Windows/Apache Web Server

2003 Server in the Cellar (2)

Hosts File

For a while it was annoying me that whenever I entered http://brisray.com or http://www.brisray.com into the address bar of a browser on any machine on my network side of the router then I would be taken to the router configuration page. This should be at 192.168.2.1 but either of the brisray addresses would get you there.

I knew that the Windows hosts file can be used to stop lots of advertising from opening on the computer by the simple means of redirecting certain web addresses. I also read an explanation of what was causing my problem on the InstantServers (Internet Archive) site. This said that...

Certain routers do not allow a machine "behind" the router (i.e. on the local area network) to access itself, or to access any other machine "behind" the router using a domain name. The reason for this is that the domain name refers to the external IP address of the router. So, any request is routed "out" to the internet and then back "in"through the external IP of the router (which is configured to forward requests to the server machine). The router gets confused by this. The solution is to use the internal IP of the server (or 127.0.0.1 if on the server machine) when accessing the domain.

Armed with these two pieces of information I could see what the solution was. I needed to edit the hosts file on my networked PCs and on the web server itself. On Windows machines, depending on what version you're running the hosts file may be found in...

Windows 95/98/Me c:\windows\hosts
Windows NT/2000/XP Pro c:\winnt\system32\drivers\etc\hosts
Windows XP Home/Vista c:\windows\system32\drivers\etc\hosts

On a Mac the hosts file may be found in...

System Folder: Preferences
System Folder

Note that the hosts file is simply called that, it has no file extension and it is not a directory or folder.

Luckily the hosts file is a plain text file and what you need to do is add the following lines...

IP_number_of_your_server web_address_of_your_site

To be specific, the lines I added to the hosts file on my ordinary networked PCs are...

192.168.2.2 brisray.com
192.168.2.2 www.brisray.com

On the Macs the lines would be...

brisray.com A 192.168.2.2
www.brisray.com A 192.168.2.2

If you can't find a hosts file then just create one, it is just a plain text file and does not need any header information, just the lines i've used above.

When you are looking for the hosts file you may come across one called lmhosts, do not edit this file as this is for NetBios names.

The router configuration file can still be accessed by using it's own IP address as you normally would if you weren't using a web server.

If you are running multiple domains on your server then simply add them to the hosts file in the same way...

192.168.2.2 mydomain.com
192.168.2.2 myotherdomain.com

The actual site displayed is controlled by the Apache Virtual Host

There is a problem editing the Hosts file if you are using Windows Vista. What happens is that you can edit the file but, by default, you cannot save the file back to disk. There are at least two workarounds for this behaviour...

Open Start -> All Programs -> Accessories
Right click "Notepad" and select "Run as administrator"
Click "Continue" on the UAC prompt
Click File -> Open
Browse to "C:\Windows\System32\Drivers\etc"
Change the file filter drop down box from "Text Documents (*.txt)" to "All Files (*.*)"
Select "hosts" and click "Open"
Make the needed changes, save the file and close Notepad

The other solution is to

Create a new short cut pointing to: C:\Windows\System32\notepad.exe C:\Windows\System32\drivers\etc\hosts
Open the properties and click the Advanced button on the Shortcut tab and select Run As Administrator.

This second method will allow you to edit the file in place in Notepad and open the hosts file automatically.

Domain Names and IP Addresses

Knowing that I would need a name for my website I bought some from GoDaddy. I knew this because the computers use dynamic IP addresses, not static ones, so I needed a service that I could update the DNS (Domain Name Service) servers to redirect people to my computer.

When a computer is connected to the Internet it is given an IP address. This is a 32 bit address written as four decimal numbers separated by periods and uniquely identifies that computer on the Internet. Examples of IP address are 4.42.44.16 and 127.123.23.45. An ISP (Internet Service Provider) owns a block of IP addresses. When you sign onto the Internet your ISP assigns you one of the numbers from the block. When you sign back off, the number is free to be assigned to someone else. These are dynamic IP numbers. Using a dial-up modem means that these numbers change frequently and so isn't recommended for setting up a web server. DSL and other "always on" connections aren't too bad as the IP addresses only change when the computer is completely logged off.

