Comments on: FreeBSD: Apache httpready filter – Failed to enable the 'httpready' Accept Filter

By: ben

ben — Wed, 17 Nov 2010 02:27:29 +0000

It’s a little bit of confused after study FreeBSD installation of Apache. Can you help me to figure out what should I do?

After install the port of apache22, I noticed the auto-generated file /usr/local/etc/apache22/Includes/no-accf.conf including the following directive:

AcceptFilter http none
AcceptFilter https none

and I also find the description in Apache official site, http://httpd.apache.org/docs/2.2/mod/core.html:
The default values on FreeBSD are:
AcceptFilter http httpready
AcceptFilter https dataready

There is no warning or error in http_error_log after I follow your instruction to load accf_http driver, but I am wondering if I should delete no-accf.conf file, and add the above directives for apache 2.2.17 , since I’ve already load the driver into FreeBSD? Or do nothing? ( I’ve tried both, but doesn’t find any difference)

Also, I’ve noticed a lot of simultaneous message logs like following generated by a very close & legal visit to the server. Is it related to the accept filter driver?

kernel: TCP: [visitor's ip]:37229 to [server's ip]:80 tcpflags 0×4; syncache_chkrst: Spurious RST without matching syncache entry (possibly syncookie only), segment ignored

or a lot of three way shaking failed messages( if from very far location to visit the server) , e.g.
_syncache_add: Received duplicate SYN, resetting timer and retransmitting SYN|ACK
syncache_timer: Response timeout, retransmitting (1) SYN|ACK
syncache_timer: Response timeout, retransmitting (1) SYN|ACK

ps. I set ipfw limit 50 simultaneous connections for the same IP to visit the site to prevent DoS attack.

By: Ben

Ben — Thu, 21 Oct 2010 18:19:43 +0000

I come back to say “Thank you”. When I was very frustrated … I took a shower…and come back to my PC to fight again…I get it WORKS!!

This is another typo error, while I checked the error log, it said hostname nor servname provided, or not known: ….HAHA… and the hostname in the error log is not the one I put in /etc/hosts file ( just a private dummy hostname)

It took me so long to get it works… thank you again!! ( Today is my first day to try FreeBSD, wonderful experience!! especially, I send command : portmaster -a, it took so long to upgrade all ports. )

By: Vivek Gite

Vivek Gite — Thu, 21 Oct 2010 17:21:01 +0000

Check your Apache error log and access log files.

By: Ben

Ben — Thu, 21 Oct 2010 16:47:33 +0000

Thanks a lot … sorry for my typo error. Now I got the message “kldload: can’t load accf_http: File exists”, I think the system has loaded the module already.

but the httpd still not running… haha…and I cannot figure out why….

I have tried portsnap fetch extract to update /usr/ports to the most update…and install apache22.17 , but it still doesn’t function….

Because I am in a vbox machine to test FreeBSD ? There is no full-qualified hostname….but why ? I’ve studies the handbook again and again….haha…don’t know why, I just cannot start apache22

By: Vivek Gite

Vivek Gite — Thu, 21 Oct 2010 08:52:52 +0000

It is

kldload

and not the

kidload

You got a typo in your command.

By: Ben

Ben — Thu, 21 Oct 2010 08:45:16 +0000

It doesn’t work, and I got kidload: Command not found
(FreeBSD 8.1 amd64 and Apache 2.2.15_9 )

By: pascal

pascal — Fri, 21 May 2010 18:53:02 +0000

this works for me (FreeBSD 8.0 i386 and Apache 2.2.15). Thanks

By: hexabit

hexabit — Fri, 07 May 2010 07:13:20 +0000

In fact this solution does not help in my case (FreeBsd 7.2 amd64) so I recompiled the kernel with both modules (accf_http and accf_data) filters hoping it will help… unfortunately this didn’t help either – but strangely apache seems to work without problems… but message “[warn] (2)No such file or directory: Failed to enable the ‘httpready’ Accept Filter” is still present in the logs…

By: motivez

motivez — Sun, 31 Jan 2010 21:46:23 +0000

I have done the above, but whenever I get a graceful restart request during log rollovers, I am still getting the error.. additionally, my Apache is segfaulting after every graceful restart.

Any suggestions?

By: Vivek Gite

Vivek Gite — Thu, 25 Jun 2009 15:42:35 +0000

Noop, there is not such thing for Linux. Set your apache timeout to 30, use iptables to limit connection per IP, there is also unoffical patch that changes Timeout on fly.

By: Florin Grosu

Florin Grosu — Thu, 25 Jun 2009 14:19:38 +0000

Is there any other linux distro with this option? Or a “accf_http like” way for red hat, or ubuntu? I’m asking this question, having in mind the slowloris attack.