plus
>> the original spawner. This is on an IDLE web server..the spare
>> processes are there to add load capacity without the overhead of a
>> fork().
>>
>
> Sure. They are different processes.
>
>> It is perfectly possible for more than one process to bind() to the
>> same socket, provided that the socket options are set up that way. The
>> only proviso being that the processes understand each other and work
>> co-operatively. In essence it's no more complex than e.g. sharing a
>> hardware interrupt: All processes that are attached to that interrupt
>> wake up, and one of them decides 'it's mine' and takes it whilst the
>> others go back to sleep..
>>
>>
>>
>> I am fairly sure apache does this routinely as above:
>
>
> Or does the main process get the request and hand it off to the
> appropriate process? This would seem to be much lower overhead. I'm
> not sure about it.
>

Yes and no. The main process is, I think, the operating system. I.e. the ten processes register themselves as waiting for a SYN packet on port 80..the OS notes that, and when one arrives simply resumes all of them. The first one to get there accepts the connection and the rest wake up, find nothing to do and go back to sleep probably.
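The parent-plus-workers process list in the post above can be reproduced with a small pre-fork server. This is an added example, not part of the original thread and not Apache's code: the parent binds and listens once, the forked workers inherit that listening socket and each block in accept(). The function name and the use of an ephemeral loopback port instead of port 80 are assumptions made so it runs without root.

```python
import os
import signal
import socket

def prefork_demo(workers=3, connections=6):
    """Bind once in the parent, accept() in forked workers.

    Returns (parent_pid, worker_pids, pids_that_answered).
    """
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("127.0.0.1", 0))   # constructed: ephemeral port, not 80
    lsock.listen(16)
    port = lsock.getsockname()[1]

    worker_pids = []
    for _ in range(workers):
        pid = os.fork()
        if pid == 0:               # worker: inherits the listening socket
            # A server started as root would drop privileges here
            # (os.setgid / os.setuid) before handling any request.
            try:
                while True:
                    conn, _addr = lsock.accept()
                    conn.sendall(str(os.getpid()).encode())
                    conn.close()
            finally:
                os._exit(0)
        worker_pids.append(pid)

    answered = []
    try:
        for _ in range(connections):
            with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
                answered.append(int(c.recv(32)))
    finally:
        for pid in worker_pids:    # stop and reap the workers
            os.kill(pid, signal.SIGKILL)
            os.waitpid(pid, 0)
        lsock.close()
    return os.getpid(), worker_pids, answered

if __name__ == "__main__":
    parent, kids, answered = prefork_demo()
    print("parent", parent, "workers", kids, "answered by", answered)
```

The parent never calls accept(), so every reply carries a worker PID; which worker answers a given connection is up to the kernel.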

#27
dshesnicky@yahoo.com wrote:
>> You can set a sticky bit somewhere in the directory umask to enforce the
>> group ownership on new files as well..I forget how..must set it up.
>
> That's the setgid bit not the sticky bit which is different.
>
> If you do a "chmod g+s dir" it will turn that on, or put a 2 in front
> of the octal permissions "chmod 2755 dir".
>

I always got that one wrong.

So many stupid bits to remember..

#28
>>>>> You cannot, for example, have multiple instances of Apache listening on
>>>>> port 80 of a single IP address, and I thought assigning 255 IP addresses
>>>>> to a single web server went out with browsers that don't understand
>>>>> HTTP/1.1 and the Host: header.
>>>>>
>>>>
>>>> I didn't say anything about multiple instances on port 80, did I?
>>>>
>>>
>>> Actually you can, and often do, have multiple instances of Apache
>>> (effectively) listening on port 80..
>>>
>>> That's how virtual hosting and load balancing works.
>>
>> No. You can only have one instance of Apache running on port 80 on a
>> single machine.
>>
>> Virtual hosting works because that one instance has several hosts
>> defined. But it is still only one instance.
>>
>> Load balancing works because the instances of Apache are on different
>> systems.
>>
>
>Semantics.
>
>You can chain more listeners than one to a single port. At what point
>that becomes 'more than one instance tied to a port' as against 'one OS
>routine vectoring calls to multiple processes' is a moot one.

Let's see you set it up so that (a) all of the processes have different user ids, none of them root, (b) the dispatcher process(es) actually doing the listen() is(are) not running as root, (c) no use of setuid-root programs, and (d) the dispatcher is able to dispatch the requests to the process with the correct user id (based on the Host: header).

#29
>> You cannot, for example, have multiple instances of Apache listening on
>> port 80 of a single IP address, and I thought assigning 255 IP addresses
>> to a single web server went out with browsers that don't understand
>> HTTP/1.1 and the Host: header.
>>
>
>I didn't say anything about multiple instances on port 80, did I?
>
>There are 65,535 ports available - and all but the first 4096 (0-4095)
>are available to anyone who wants them. Port 80 just happens to be the
>default port for the http: protocol.

Have you ever seen an advertised (with paid advertising) URL for a non-default port? Nobody's going to take it seriously, or even type it correctly. It might be OK if you also own the one on port 80 and the only links to the other one are yours. It's also not too bad for a purely testing site, but it's not one a hosting company is actually going to be able to sell.

>>>>> It would seem, then, that I would want to give rwx permissions for the
>>>>> content files to that user alone (and myself), not do a chmod 777. Is
>>>>> that right?
>>>> Standard UNIX file permissions don't allow a file to have two owners.
>>>>
>>>> You don't normally want to give x permission to any *file* that a
>>>> web application can write on (as distinguished from *directory*,
>>>> which needs x permission). x permission is for executables and
>>>> shell scripts.
>>
>>
>>> So why not just throw the door wide open to any hacker who could upload
>>> to that file and run whatever scripts he wants? :-)
>>
>> You'd even consider allowing uploads via HTTP?
>>
>
>Sure. Protections can be established.
>
>
>--
>==================
>Remove the "x" from my email address
>Jerry Stuckle
>JDS Computer Training Corp.
>jstucklex@attglobal.net
>==================

#30
> I always got that one wrong.
>
> So many stupid bits to remember..

Agreed. It's hard if you're not constantly in flipping em. For that one remember "set group".

#31
Gordon Burditt wrote:
>>> You cannot, for example, have multiple instances of Apache listening on
>>> port 80 of a single IP address, and I thought assigning 255 IP addresses
>>> to a single web server went out with browsers that don't understand
>>> HTTP/1.1 and the Host: header.
>>>
>> I didn't say anything about multiple instances on port 80, did I?
>>
>> There are 65,535 ports available - and all but the first 4096 (0-4095)
>> are available to anyone who wants them. Port 80 just happens to be the
>> default port for the http: protocol.
>
> Have you ever seen an advertised (with paid advertising) URL for a
> non-default port? Nobody's going to take it seriously, or even
> type it correctly. It might be OK if you also own the one on port
> 80 and the only links to the other one are yours. It's also not
> too bad for a purely testing site, but it's not one a hosting company
> is actually going to be able to sell.
>

Actually, yes I have - for various reasons. For instance, my Windows VPS's use a different port for control. And I have seen it used for links from the main site, i.e. when you want to run IIS and Apache on the same (Windows) machine, as I'm doing on one site right now. It works fine, and people do link to it.

In fact, port 8080 is commonly used as a secondary http port.

So I wouldn't suggest you make blanket statements like that. While not common, it is done, and it works quite well.

>>>>>> It would seem, then, that I would want to give rwx permissions for the
>>>>>> content files to that user alone (and myself), not do a chmod 777. Is
>>>>>> that right?
>>>>> Standard UNIX file permissions don't allow a file to have two owners.
>>>>>
>>>>> You don't normally want to give x permission to any *file* that a
>>>>> web application can write on (as distinguished from *directory*,
>>>>> which needs x permission). x permission is for executables and
>>>>> shell scripts.
>>>
>>>> So why not just throw the door wide open to any hacker who could upload
>>>> to that file and run whatever scripts he wants? :-)
>>> You'd even consider allowing uploads via HTTP?
>>>
>> Sure. Protections can be established.
>>

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
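The permission points raised in this thread (setgid as the leading 2 versus sticky as the leading 1 in post #27, and the quoted advice against chmod 777 and against x permission on files a web application can write) can be checked mechanically. This is an added example, not part of the original thread; the function names, the `web_uid`/`web_gids` parameters and the sample file names are assumptions made for illustration.

```python
import os
import stat
import tempfile

def special_bits(mode):
    """Name the special bits in a mode: 4xxx setuid, 2xxx setgid, 1xxx sticky."""
    table = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"),
             (stat.S_ISVTX, "sticky"))
    return [name for bit, name in table if mode & bit]

def effective_rwx(st, uid, gids):
    """rwx bits (0-7) applied to a non-root user: owner, else group, else other."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def audit_tree(root, web_uid, web_gids):
    """Return sorted (relative path, finding) pairs for the modes warned about."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # skip symlinks; access is decided by the target
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            writable = effective_rwx(st, web_uid, web_gids) & 2
            if stat.S_ISREG(st.st_mode) and writable and st.st_mode & 0o111:
                findings.append((rel, "writable+executable"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample docroot: one file per permission pattern."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for name, mode in (("index.html", 0o644), ("run.sh", 0o755),
                       ("upload.php", 0o777)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    print(special_bits(0o2755), special_bits(0o1777))
    for row in audit_tree(build_sample_tree(), os.getuid(), os.getgroups()):
        print(row)
```

Running the audit with the file owner's uid flags `run.sh` as well, which shows why the result depends on which account the web server runs as.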