Press "Enter" to skip to content

nuxx.net Posts

Timeouts with PHP as FastCGI, phpBB + reCAPTCHA + DNSBL, Apache 2.2, mod_fcgi, and FastCgiExternalServer

Published April 16, 2012

Sunday evening after migrating the MMBA Forum to a new webserver I received email from a user claiming that they were unable to sign up for the forum, receiving an 500 Internal Server Error some time after clicking submit. The problem ended up being the signup page taking longer than expected to run and timing out and was resolved by increasing the timeout by adding -idle-timeout 60 to the FastCgiExternalServer line in the vhost’s config.

More specifically, I’d just moved from an older server running lighttpd to a new one using the venerable Apache HTTP Server v2.2. Both setups had per-vhost FastCGI setups pointing to PHP instances running as the user who owned the vhost, which helps ensure that compromised PHP apps affect only files/sites owned by that the user.

For example, lighttpd would be set up something like this:

fastcgi.server = ( ".php" =>
  ( "socket" => "/var/run/php-fastcgi/username/username-php-fastcgi.sock",
    "check-local" => "disable",
    "broken-scriptfilename" => "enable"
  )
)

Apache uses something like this:

FastCgiExternalServer /var/run/php-fastcgi/vhosts/example.com -socket /var/run/php-fastcgi/users/username/username-php-fastcgi.sock
AddHandler php-fastcgi .php
Action php-fastcgi /php-fastcgi
Alias /php-fastcgi /var/run/php-fastcgi/vhosts/example.com

During the forum signup, to help cut down on the number of spammy accounts created, there are both reCAPTCHA and DNS Blacklist checks that occur before the account creation actually happens. These were taking longer than the default 30 second timeout, causing the FastCGI interface to time out and close the connection, resulting in log entries such as this:

[Sun Apr 15 20:00:09 2012] [error] [client 192.168.0.2] FastCGI: comm with server "/var/run/php-fastcgi/vhosts/mmba.org" aborted: idle timeout (30 sec)

This led me to increase the FastCgiExternalServer timeout in mod_fastcgi by adding -idle-timeout 60, doubling it from its default, as follows:

FastCgiExternalServer /var/run/php-fastcgi/vhosts/example.com -socket /var/run/php-fastcgi/users/username/username-php-fastcgi.sock -idle-timeout 60
AddHandler php-fastcgi .php
Action php-fastcgi /php-fastcgi
Alias /php-fastcgi /var/run/php-fastcgi/vhosts/example.com

The problem then went away.

I’m not exactly sure why this cropped up with the move to Apache, but I suspect that on lighttpd there was a considerably longer default timeout. This can be set in the lighttpd config by setting idle-timeout, but I wasn’t able to easily figure out what the default is. It’s possible I’ll have to further tune this further in the future, but at least I now know why the problem was occurring.

Yes, I know this isn’t a perfect solution, but it’s been proven to work when sites are compromised by automatic tools that attempt to change/delete all they can. In each case that I’ve experienced the damage has typically been limited to content in that user’s home directory. This would not be good mitigation against something which attempted privilege escalation once on the box, went after the httpd itself, etc.

1 Comment

Blanding’s Turtle Rescue

Published April 14, 2012

While out riding at Stony Creek today, just before finishing up a segment of single track, I came around a corner and almost hit a turtle. It was walking along the middle of some grooved, dry, sunny sandy single track, and liable to get run over. When I passed it quickly pulled its head and legs in, so after quickly stopping I was able to easily moved it off the trail, but not before taking this picture of it. On my next pass through the turtle was nowhere to be seen, so hopefully it has made its way back to a more suitable piece of land.

It turns out that this is a Blanding’s Turtle, a Michigan Protected Species. According to MSU it is categorized as S3, or “rare or uncommon in state (on the order of 21 to 100 occurrences)”.

Leave a Comment

Large Bottle of ProLink

Published April 12, 2012

I really like ProGold’s ProLink chain lube, and I’ve been using it for a couple years. Since my smaller 4oz bottles were running out I picked up a large 16oz one and refilled the others. With the large 16oz bottle costing around $19 on Amazon I was able to refill the smaller bottles for half the price of buying new ones. This worked out pretty well, and pouring from the soda bottle-sized neck into the small squeeze bottle necks was easier than planned.

The only odd / amusing thing is that the 16oz bottle comes with a spray head. As I normally lubricate my chain one drop at a time (one drop per roller) I can’t ever see the need for dumping that much chain lube on anything in one go. Maybe if I was using it to lube industrial chains… Maybe…

Leave a Comment

Arataki Manuka Honey

Published April 12, 2012

Some friends of mine (Erik and Kristi) recently took a trip to New Zealand, and they brought back some of this Arataki Manuka Honey. I’m really enjoying this stuff, as it’s a nicely thick, creamy honey with a very strong flower-y taste. It goes very well on medium-toasted English muffins.

Leave a Comment

New WickWërks Middle Rings

Published April 9, 2012

Today two new middle rings from WickWërks arrived in the mail. Earlier last week I emailed the folks over there asking about some rumored stainless steel middle rings, and while they replied saying that project is on hold, they offered me some replacement aluminum rings for $10/ea. That was a deal I couldn’t pass up, as I really like their rings and will likely have worn through my current middle ring by the end of the year.

They also mentioned a set of 22-33-44 tooth rings that are coming out soon… Those sound pretty nifty. I’d bet there’s something neat they figured out with the 11-tooth step between rings.

