My Apache, with ModSecurity and mod_evasive20 enabled, crashes occasionally:
Here is a glimpse of the error log:
[core:warn]**: child process 24709 still did not exit, sending a SIGTERM
[core:error]**: child process 24709 still did not exit, sending a SIGKILL
[mpm_event:notice] **: caught SIGTERM, shutting down
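The last time Apache crashed, Google Analytics was reporting more than 2K real-time views. I found that too many child processes can also be the result of an attack such as a DDoS. But I want to determine whether this really is an attack or a configuration flaw.
Please help.
Machine: Ubuntu 18.04, 16 GB RAM, 8-core CPU, 180GB SSD
MPM event configuration: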
<IfModule mpm_event_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 150
ThreadLimit 250
ThreadsPerChild 250
MaxRequestWorkers 6250
ServerLimit 25
MaxConnectionsPerChild 0
</IfModule>
Detailed error log:
[Thu Mar 19 06:25:02.506142 2020] [mpm_event:notice] [pid 1460:tid 139655311739840] AH00489: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g Apache configured -- resuming normal operations
[Thu Mar 19 06:25:02.506172 2020] [core:notice] [pid 1460:tid 139655311739840] AH00094: Command line: '/usr/sbin/apache2'
[Thu Mar 19 09:15:42.817591 2020] [core:warn] [pid 1460:tid 139655311739840] AH00045: child process 24709 still did not exit, sending a SIGTERM
[Thu Mar 19 09:15:44.819958 2020] [core:warn] [pid 1460:tid 139655311739840] AH00045: child process 24709 still did not exit, sending a SIGTERM
[Thu Mar 19 09:15:46.822259 2020] [core:warn] [pid 1460:tid 139655311739840] AH00045: child process 24709 still did not exit, sending a SIGTERM
[Thu Mar 19 09:15:48.824514 2020] [core:error] [pid 1460:tid 139655311739840] AH00046: child process 24709 still did not exit, sending a SIGKILL
[Thu Mar 19 09:15:49.826497 2020] [mpm_event:notice] [pid 1460:tid 139655311739840] AH00491: caught SIGTERM, shutting down
[Thu Mar 19 09:15:49.962067 2020] [:notice] [pid 29976:tid 140194146679744] ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/) configured.
[Thu Mar 19 09:15:49.962131 2020] [:notice] [pid 29976:tid 140194146679744] ModSecurity: APR compiled version="1.6.2"; loaded version="1.6.3"
[Thu Mar 19 09:15:49.962136 2020] [:warn] [pid 29976:tid 140194146679744] ModSecurity: Loaded APR do not match with compiled!
[Thu Mar 19 09:15:49.962140 2020] [:notice] [pid 29976:tid 140194146679744] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
[Thu Mar 19 09:15:49.962144 2020] [:notice] [pid 29976:tid 140194146679744] ModSecurity: LUA compiled version="Lua 5.1"
[Thu Mar 19 09:15:49.962147 2020] [:notice] [pid 29976:tid 140194146679744] ModSecurity: YAJL compiled version="2.1.0"
[Thu Mar 19 09:15:49.962150 2020] [:notice] [pid 29976:tid 140194146679744] ModSecurity: LIBXML compiled version="2.9.4"
[Thu Mar 19 09:15:49.962154 2020] [:notice] [pid 29976:tid 140194146679744] ModSecurity: Original server signature: Apache/2.4.29 (Ubuntu)
[Thu Mar 19 09:15:49.962157 2020] [:notice] [pid 29976:tid 140194146679744] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
[Thu Mar 19 09:15:50.025004 2020] [mpm_event:notice] [pid 29986:tid 140194146679744] AH00489: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g Apache configured -- resuming normal operations
[Thu Mar 19 09:15:50.025066 2020] [core:notice] [pid 29986:tid 140194146679744] AH00094: Command line: '/usr/sbin/apache2'
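If any other information is needed, please mention it. Thanks.
Answer 1
Many factors can cause Apache to restart or shut down. To dig deeper, you can run these commands and then follow the clues.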
cat /var/log/messages | grep apache
cat /var/log/syslog | grep apache
cat /var/log/messages | grep kill
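If you have multiple sites running (sites-available) and they have their own error logs, it is also wise to check each site's error log to help narrow down the problem. This is necessary because Apache may restart gracefully, and on restart a site configuration may cause a fatal error that does not show up in the system log.
If it is not already on, make sure error logging is turned on for all sites.
Also, although it is obvious, make sure you are up to date. Plugin version problems often cause Apache to crash or fail to restart.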
sudo apt-get update && sudo apt-get upgrade -y
Always check the global and site configuration with this command. Especially 000-default.conf, apache2.conf and ports.conf.
sudo apachectl configtest
Make sure this command does not return an error either.
apache2ctl restart
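If you have the patience and the ability, you can also try disabling one mod at a time. Start with mod_fastcgi, rewrite and any SSL-related mods, as they are common culprits.
SIGTERM is used to restart Apache; if you have no solution so far, it is worth reading up on (assuming it is set to restart automatically in init): http://httpd.apache.org/docs/2.2/stopping.html
As a last resort, a fresh install of Apache and PHP may solve the problem. If you can, I strongly recommend using docker / docker-compose to run the stack. It makes the process of keeping apache, PHP and the database updated very easy.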
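The shutdown sequence in the question's error log can be read mechanically. The script below is an added example, not part of the original question or answer: it parses the error-log lines quoted in the question, counts SIGTERM retries per child, lists children that needed SIGKILL, and measures the gap between the parent's shutdown (AH00491) and the next start (AH00489). The function names and the layout of the returned dict are assumptions of this example.

```python
import re
from datetime import datetime

# Error-log lines copied from the question above (not constructed).
SAMPLE = """\
[Thu Mar 19 09:15:42.817591 2020] [core:warn] [pid 1460:tid 139655311739840] AH00045: child process 24709 still did not exit, sending a SIGTERM
[Thu Mar 19 09:15:44.819958 2020] [core:warn] [pid 1460:tid 139655311739840] AH00045: child process 24709 still did not exit, sending a SIGTERM
[Thu Mar 19 09:15:46.822259 2020] [core:warn] [pid 1460:tid 139655311739840] AH00045: child process 24709 still did not exit, sending a SIGTERM
[Thu Mar 19 09:15:48.824514 2020] [core:error] [pid 1460:tid 139655311739840] AH00046: child process 24709 still did not exit, sending a SIGKILL
[Thu Mar 19 09:15:49.826497 2020] [mpm_event:notice] [pid 1460:tid 139655311739840] AH00491: caught SIGTERM, shutting down
[Thu Mar 19 09:15:50.025004 2020] [mpm_event:notice] [pid 29986:tid 140194146679744] AH00489: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g Apache configured -- resuming normal operations
"""

LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r"(?P<code>AH\d{5}): (?P<msg>.*)$")
CHILD = re.compile(r"child process (\d+)")

def parse(text):
    """Yield (timestamp, logging pid, AH code, message); lines without an AH code are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            yield ts, int(m["pid"]), m["code"], m["msg"]

def summarize(text):
    """Return one dict per parent shutdown (AH00491) with the events around it."""
    incidents, retries, killed, open_inc = [], {}, [], None
    for ts, pid, code, msg in parse(text):
        child = CHILD.search(msg)
        if code == "AH00045" and child:        # child still running, SIGTERM sent again
            retries[child[1]] = retries.get(child[1], 0) + 1
        elif code == "AH00046" and child:      # child had to be SIGKILLed
            killed.append(child[1])
        elif code == "AH00491":                # parent caught SIGTERM and is exiting
            open_inc = {"parent_pid": pid, "shutdown": ts,
                        "sigterm_retries": retries, "sigkilled": killed,
                        "new_parent_pid": None, "downtime_s": None}
            incidents.append(open_inc)
            retries, killed = {}, []
        elif code == "AH00489" and open_inc:   # first start after that shutdown
            open_inc["new_parent_pid"] = pid
            open_inc["downtime_s"] = round((ts - open_inc["shutdown"]).total_seconds(), 3)
            open_inc = None
    return incidents

if __name__ == "__main__":
    for inc in summarize(SAMPLE):
        print(inc)
```

Run against the full error log, the shutdown timestamps it returns give the exact minutes to look up in the access logs and in the syslog output of the grep commands above.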