Comments on: Bad Behavior 2.0.35

By: chawl

chawl — Thu, 25 Feb 2010 12:04:13 +0000

Yes, but we are using many RewriteMaps each is several MBs in size. Then Apache should be hit first, or at least is transparently reached ‘including’ static files. and Varnish is good at for 301′s also.

By the way, we set up mod_rpaf and this solved every bit of issues. No need to hack something anymore.

Tx for your assistance and such a useful piece of code.

By: Gordon

Gordon — Fri, 19 Feb 2010 02:03:28 +0000

chawl, sounds like you’ve got the static-offloading proxy idea backwards. The idea is to have lighttpd or nginx in front, serving all static requests, and proxying dynamic requests to Apache.

By: chawl

chawl — Sun, 24 Jan 2010 19:05:50 +0000

In short,
1. We have many MBs of RewriteMaps which needs Apache.
2. FCGI has shared memory problems with opcode cachers, causes some conf problems for our server setup, and slightly slower, therefore mod_php is more feasable.
3. mod_proxy+lighttpd offloading of static files has no real benefit in terms of memory, as an httpd is dedicated even for a proxy request.
4. It is impossible to use KeepAlives with our loads
5. We are mostly using Drupal and 7.x will introduce ESI technology for complex dynamic caching mechanisms.
6. Redirecting static content to other subdomains/ports of nginx,lighty etc. is an overkill especially when using complex CMS structures, and for a single server, this is again Apache offloading, not caching.
7. We have not much money for insane servers or have no labour to tweak every bit all day long.
8. Varnished response times are incredibly low in our test case, our Core i7 seems to contribute to speed at last. At least not sitting ducks for some sockets to be available as in our previous “offloading” test setup. Varnish seems more kernel level, though I am not an expert.

I know it is not geeky enough, but varnishing helps in our case, as we have a rather rough and dull underlayer and need practical solutions.

Sure there will be people or hosts using reverse proxies in the future, therefore making BB more compatible with these will be beneficial I think.

Thank you for your efforts

By: Michael Hampton

Michael Hampton — Sun, 24 Jan 2010 17:47:36 +0000

Well, you never said why you needed varnish, so I won’t try to give you any advice. But it doesn’t sound like you need it.

By: chawl

chawl — Sun, 24 Jan 2010 10:03:23 +0000

In fact, I am varnishing Apache (mod_php) for a 350MB httpd process not to serve a 25 byte gif but to do something useful instead.

I also hacked all match_cidr() calling inc.s (not the main func) to use X-Forwarded-For if defined. Nasty but more than enough for now. I am protecting Drupal by the way.

Tx for your fast consideration

By: Michael Hampton

Michael Hampton — Sun, 24 Jan 2010 08:08:31 +0000

If you’re running a reverse proxy on the same host as the origin server, you’re probably doing it wrong. In this case, use something like nginx as the origin server and just pass PHP to fastcgi or php-fpm. Using varnish or squid in this case is completely unnecessary.

I will do some work in the current development cycle for better support of installations which need a reverse proxy.

By: chawl

chawl — Sun, 24 Jan 2010 06:49:12 +0000

match_cidr() function should really consider X-Forwarded-For for reverse proxies like Varnish, Squid etc. BB always gives 403 to Googlebot, MSNBot as they seem to come from localhost.

I know there is a whitelist to allow localhost, but unfortunately this will abandon all IP checks, if a reverse proxy is present.

Am I missing something?

By: Bad Behavior / Bad Behaviour: Bad Behavior 2.1.1 and 2.0.36 Security Release

Bad Behavior / Bad Behaviour: Bad Behavior 2.1.1 and 2.0.36 Security Release — Mon, 21 Dec 2009 13:43:02 +0000

[...] New in this release (since 2.1.0 and 2.0.35): [...]