A static IP address is one where the machine keeps the same IP number all the time. Some ISPs can arrange for you to have a static IP address. A domain name such as mine, brisray.com, is just for our convenience. The Internet doesn't use them. When you type brisray.com into the browser a message is passed to a DNS server and that resolves the domain name into the IP address of the computer that owns that name. GoDaddy has a free forwarding service, this means that when my IP address changes I let them know and this new address is sent to the DNS servers. Some sites provide small programs that do this automatically. It can take up to 72 hours for the IP address to be propagated throughout the Internet, but I usually find it's done in a couple of hours.

When you the machine that hosts brisray.com you'll find the URL in the address bar of the browser changes to the IP address of that machine. There is something called URL masking that keeps the human form of the name in the address bar. In April 2004, I changed to a Dynamic DNS server service which keeps HTP://brisray.com in the address bar.

There's a good basic tutorial on how web servers work, IP Address and the rest at How Stuff Works.

I use a number of utilities to watch Internet traffic, among these are utilities such as Sam Spade (Internet Archive) and traceroute. Although a search of Internet will show loads of traceroute utilities there is one already on your computer called tracert. Newer traceroute programs show the hops geographically, An Atlas of Cyberspace (Internet Archive) discusses many of these.

If you're running Windows 95, 98 or Me you can find your machines IP address by going to Start > Run and typing winipcnfg In Windows 2000 and XP you can open a DOS prompt and type ipconfig.

This will give you the IP address the machine has at that moment.

Windows 2000 ipconfig, ping and tracert commands

Windows 2000 ipconfig, ping and tracert commands

There are a couple of websites that give your IP address, such as whatismyip and checkip

Zone Alarm and Apache

I soon found that Zone Alarm will not let Apache 2 work properly. So I disabled Zone Alarm firewall and AVG antivirus on both machines and was truly sorry that I did.

To ensure that the machines could see each other I issued a ping command from both. This is a small program that sends small packets of information from one machine to another. The program returns the response times.

Unfortunately, what happened was that while the machines were unprotected both were infected with viruses and trojans. One of these completely destroyed the operating system and I had to reinstall it on both machines. This time I used Apache 1.3.28 which does work with Zone Alarm. The viruses I picked up were Valla.2048, Trojan.Dropper, Muma and Msmsgri32.exe but I wasn't able to see which was the most destructive.

Ensure the settings for Zone Alarm in the Firewall > Main tab are set to medium for both the Internet and Trusted Zone Security. In December 2004, I went back to Apache 2, but never could get it to work with Zone Alarm which I ended up removing from the server. Luckily, the router acts as a hardware firewall. Zone Alarm is installed on the other machines on my little network, but not on the web server.

Zone Alarm firewall settings

Zone Alarm firewall settings

Open to the World

Then, knowing the IP address of the host machine I made sure that I could view the pages myself on another machine by typing the IP address into the browser address bar.

Now I was ready to open the site up to the world. So I went to the GoDaddy site, logged in and opened the Domain Control Center page then chose Forwarding from the list, typed in the IP address of the host machine, saved the settings and about an hour later the site was open to the world.

GoDaddy Domain Control Center

GoDaddy Domain Control Center

GoDaddy Domain Name Forwarding page

GoDaddy Domain Name Forwarding page

Logs

While I was poking around in the Apache directories I found a subdirectory called logs. In there are two log files one called access.log and the other called error.log

The error.log appears to contain information that helps to track down server errors and security breaches whilst the access.log contains information about visitors to the site.

Apache error log

Error.log

The format of this file cannot be changed and shows

Date / time when the server finished the file request - day month date hour:minute:second year
Severity of fault
IP address of client computer
Error message
File path to the requested file that produced the error on the server

The format of the log file is controlled by the httpd.conf file in the Apache conf subdirectory. The default is the common format which appears below.

Apache access.log - Common format

Access.log - Common format

This shows the...

IP address of the client computer
ID of the client computer (not available in the above example)
UserID of the client computer (not available in the above example)
Date / time when the server finished the file request - day/month/year:hour:minute:second zone
Method used for the file request
File requested
Protocol used for the request
Status returned from server to client
File size returned to client (some not available in the above example)

By changing the line CustomLog logs/access.log common in httpd.conf to CustomLog logs/access.log combined the access log now looks like this ...