Leave a Comment

Scotch 2228 for Chainstay Protection

Published April 2, 2012

Up to this point I’d used an old tube cable-tied on for chainstay protection and it has worked out pretty well. Recently I’d been reading about 3M’s Scotch 2228 Rubber Mastic Tape for the same purpose, and when doing some spring cleaning on the Titus I decided to give it a go.

At $5.57/roll (1″ wide x 4′ long, found at Lowes) it wasn’t as cheap as a tube, but like the UHMW tape it’s far less than a specific commercial solution and looks much better. The tape comes on a paper-backed roll and sticks nicely to the frame like other materials, but the magic happens when the tape is laid on itself: it fuses together and becomes essentially a solid piece of rubber. This means that it cannot be removed once applied and one must get the initial installation right, but I found that peeling the tape off the backing just as it was wrapped worked nicely, tearing away the resulting strip of paper as it got too long.

After application the surface of the tape is very slightly tacky after application meaning that dust and lint readily sticks to it, but a quick wipe-down with glass cleaner removed this and seemed to seal the surface. I suspect that within a couple weeks it’ll be more similar to a rubber tube. The directions on the box recommend overwrapping it with electrical tape, but for bicycle uses I don’t think this’ll be necessary. To ensure that it was well stuck and fused I spent some time squeezing it snug against itself, and while doing this it only seemed to bind better.

The tape is to be stretched when installed, but with a base thickness of 1.65mm when half-lapped it builds up fairly quickly, ending up thicker than the wrapped tube I’d previously used. The one roll perfectly fit the chainstay, and I ended up finishing unrolling it just as I got near the end, so with a little bit of stretching it wrapped around and seated nicely. Here is another view of how it came out. There is another 3M / Scotch product, 2229 which is the same material but 3.2mm thick, but I think it’d be overkill for this application. Building up to 5-6mm of rubber (once stretched) will possibly contribute to clearance issues.

Time will tell if it holds up as nicely as cable-tied tube, but thus far I’m happy with this choice. It matches the frame nicely, is thicker than a tube, installed reasonably easily, was affordably priced, and was available locally.

2 Comments

Fallen Tornado Siren

Published April 1, 2012

While out on today’s ride I was finally able to get photos of the tornado siren on 22 Mile just east of M-53 which was knocked down after apparently being hit by a car. Per the decal inside of the Vortex Gear Drive Rotor this is made by Whelen Engineering, and after digging around a bit this appears to be part of Whelen’s Vortex series. I probably should have looked closer at the outside of the control box to see more specifically what it is.

This company was featured in an episode of How It’s Made about warning sires which can be viewed here on their site.

Seeing it laying at the side of the road for the past couple weeks it’s hard not to fantasize about picking up the siren and taking it home to play. Ignoring the illegality (and potential terrorism charges) related to this, there’s some serious practical concerns… Like, how exactly does one activate a tornado siren anywhere but the remotest parts of Michigan without attracting significant attention? After all, the literature I was finding online claims 129dB at 100 feet. Playing with this would be a bad, bad idea.

For some more photos of this fallen siren, click here. There is also a PDF listing all of Whelen’s Mass Notification products available here, and this is a series of tutorial videos showing how to use their online siren location planning software. Finally, this map lists all the warning siren locations in Macomb County. Apparently the place where Danielle and I live is technically just slightly outside of listed coverage areas.

1 Comment

Post-Barry-Roubaix Treats

Published March 24, 2012

This weekend Danielle and I traveled out to the Grand Rapids area for my first go at Barry-Roubaix. After a great race and hanging out for a while we headed to get Roxie and then back home, but not before stopping in Ann Arbor at Zingerman’s. Being just off of I-94 we were able to easily stop at both the Bakehouse and Creamery where we picked up a bunch of great baked goods and cheeses. This resulted in tonight’s outstanding snack of a sea salt bagel spread with pimento cheese spread, eaten while sipping a glass of Bell’s Hopslam. We’d also picked up some doughnuts from Zingerman’s Bakehouse; properly fried ones filled with chocolate pudding. A picture of it can be see here, and this may be the best doughnut that I have ever eaten. The filling, dough, and topping were perfect.

As far as the race goes, it was a wonderful time. I probably could have pushed myself a little harder, but during the race I felt good, and finished with a time that I’m content with: 2:21:42 / 15.2 MPH average / 66th our of 92 in my class. My max heart rate was right at the end meaning I probably could have pushed a bit harder, but with an average of 156 I think I was doing okay.

The course was through some really beautiful areas, and the rain the night prior had the dirt roads in tip-top shape. Some of the anticipated sandy bits were a bit of a slog and required dismounting and walking, and there were some serious puddles in a few sections, but it was overall quite fun. The weather was absolutely beautiful, with 60-ish temperatures and overcast skies making me perfectly comfortable in typical summer wear of shorts and a short sleeved jersey, lightweight gloves, and simple socks. A bit of misting rain found its way to us for around 20 minutes of the race, but only the slight visibility degradation was a problem.

The start/finish area was also very well set up and included both some great beer and excellent food. I had some Korean-style pork tacos (with kimchi!) and a really nice chili-pork burrito. There was also a few kegs of Founders beer on hand, with tickets reasonably priced and proceeds going to benefit the WMMBA‘s campaign to build fifty new miles of single track trails in the next five years.

This was a really great race. I’m extremely glad I went.

My Garmin Connect data from it is here, if you’re interested.

1 Comment