GRSEC and Varnish

Bernardf FRIT bernard at frit.net
Fri Feb 5 12:01:00 CET 2010


Tollef Fog Heen wrote:
> ]] Bernardf FRIT 
>
> | Then the parent varnishd process starts immediately a new child process 
> | which lasts some time.
> | 
> | Is there any way to fix this. Remove the GRSEC kernel ? Upgrade the 
> | kernel ? Varnish ? or whatever ?
>
> Work out why it thinks that varnishd is doing something wrong?  It
> doesn't seem to say so in the log.
>   
Seems a bit complicated to add monitoring features on a running GRSEC
kernel. Need to install all kernel files then configure and recompile
the kernel. I will do it if we need it. The only extra feature I found
relevant is CONFIG_GRKERNSEC_RESLOG which stands for "Denied resource
logging".

I have monitored the following segfault with varnishlog:

Jan 29 19:59:07 XXXXXXX varnishd[13812]: segfault at 1000 ip 000000000043abf0 sp 0000000046332ae0 error 4 in varnishd[400000+50000]
Jan 29 19:59:07 XXXXXXX grsec: From 91.163.168.48: signal 11 sent to /usr/sbin/varnishd[varnishd:13812] uid/euid:65534/65534 gid/egid:65534/65534, parent /usr/sbin/varnishd[varnishd:28927] uid/euid:0/0 gid/egid:0/0

I hope that could help to figure out what happened.

    0 CLI          - Rd ping
    0 CLI          - Wr 0 200 PONG 1264791539 1.0
    0 CLI          - Rd ping
    0 CLI          - Wr 0 200 PONG 1264791542 1.0

    9 SessionOpen  c 91.163.168.48 49273 87.98.137.117:80
    9 ReqStart     c 91.163.168.48 49273 879416771
    9 RxRequest    c GET
    9 RxURL        c /a_liste_ville_cp.php?q=59
    9 RxProtocol   c HTTP/1.1
    9 RxHeader     c x-requested-with: XMLHttpRequest
    9 RxHeader     c Accept-Language: fr
    9 RxHeader     c Referer: http://www.your-immo.fr/recherche.php
    9 RxHeader     c Accept: */*
    9 RxHeader     c UA-CPU: x86
    9 RxHeader     c Accept-Encoding: gzip, deflate
    9 RxHeader     c User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6.3; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.5.30729; .NET CLR 3.0.30618; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)
    9 RxHeader     c Host: www.your-immo.fr
    9 RxHeader     c Connection: Keep-Alive
    9 RxHeader     c Cookie: PHPSESSID=9d73c9bbf8944a710f3d954a2e16c838; DYNSRV=s0; __utma=235703049.2110649494.1264791338.1264791338.1264791338.1; __utmb=235703049.6.10.1264791338; __utmc=235703049; __utmz=235703049.1264791338.1.1.utmcsr=google|utmccn=generique|utmcmd=cpc|ut
    9 VCL_call     c recv
    9 VCL_return   c lookup
    9 VCL_call     c hash
    9 VCL_return   c hash
    9 VCL_call     c miss
    9 VCL_return   c fetch
   10 BackendOpen  b ha_proxy 127.0.0.1 35735 127.0.0.1 80
    9 Backend      c 10 ha_proxy ha_proxy
   10 TxRequest    b GET
   10 TxURL        b /a_liste_ville_cp.php?q=59
   10 TxProtocol   b HTTP/1.1
   10 TxHeader     b x-requested-with: XMLHttpRequest
   10 TxHeader     b Accept-Language: fr
   10 TxHeader     b Referer: http://www.your-immo.fr/recherche.php
   10 TxHeader     b Accept: */*
   10 TxHeader     b UA-CPU: x86
   10 TxHeader     b User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6.3; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.5.30729; .NET CLR 3.0.30618; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)
   10 TxHeader     b Host: www.your-immo.fr
   10 TxHeader     b Cookie: PHPSESSID=9d73c9bbf8944a710f3d954a2e16c838; DYNSRV=s0; __utma=235703049.2110649494.1264791338.1264791338.1264791338.1; __utmb=235703049.6.10.1264791338; __utmc=235703049; __utmz=235703049.1264791338.1.1.utmcsr=google|utmccn=generique|utmcmd=cpc|ut
   10 TxHeader     b X-Forwarded-For: 91.163.168.48
   10 TxHeader     b Accept-Encoding: gzip
   10 TxHeader     b X-Varnish: 879416771
   10 TxHeader     b X-Forwarded-For: 91.163.168.48
   10 RxProtocol   b HTTP/1.1
   10 RxStatus     b 200
   10 RxResponse   b OK
   10 RxHeader     b Date: Fri, 29 Jan 2010 19:05:12 GMT
   10 RxHeader     b Server: Apache
   10 RxHeader     b X-Powered-By: PHP/5.2.5-pl1-gentoo
   10 RxHeader     b Expires: Thu, 19 Nov 1981 08:52:00 GMT
   10 RxHeader     b Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
   10 RxHeader     b Pragma: no-cache
   10 RxHeader     b Connection: close
   10 RxHeader     b Transfer-Encoding: chunked
   10 RxHeader     b Content-Type: text/html
    9 ObjProtocol  c HTTP/1.1
    9 ObjStatus    c 200
    9 ObjResponse  c OK
    9 ObjHeader    c Date: Fri, 29 Jan 2010 19:05:12 GMT
    9 ObjHeader    c Server: Apache
    9 ObjHeader    c X-Powered-By: PHP/5.2.5-pl1-gentoo
    9 ObjHeader    c Expires: Thu, 19 Nov 1981 08:52:00 GMT
    9 ObjHeader    c Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    9 ObjHeader    c Pragma: no-cache
    9 ObjHeader    c Content-Type: text/html
   10 BackendClose b ha_proxy
    9 TTL          c 879416771 RFC 0 1264791545 1264791912 375007920 0 0
    9 VCL_call     c fetch
    9 TTL          c 879416771 VCL 0 1264791545
    9 VCL_return   c pass
    9 Length       c 12193
    9 VCL_call     c deliver
    9 VCL_return   c deliver
    9 TxProtocol   c HTTP/1.1
    9 TxStatus     c 200
    9 TxResponse   c OK
    9 TxHeader     c Expires: Thu, 19 Nov 1981 08:52:00 GMT
    9 TxHeader     c Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    9 TxHeader     c Pragma: no-cache
    9 TxHeader     c Content-Type: text/html
    9 TxHeader     c Content-Length: 12193
    9 TxHeader     c X-Cacheable: NO:Not-Cacheable
    9 TxHeader     c Date: Fri, 29 Jan 2010 18:59:05 GMT
    9 TxHeader     c X-Varnish: 879416771
    9 TxHeader     c Age: 0
    9 TxHeader     c Via: 1.1 varnish
    9 TxHeader     c Connection: keep-alive
    9 TxHeader     c X-Served-By: Server 203
    9 TxHeader     c X-Cache: MISS
    9 TxHeader     c Server: Apache-NSCA
    9 ReqEnd       c 879416771 1264791545.113656044 1264791545.259571791 0.011645794 0.145873547 0.000042200
    0 StatAddr     - 91.163.168.48 0 173 23 129 3 9 15 49930 1202797
    0 CLI          - Rd ping
    0 CLI          - Wr 0 200 PONG 1264791545 1.0
    0 WorkThread   - 0x420a0ce0 start
    0 CLI          - Rd vcl.load boot ./vcl.1P9zoqAU.so
    0 CLI          - Wr 0 200 Loaded "./vcl.1P9zoqAU.so" as "boot"
    0 CLI          - Rd vcl.use boot
    0 CLI          - Wr 0 200
    0 CLI          - Rd start
    0 Debug        - "Acceptor is epoll"
    0 CLI          - Wr 0 200
    0 WorkThread   - 0x440a4ce0 start
    0 WorkThread   - 0x448a5ce0 start
    0 WorkThread   - 0x450a6ce0 start
    0 WorkThread   - 0x458a7ce0 start
    0 WorkThread   - 0x460a8ce0 start
    0 WorkThread   - 0x468a9ce0 start
    0 WorkThread   - 0x470aace0 start
    0 WorkThread   - 0x478abce0 start
    0 WorkThread   - 0x480acce0 start
    9 SessionOpen  c 91.163.168.48 49275 87.98.137.117:80
    9 SessionClose c pipe
    9 ReqStart     c 91.163.168.48 49275 667915017
    9 RxRequest    c POST
    9 RxURL        c /recherche.php
    9 RxProtocol   c HTTP/1.1
    9 RxHeader     c Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint,
    9 RxHeader     c Referer: http://www.your-immo.fr/recherche.php
    9 RxHeader     c Accept-Language: fr
    9 RxHeader     c Content-Type: application/x-www-form-urlencoded
    9 RxHeader     c UA-CPU: x86
    9 RxHeader     c Accept-Encoding: gzip, deflate
    9 RxHeader     c User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6.3; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.5.30729; .NET CLR 3.0.30618; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)
    9 RxHeader     c Host: www.your-immo.fr
    9 RxHeader     c Content-Length: 240
    9 RxHeader     c Connection: Keep-Alive
    9 RxHeader     c Cache-Control: no-cache
    9 RxHeader     c Cookie: PHPSESSID=9d73c9bbf8944a710f3d954a2e16c838; DYNSRV=s0; __utma=235703049.2110649494.1264791338.1264791338.1264791338.1; __utmb=235703049.6.10.1264791338; __utmc=235703049; __utmz=235703049.1264791338.1.1.utmcsr=google|utmccn=generique|utmcmd=cpc|ut
    9 VCL_call     c recv
    9 VCL_return   c pipe
    9 VCL_call     c pipe
    9 VCL_return   c pipe
   10 BackendOpen  b ha_proxy 127.0.0.1 35741 127.0.0.1 80
    9 Backend      c 10 ha_proxy ha_proxy
   10 TxRequest    b POST
   10 TxURL        b /recherche.php
   10 TxProtocol   b HTTP/1.1
   10 TxHeader     b Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint,
   10 TxHeader     b Referer: http://www.your-immo.fr/recherche.php
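
Added example, not part of the original message or of Varnish/grsecurity: a small triage script that decodes the kernel segfault line quoted above (x86 page-fault error bits, offset of the faulting instruction inside the varnishd mapping) and pairs it with the grsec signal line by PID. The regexes, function names and the near-NULL threshold are assumptions made for this illustration; the sample lines are the two syslog lines from the message with their line wraps rejoined.

```python
import re

# Constructed sample: the two syslog lines from the message, wraps rejoined.
SAMPLE = [
    "Jan 29 19:59:07 XXXXXXX varnishd[13812]: segfault at 1000 ip "
    "000000000043abf0 sp 0000000046332ae0 error 4 in varnishd[400000+50000]",
    "Jan 29 19:59:07 XXXXXXX grsec: From 91.163.168.48: signal 11 sent to "
    "/usr/sbin/varnishd[varnishd:13812] uid/euid:65534/65534 "
    "gid/egid:65534/65534, parent /usr/sbin/varnishd[varnishd:28927] "
    "uid/euid:0/0 gid/egid:0/0",
]

SEGV = re.compile(
    r"\S+\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) "
    r"sp [0-9a-f]+ error (?P<err>[0-9a-f]+)"
    r"(?: in [^\[]+\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")
GRSEC = re.compile(
    r"grsec: From (?P<src>\S+): signal (?P<sig>\d+) sent to \S+\[\w+:(?P<pid>\d+)\] "
    r"uid/euid:\d+/(?P<euid>\d+).*?parent \S+\[\w+:(?P<ppid>\d+)\]")

def decode_segfault(line):
    """Decode one kernel 'segfault at ...' line; all numbers in it are hex."""
    m = SEGV.search(line)
    if not m:
        return None
    err, addr, ip = (int(m[k], 16) for k in ("err", "addr", "ip"))
    out = {
        "pid": int(m["pid"]), "fault_addr": addr, "ip": ip,
        # x86 page-fault error code: bit0 present, bit1 write, bit2 user, bit4 fetch
        "access": "exec" if err & 16 else "write" if err & 2 else "read",
        "cause": "protection violation" if err & 1 else "page not present",
        "mode": "user" if err & 4 else "kernel",
        "near_null": addr < 0x10000,  # heuristic threshold (assumption)
    }
    if m["base"]:
        out["offset_in_mapping"] = ip - int(m["base"], 16)
    return out

def correlate(lines):
    """Attach grsec signal details to the segfault record with the same PID."""
    seen, merged = {}, []
    for line in lines:
        d = decode_segfault(line)
        if d:
            seen[d["pid"]] = d
        elif (g := GRSEC.search(line)) and int(g["pid"]) in seen:
            merged.append({**seen[int(g["pid"])], "signal": int(g["sig"]),
                           "src": g["src"], "euid": int(g["euid"]),
                           "ppid": int(g["ppid"])})
    return merged
```

With a matching unstripped varnishd binary, `addr2line -e` resolves the `ip` value directly for a non-PIE executable mapped at its link address, or the `offset_in_mapping` value for a PIE build.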