Apache access log - Combined format

Access.log - Combined format

The log now shows the

IP address of the client computer
ID of the client computer (not available in the above example)
UserID of the client computer (not available in the above example)
Date / time when the server finished the file request - day/month/year:hour:minute:second zone
Method used for the file request
File requested
Protocol used for the request
Status returned from server to client
File size returned to client (some not available in the above example)
File referrer - This gives the site that the client reports having been referred from
User agent - This is the identifying information that the client browser reports about itself.

Full information can be found about the log files at http://httpd.apache.org/docs/logs.html

You can create custom log files, the codes to do this can be found at http://httpd.apache.org/docs/mod/mod_log_config.html#formats

It all seems pretty straightforward but I had a look around and there are log file analyzers that can read and produce statistics on these logs. The main ones seem to be Analog (Internet Archive), AWStats and Webalizer (Internet Archive). The server files can be "rotated" - split into smaller segments - using Cronolog (Internet Archive), which is useful as the server files can reach many megabytes in length very quickly.

Note: These programs are mostly still available but some have not been updated for years. Analog, AWStats, Webalizer.

I don't look at the error logs as much as perhaps I should, but in February 2005, I had a good look through them. The server logs show periods when it appears that people are trying to run scripts or otherwise trying to break out of the web site directories.

The section of the error log below appears to be someone trying to get into the Windows directory and running cmd.exe...

[Wed Aug 20 13:17:32 2003] [error] [client 4.42.112.221] File does not exist: c:/program files/apache group/apache/htdocs/scripts/..?/winnt/system32/cmd.exe
[Wed Aug 20 13:17:45 2003] [error] [client 4.42.112.221] File does not exist: c:/program files/apache group/apache/htdocs/scripts/..?/winnt/system32/cmd.exe
[Wed Aug 20 13:17:48 2003] [error] [client 4.42.112.221] File does not exist: c:/program files/apache group/apache/htdocs/scripts/..?/winnt/system32/cmd.exe
[Wed Aug 20 13:17:59 2003] [error] [client 4.42.112.221] File does not exist: c:/program files/apache group/apache/htdocs/scripts/..%5c/winnt/system32/cmd.exe
[Wed Aug 20 13:18:02 2003] [error] [client 4.42.112.221] File does not exist: c:/program files/apache group/apache/htdocs/scripts/..%2f/winnt/system32/cmd.exe

This section of the error log below appears to be someone looking for what "goodies", like FrontPage Extensions, PHP and Perl, are loaded onto the server, and what the server itself is doing...

[Thu May 06 20:42:16 2004] [error] [client 83.146.28.254] File does not exist: c:/program files/apache group/apache/htdocs/brisusa/modules/mod_mainmenu.php
[Thu May 06 20:42:16 2004] [error] [client 83.146.28.254] File does not exist: c:/program files/apache group/apache/icons/_vti_inf.html
[Thu May 06 20:42:16 2004] [error] [client 83.146.28.254] File does not exist: c:/program files/apache group/apache/htdocs/web_store/web_store.cgi
[Thu May 06 20:42:16 2004] [error] [client 83.146.28.254] File does not exist: c:/program files/apache group/apache/htdocs//sql.php
[Thu May 06 20:42:16 2004] [error] [client 83.146.28.254] File does not exist: c:/program files/apache group/apache/htdocs/brisusa/metadot/index.pl

Entries like those below seem to be someone trying be take advantage of a long-known long address line buffer overflow vulnerability. One reason why you should always keep your computer up to date.

[Thu May 06 20:42:11 2004] [error] [client 83.146.28.254] Filename is not valid: c:/program files/apache group/apache/htdocs//////////[...]//////////index.html
[Thu May 06 20:42:17 2004] [error] [client 83.146.28.254] File does not exist: c:/program files/apache group/apache/htdocs/brisusa/w3msql/XXXXXXXXXX[...]XXXXXXXXXX

What happens is that if an unusually long address line is supplied to the HTTP port of the server, a buffer overflow could occur. As a result, it is possible to overwrite the memory stack variables, including the return address, and allow the execution of malicious code.

Luckily, these all appear in the error log not the access.log and so no breach of security seems to have occurred. The access.log doesn't seem to contain anything malicious like these entries in the error.log.

More confusing are entries like these...

