# httpd runs amok



## ericmurphy (May 3, 2002)

I recently noticed a somewhat unusual situation developing on my G4/500 AGP running OS X 10.4.1. It seems that after a while, I end up with several dozen copies of httpd running.  I figured the easiest way to kill them all was to turn off Apache, but whenever I see this condition, trying to access the "Sharing" preference panel (to turn off web sharing) crashes System Preferences.

Anyone have an idea as to what's going on? I'm running Wundermoosen's (www.wundermoosen.com) Little Dutch Moose, which is an Apache add-in that adds firewall entries to block Nimda and Code Red Exploits. I'm wondering if LDM has something to do with this situation...


----------



## dricci (May 3, 2002)

It could have something to do with that.. But as far as I know, HTTPD processes are spawned for each connection to the server.

If you're not having any connections from the outside world, then there is a problem. What it is, I don't know. Have you tried the httpd.log?


----------



## ericmurphy (May 3, 2002)

My machine is definitely connected to the outside world, and is serving web pages over a DSL connection. My assumption is that normally http daemons terminate after whatever request they're spawned for is served. So it looks like something is preventing the processes from terminating. Since Little Dutch Moose works in conjunction with Apache to modify firewall settings to block incoming requests from IP addresses that generate nimda-like and CodeRed-like exploits, I'm wondering if it doesn't have something to do with the situation.

I don't see anything in the Apache acess or error logs that seems untoward. Not much traffic at all, actually.


----------



## BSDimwit (May 3, 2002)

Normally, apache has a section in the config file that tells it how many servers to start and how many minimum spare servers to keep running.

look for the minservers and maxservers lines in your config file and set them appropriately.  Also, you might want to alter the startservers to a reasonable number as well.


----------



## ericmurphy (May 3, 2002)

Sounds like a good idea. But something else has occurred to me. I was looking at the access log, and there haven't been enough connections in the last WEEK to account for all the instances of httpd that are currently running. Right now there are about 30 instances of httpd running, and according to netstat there are no connections to port 80 at all.

So something must keep these http daemons from terminating. Any ideas?


----------



## ericmurphy (May 3, 2002)

Thanks, worked like a charm.

I guess the only reason I'm concerned about this is that it seems to be a new phenomenon. I never noticed more than a handful of httpd running before a few weeks ago. My webserver really is a personal webserver; it's extremely rare that there would ever be more than a literal handful of simultaneous connections. So it's a little mysterious how I could ever end up with several dozen copies of httpd running simultaneously.

The other problems I've noticed is the aforementioned crashing of the Sharing preference pane; also, Process Viewer seems to lock up if there are more than 120 or so processes running simultaneously.

Given the nature of my web server, perhaps I should limit the number of simultaneous connections to something realistic, like Maxclients 50.

I check Apache's access and error logs pretty frequently. Now that I'm running Little Dutch Moose, the logs aren't so totally clogged with errors and access entries due to nimda or CodeRed exploits as to be useless. And they don't seem to be saying anything about Apache not functioning normally.


----------



## ericmurphy (May 3, 2002)

I run fsck whenever I have to restart abnormally (kernel panic, system lockup, etc.). This doesn't happen very often; maybe once every couple of months on a system that's usually pretty stressed (twenty or more apps running simultaneously, including Photoshop and MayaPLE).

I do currently have a weird issue where if I log into my administrative account, the system kernel panics. I'm going to have to do some serious diagnostics at some point to isolate that problem, but right now I have other fish to fry...


----------



## Jadey (May 3, 2002)

I used to get some out of control httpd process as well, with tons of child processes running, with nobody connected to the machine - this seemed to make Apache crash. Whenever the web server wasn't running, I would check the processes with ps aux and see a bunch of child httpd processes, but not Apache itself. Checking the running status would say the server was off. My error logs showed nothing unusual to help me. I was also using Little Dutch Moose.

I've just recently upgraded to Apache 2.x. I haven't had this problem since upgrading, so this may fix it also for you. However, PHP doesn't work (at least for me) in Apache 2.


----------



## chenly (May 5, 2002)

...for the wonderful use of "amok."


----------



## ericmurphy (May 15, 2002)

I've been killing off excess httpd processes either from the command line using apachectl restart or from the web-sharing preference pane. But they keep coming back. I've been assuming they're either from http requests that don't terminate properly,  or that don't time out. But here's the latest twist:

I restarted apache this morning at 11:30 AM. I then make a few http requests from a web browser on my work computer. These requests show up in the access log, and I note the PID of the httpd processes that answer those requests. 

An hour later, I ssh into the machine and note that there are an additional 15 httpd processes running, all with higher PIDs than the ones I'd noted earlier. But there are no new entries in the access log! Nor are there any entries in the error log. So what created the additional httpd processes? Are we seeing evidence of spontaneous generation?


----------



## Gwailo (May 15, 2002)

> G4/500 AGP running OS X 10.4.1.


Where can I get OS 10.4 

Sorry just being a jackass...


----------