[Sat Jan 29 15:18:40 2005] [notice] Parent: Created child process 576
[Sat Jan 29 15:18:40 2005] [notice] Child 576: Child process is running
[Sat Jan 29 15:18:40 2005] [notice] Child 576: Acquired the start mutex.
[Sat Jan 29 15:18:40 2005] [notice] Child 576: Starting 250 worker threads.

[Mon Jan 31 19:15:38 2005] [warn] (OS 121)The semaphore timeout period has expired. : winnt_accept: Asynchronous AcceptEx failed.

[Mon Jan 31 20:58:43 2005] [warn] (OS 64)The specified network name is no longer available. : winnt_accept: Asynchronous AcceptEx failed.

[Mon Jan 31 22:38:18 2005] [error] [client 66.196.101.98] File does not exist: D:/brisrayweb/robots.txt

First of all what is a mutex? This comes from Webopedia...

Short for mutual exclusion object. In computer programming, a mutex is a program object that allows multiple program threads to share the same resource, such as file access, but not simultaneously. When a program is started, a mutex is created with a unique name. After this stage, any thread that needs the resource must lock the mutex from other threads while it is using the resource. The mutex is set to unlock when the data is no longer needed or the routine is finished.

So, the lines...

[Sat Jan 29 15:18:40 2005] [notice] Parent: Created child process 576
[Sat Jan 29 15:18:40 2005] [notice] Child 576: Child process is running
[Sat Jan 29 15:18:40 2005] [notice] Child 576: Acquired the start mutex.
[Sat Jan 29 15:18:40 2005] [notice] Child 576: Starting 250 worker threads.

just seem to mean that multiple threads using the same files are starting. Nothing to worry about then?

The lines ...

[Mon Jan 31 19:15:38 2005] [warn] (OS 121)The semaphore timeout period has expired. : winnt_accept: Asynchronous AcceptEx failed.

[Mon Jan 31 20:58:43 2005] [warn] (OS 64)The specified network name is no longer available. : winnt_accept: Asynchronous AcceptEx failed.

seem more dangerous. Whilst poking around on the web I found a posting on Apache's Bugzilla site...

I would like to report that this problem(s) has resolved for me.

No more Acceptex or Sephamore timeout errors in the error log. No more random instances of super-slow server performance.

To reiterate - this is a Win 2K Pro machine that ran Apache 1.3 and then 2.0.4x just great for about 2 years. Then the semaphore and acceptex errors started appearing in the log, and sporadically the server would slow to a crawl. The errors in the log did not appear to coincide with the bouts of slow server performance. Eventually, the server was crawling many many times a day and was almost unusable.

Upgrading Apache to 2.0.52 made the server useable again, but still struggled with random occurrences where the server would slow to a crawl for no apparent reason and remain like that for minutes at a time, then magically fix itself. Adding Win32DisableAcceptEx removed the error messages from the log, but did not improve performance.

After adding the following to my conf file, the problems are now gone. Apache is now running perfectly again:

EnableSendfile Off
enablemmap Off

I did not upgrade any hardware. I did not find any spyware or viruses or change any settings with my virus software. The only thing I did was add the two lines above.

I understand that these two lines are only useful for Apache installed on Windows machines. I have little clue why the server ran super for 2 years without these lines, why adding these lines fixed the problem, or why the above two lines helped now - maybe my Windows 2K just got glitchy over time, or maybe one of the Microsoft patches affected some network setting somewhere.

Any apache/windows gurus want to offer some insight?

Regardless, the Apache problem is gone and I'm a happy camper again.

Following finding that post, I've changed my httpd.conf to include the lines...

Win32DisableAcceptEx
EnableSendfile Off
EnableMMAP Off

For more information on the use of these directives on the Apache site see Win32DisableAcceptEx, EnableSendfile and EnableMMAP

The line...

[Mon Jan 31 22:38:18 2005] [error] [client 66.196.101.98] File does not exist: D:/brisrayweb/robots.txt

is easier to understand. Especially when a tool like WHOIS Lookup gives 66.196.101.98 as Inktomi (now owned by Yahoo) which is a major search engine database provider. What's happening is that the search engine's bots are trying to find robots.txt which tells them what files NOT to include in the spidering process. See Web Robots for how to use this file.

This page created August 16, 2003; last modified October 29, 2022