FAQ: General

Third-party module FAQs

Does IHS support mod_security?

This module is not included with any products that bundle IHS, therefore no customer or product support from IBM is available for it. No testing of third-party Apache HTTP Server modules is performed by IBM.

The general IHS guidance on third-party code is available here.

IBM support currently has no reason to believe that the two are not interoperable, other than performance warnings about the version of PCRE used in IHS.

At the time of this writing (2013), commercial support for mod_security was available from the vendor. See http://www.modsecurity.org/projects/commercial/support/

Does IHS support mod_spdy?

This module is not included with any products that bundle IHS, therefore no customer or product support from IBM is available for it. No testing of third-party Apache HTTP Server modules is performed by IBM.

The general IHS guidance on third-party code is available here.

mod_spdy has dependencies on relatively new mod_ssl features that are not yet available in mod_ibm_ssl.

Migration FAQs

  1. Migrating 32-bit IHS 9.0 for Windows to 64-bit

  2. In-place migration of IHS 8.5.5 to IHS 9.0

Support and Maintenance FAQs

Are interim fixes not available for older fix packs?

For IBM HTTP Server (IHS), interim fixes will generally not be made available for anything but the two latest IBM Installation Manager fix packs, or the latest available IHS Archive (zip-only install) or SMP/E (z/OS) fix pack.

While it is common for WebSphere interim fixes to be provided with more initial fix pack coverage or additional fix pack coverage on demand, there are some important differences between the two offerings that make it untenable to provide interim fixes in a similar way for IHS.

  1. IHS has much coarser grained shipped files eligible to be updated relative to the individual class files in WebSphere.

  2. Each IHS fix pack has an order of magnitude fewer fixes than a corresponding WebSphere fix pack, so having the last two fix packs as a prerequisite is not as onerous.

  3. Since bin/httpd must be updated for every vulnerability to update the bundled CVE list and version string, each IHS interim fix is cumulative. Taken together with other bullets, older fix packs with a long string of superseded interim fixes would closely resemble the recent fix packs that could have been applied as prerequisites.

IBM is already selective in the fixes that go into IHS fix packs. The service strategy described above is similar to most distributions of Apache HTTP Server. Due to the effort, complexity, and urgency in delivering security fixes, the permutations must be kept to a minimum.

How do I upgrade IHS to Apache 2.4.xx?

The operative part of this question is the "Apache 2.4.xx". It is not possible/meaningful to "upgrade" IHS to any specific release of Apache HTTP Server, for the reasons below:

  • IHS is versioned and serviced completely differently

    • The Apache HTTP Server API provides the API level from the last major release IHS was forked from, corresponding to the API from 2.2.8 and 2.4.12 depending on IHS version. These do not change.

    • On Windows, the executables carry a "2.4.12" or "2.2.8" version, depending on IHS version. These do not change.

  • IHS selectively backports individual fixes from Apache when needed

Most people asking this question are being encouraged by a scanner to upgrade to a particular version of Apache HTTP Server because the scanner has either spotted a potential vulnerability or spotted "2.4.12" or "2.2.8" in the Windows binaries. The solution here is to validate the vulnerability affects IHS and obtain the appropriate IHS maintenance, not upgrade any Apache HTTP Server version.

  • If an Apache vulnerability affects IHS, we will publish a security bulletin and list it here

  • If an Apache vulnerability is not listed in the document above, open a case with support to determine if you are affected. Provide a list of CVE identifiers.

    • If it's a recent vulnerability, we may have not yet released a bulletin and fixes.

    • If it's an older vulnerability, it may not affect IBM HTTP Server so no corrective maintenance is needed.

What can be done about the default/splash shipped index page?

In IHS 8.0 and later, the shipped splash page cannot be removed, due to a quirk in how the IIM based installer behaves: A deleted file under the htdocs/ directory will be restored, but a replaced file will remain replaced.

  • Ignore the shipped files. If you overwrite files with files of the same name, your changes will be preserved. This does leave one method that a server can be fingerprinted with.

  • If you don't need to serve any static files, you can make a minor change to the configuration to simply reject access to the default DocumentRoot.

    • In 9.0, change require all granted to require all denied in the Directory section for htdocs/.

    • In earlier releases, change Allow from all to Deny from all in the Directory section for htdocs/.

  • To change the DocumentRoot, append a DocumentRoot directive and a <Directory> section based on those in the default configuration pointing to your alternate document root. The first DocumentRoot will be overridden by the appended one and the shipped files will not be accessible. For completeness, remove the original directive and configuration section.

Is IBM HTTP Server release supported on platform X?

Can IBM HTTP Server release x be used with WebSphere release y, or with plugin from WebSphere release y?

There are two issues of compatibility:

  • The WebSphere plug-in used in the web server must be compatible with the release of WebSphere. A table is provided in the Web server plug-in policy technote.

  • The WebSphere plug-in must be compatible with the release of IBM HTTP Server. The best way to accomplish this is by using the plug-in from the same WebSphere release as IBM HTTP Server.

Refer to this documentation: Web server plug-in policy for WebSphere Application Server

As an example, if you need to support versions 5.1, 6.0, and 6.1 of the application server, you should use IBM HTTP Server 6.1 and the WebSphere 6.1 plugin. (According to the web server plug-in policy, the 6.1 plugin is the only version which supports all three application server versions.)

Can more than one version of the WebSphere plugin be loaded into IBM HTTP Server?

No; only one WebSphere plugin can be configured and loaded in a single web server configuration.

Is IBM HTTP Server installed with WebSphere?

IBM HTTP Server is installed separately.

What are the product lifecycle dates for IBM HTTP Server?

Generally, they are tied to the matching WebSphere release. If you obtain IHS as part of a non-WebSphere product bundle, IHS should be listed in the Supporting Programs section of the license and is supported as long as the licensed program.

Note: It is possible that a product bundling one release of IHS moves to bundling a later release of IHS, especially under continuous delivery lifecycles.

What release of Apache is IBM HTTP Server based on?

  • 6.0, 6.1: 2.0.47

  • 7.0, 8.0, 8.5: 2.2.8

  • 9.0: 2.4.12

Note: Fixes from later levels of Apache are also included. The Apache releases above should be referred to for the purposes of third-party module compatibility as well as determining the base level of Apache fixes included, before additional fixes were incorporated to resolve specific customer problems.

Is a specific Apache fix in my level of IBM HTTP Server?

First, check the previous table which lists the level of Apache on which your level of IBM HTTP Server is based.

  • If the fix was included in the same or earlier level of Apache, your level of IBM HTTP Server contains the fix.

  • If the fix was included in a later level of Apache, refer to the IBM HTTP Server fix list document or /readme/CHANGES_HTTPD in the latest fixpack.

Is IBM HTTP Server 32-bit or 64-bit? Will 32-bit IBM HTTP Server run on my 64-bit OS?

  • IHS 8.5.5

    • 32-bit only: Windows

    • 64-bit only: Solaris/x64, HP-UX/IA64

    • 64-bit installed by default on 64-bit OS: Linux, AIX, Solaris/SPARC, z/OS

  • IHS 9.0:

    • 64-bit only: Solaris/x64, HP-UX/IA64

    • 64-bit installed by default on 64-bit OS: Windows, Linux, AIX, Solaris/SPARC, z/OS

      • Windows is 64-bit if:

        • Installed from the IHS archive installation: (9.0.0.6 and later)

        • IIM installs directly to 9.0.5.4 or later: PH23893

There is never any requirement to use a 32-bit or 64-bit IHS based on using a 32-bit or 64-bit WebSphere.

How do I determine which fixpack to download (32-bit, 64-bit?)

This is a historical issue. For IBM Installation Manager based installations you don't need to consider it.

How do I determine which WASSDK fixpack to download (32-bit, 64-bit?)

This is a historical issue. For IBM Installation Manager based installations you don't need to consider it.

How do I determine which IHS IFIX to download (32-bit, 64-bit?)

This is a historical issue. For IBM Installation Manager based installations you don't need to consider it.

Background on IIM fixes:

  • A single ifix valid for all installations of IHS such as '8.0.0.0-WS-WASIHS-MultiOS-IFPM46234.zip'. In this case, even a manual download does not need to worry about the OS or architecture.

  • An ifix generated for a particular OS and architecture that can service any IHS installable on that OS and architecture. On platforms where IHS includes both a 32-bit and 64-bit choice on a given operating system, the ifix will be named after the 32-bit architecture but contain an update for whichever architecture was chosen at install time.

    • For example, 8.0.0.0-WS-WASIHS-SolarisSparc-IFPM46234.zip contains updates to both 32-bit and 64-bit IHS on Solaris/SPARC, and 8.0.0.0-WS-WASIHS-LinuxX32-IFPM46234.zip contains fixes for both IA32 and X64 Linux.

      Net: The "bitness" selected at IHS installation time is not a factor in selecting which fix to download, and there will never be an AIX, Solaris/SPARC, or Linux download that displays a 64-bit architecture in the filename.

    • For help determining which architecture of Linux is installed, consult the IHS 7.0 section above.

How do I download/install IBM HTTP Server?

There are several ways to perform the initial download/installation of IBM HTTP Server. Most require IBM Installation Manager (IIM). IIM installs and updates IBM software from online and offline repositories.

Beginning in 9.0.0.6, an archive based installation that does not require IBM Installation Manager is available. It includes the WAS Plug-in, but does not include Java or Ikeyman. The archive install is documented in detail in the IHS Knowledge Center.

This table summarizes which components of WebSphere Application Server are available from Product Media, Passport Advantage, and Web repositories.

For complete repository details, see the IBM HTTP Server entries in the online product repositories for WebSphere Application Server offerings.

Installing or updating IBM HTTP Server 9.0 from an archive (No IIM)

Beginning in 9.0.0.6, an archive based installation that does not require IBM Installation Manager is available. The archive install is documented in detail in the IHS Knowledge Center.

The archive install can be used directly from Fix Central and bundles the WAS WebServer Plug-in. No passport advantage access is needed.

Installing or updating IBM HTTP Server 9.0 online

IHS, the WAS WebServer Plug-in, and WCT are available in this IIM repository: https://www.ibm.com/software/repositorymanager/V9WASSupplements

Example:

imcl install com.ibm.websphere.IHS.v90 com.ibm.java.jdk.v8 -repositories https://www.ibm.com/software/repositorymanager/V9WASSupplements -id /opt/IHS9054 ...

Notes:

  • No separate/original media is needed.

  • The contents of any IM repository can be mirrored with the IBM Packaging Utility, a complementary tool to IBM Installation Manager.

  • This repository can be used for both full installations and fixpack updates.

  • Fixpacks released in 2021 and later require that your IBM ID pass entitlement checks. See https://www.ibm.com/support/pages/node/6398736 for more details. If you request a non-specific version (like 'com.ibm.websphere.IHS.v90') and your ID is not entitled to download WAS/IHS, IBM installation manager may report the following:

    CRIMA1246E ERROR: The com.ibm.websphere.IHSILAN.v90 package has already been added to the command. You cannot add another package with the same ID.

Installing or updating IBM HTTP Server 9.0 offline

This section discusses installation via IBM Installation Manager (IIM) when the online repository is not reachable and has not been mirrored with the IBM packaging utility.

Multiple artifacts will have to be downloaded from Passport Advantage and Fix Central using the process that follows. The first IIM installation of IHS 9.0 on a system requires the original media to be present in the IIM repository search path. The latest full media image published to passport advantage is 9.0.5.1. The original media is CC3NPML (and CC3NQML for the WAS Plug-in and CC3NRML for PCT).

Part numbers for the original GA offline media are listed here.

  1. Prior to 9.0.5.8: Obtain the original media as described above

  2. Find the fixpack download page, for example 9.0.5.4

    Fixpacks released in 2021 and later require that your IBM ID pass entitlement checks. See https://www.ibm.com/support/pages/node/6398736 for more details.

  3. Download the offline repository labeled "IBM HTTP Server and Web Server Plugin", which has a filename like "9.0.5-WS-IHSPLG-FP004.zip". Unfortunately it is very large since it contains content for every OS/architecture combination.

  4. Download a Java SDK repository from here which has a filename like "ibm-java-sdk-8.0-6.15-linux-x64-installmgr.zip".

  5. Configure the downloaded zips as repositories:

    • If using the IBM Installation Manager GUI, configure both of the above zips as repositories in the preferences.

    • If using imcl on the command line, pass the two repositories separated by a comma and the two package names such as:

      # 9.0.5.7 and earlier
      imcl install com.ibm.websphere.IHS.v90 com.ibm.java.jdk.v8 -repositories was.repo.90501.ihs.zip,/tmp/9.0.5-WS-IHSPLG-FP004.zip,/tmp/ibm-java-sdk-8.0-6.15-linux-x64-installmgr.zip -id /opt/IHS9054 ...
      # 9.0.5.8 and later 
      imcl install com.ibm.websphere.IHS.v90 com.ibm.java.jdk.v8 -repositories /tmp/9.0.5-WS-IHSPLG-FP008.zip,/tmp/ibm-java-sdk-8.0-6.15-linux-x64-installmgr.zip -id /opt/IHS9058 ...
      

Notes:

  • There is no separate ILAN or "trial" offering. The provided offerings can be used under both the included ILAN license, or under the terms of a product license which has listed IHS as a supporting program.

Installing or updating IBM HTTP Server 8.5.5 online

IHS, the WAS WebServer Plug-in, and WCT are available in both of the following IIM repositories.

# Requires entitlement
https://www.ibm.com/software/repositorymanager/com.ibm.websphere.IHS.v85
# Requires entitlement for fixpacks released in 2021 and later
https://www.ibm.com/software/repositorymanager/com.ibm.websphere.IHSILAN.v85
# Note: No JDK package as used in V9
# Note: The -properties is mandatory.
imcl install com.ibm.websphere.IHS.v85 -repositories https://www.ibm.com/software/repositorymanager/com.ibm.websphere.IHS.v85 -id /opt/IHS855 -acceptLicense -prompt -showProgress -properties user.ihs.httpPort=80

  • For entitled users, no separate/original media is needed for either IPLA or ILAN repositories above.

  • For all users, the ILAN offering can be installed directly from the ILAN repository.

  • The contents of any IM repository can be mirrored with the IBM Packaging Utility, a complementary tool to IBM Installation Manager.

  • Part numbers for offline media are listed here: http://www-01.ibm.com/support/docview.wss?uid=swg27038625. This media should be available if your Passport Advantage ID is entitled to any product that bundles IBM HTTP Server. These downloads are cross platform and very large.

  • On ppc64le, separate URLs must be used for IHS, the WAS Plugin, and PCT as listed in the knowledge center.

  • These repositories can be used for both full installations and fixpack updates.

  • Fixpacks released in 2021 and later require that your IBM ID pass entitlement checks. See https://www.ibm.com/support/pages/node/6398736 for more details. If you request a non-specific version (like 'com.ibm.websphere.IHS.v85') and your ID is not entitled to download WAS/IHS, IBM installation manager may report the following:

    CRIMA1246E ERROR: The com.ibm.websphere.IHSILAN.v85 package has already been added to the command. You cannot add another package with the same ID.

These repositories can be used for install and update.

Installing IBM HTTP Server 8.5.5 offline

Full installs require the original media from passport advantage: CI6X0ML, CI6X1ML and CI6X2ML. These images contain the GA IBM Installation Manager repositories. Fixpack repositories discussed below can be combined at initial install to install directly to the fixpack level.

# Note: No JDK package as used in V9
# Note: The -properties is mandatory.
imcl install com.ibm.websphere.IHS.v85 -repositories /tmp/CI6X0ML-CI6X1ML-CI6X2ML-unpacked  -id /opt/IHS855 -acceptLicense -prompt -showProgress -properties user.ihs.httpPort=80

Updating IBM HTTP Server 8.5.5 offline

This section discusses applying fixpacks via IBM Installation Manager (IIM) when the online repository is not reachable and has not been mirrored with the IBM packaging utility.

Once you have an installation, IHS fixpacks can be obtained and installed several ways. The latest fixpacks for IHS can be viewed here

  1. Find the fixpack download document such as 8.5.5.17

    Fixpacks released in 2021 and later require that your IBM ID pass entitlement checks. See https://www.ibm.com/support/pages/node/6398736 for more details.

  2. Download the set of files titled "Supplements local repository ZIP files containing Application Client, Web server plug-ins, Pluggable Application Client, IBM HTTP Server"

  3. Extract the downloaded files and use them as IBM Installation Manager repositories.

# Note: No JDK package as used in V9
# Note: The -properties is mandatory.
# Note: The "install" action looks unusual but it's how fixpacks are applied.
imcl install com.ibm.websphere.IHS.v85 -repositories /tmp/8.5.5-WS-WASSupplements-zip-unpacked -id /opt/IHS855 -acceptLicense -prompt -showProgress -properties user.ihs.httpPort=80

Does IBM HTTP Server support HTTP/2 or SPDY?

IBM HTTP Server does not support the HTTP/2 (nor SPDY, QUIC...) protocol and no such support is planned for the future.

IBM HTTP Server is an included HTTP/1.1 gateway to WAS to provide security, caching, and high availability in front of IBM products like WebSphere Application Server.

An HTTP/2 solution can be used either in place of IBM HTTP Server or in conjunction with it (closer to the client, where its benefits will be more significant). Complementary or alternate options include IBM DataPower, Apache HTTP Server (other distributions that include mod_http2), nginx, HAProxy (standalone or as included in Red Hat OpenShift Container Platform), Apache Traffic Server, or any number of commercial dedicated proxy server, ADC, or CDN frontends.

Runtime Behavior FAQs

How does IHS use the PidFile/httpd.pid?

At startup, the IHS parent process writes its own process ID to the file identified by the PidFile directive. This file is used by most other apachectl commands to identify whether IHS is already running (start), or to identify the currently running IHS process to operate on it (stop, restart).

The file is removed when IHS is stopped via apachectl or any platform-service specific mechanism like Windows Services or the z/OS sample jobs, but not if the operating system is abruptly stopped or the individual IHS processes are directly killed.

If you attempt to start IHS and a PidFile already exists, it is replaced if its contents do not match any running process. If its contents do match a running process ID, regardless of what that process is, it requires a manual recovery (removal of PidFile by the admin) to recover. The server does not try to determine what kind of process matches the process ID, because this is not something easily/portably done from the native runtime. Wrappers around the apachectl script, or modifications to it, could probe with ps in environments where stale PidFiles are a problem.
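A wrapper of the kind suggested above could look like the following. This is an added example, not part of IHS or apachectl; the function names, the expected command name httpd, and the PidFile and apachectl paths passed by the caller are assumptions.

```shell
#!/bin/sh
# Added example (not shipped with IHS): pre-start check for a PidFile whose
# PID now belongs to an unrelated process. Function names are hypothetical.

# pid_command PID: print the command name of PID, or nothing if it is not running.
pid_command() {
    ps -p "$1" -o comm= 2>/dev/null || true
}

# classify_pidfile PIDFILE [EXPECTED]: print absent|invalid|stale|foreign|running
classify_pidfile() {
    pidfile=$1
    expected=${2:-httpd}            # assumed command name of the IHS parent
    if [ ! -e "$pidfile" ]; then echo absent; return 0; fi
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    comm=$(pid_command "$pid" | tr -d '[:space:]')
    comm=${comm##*/}                # some ps implementations print a full path
    if [ -z "$comm" ]; then
        echo stale                  # no such process; IHS replaces the file itself
    elif [ "$comm" = "$expected" ]; then
        # Name match is a heuristic: another httpd instance would also land here.
        echo running
    else
        echo foreign                # PID reused by some other program
    fi
}

# clear_foreign_pidfile PIDFILE [EXPECTED]: remove the file only in the one case
# IHS cannot recover from on its own, and print the state that was found.
clear_foreign_pidfile() {
    state=$(classify_pidfile "$1" "${2:-httpd}")
    if [ "$state" = foreign ]; then
        rm -f -- "$1"
    fi
    echo "$state"
}

# Usage: ihs-start.sh PIDFILE APACHECTL   (both paths supplied by the admin)
if [ $# -eq 2 ]; then
    state=$(clear_foreign_pidfile "$1")
    echo "PidFile state before start: $state" >&2
    [ "$state" = running ] || exec "$2" start
fi
```

The wrapper removes the PidFile only when the recorded PID belongs to a process with a different command name; an unparsable PidFile is reported but left for the administrator to inspect.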

What is the difference between WebSphere keep-alive settings and IHS keep-alive settings?

IHS keepalive settings affect connections between IHS and the web
client. WebSphere settings affect connections between the WebSphere
plug-in (running in IHS) and WebSphere. The connections are
independent and the settings are independent.

When does KeepAliveTimeout period start, relative to sending the response to the previous request to the client?

Does it start counting when IHS sent a response back to the client, or does the timeout period start when client ACKed the response?

It could be at either point, depending on the situation. IHS will start measuring the KeepAliveTimeout as soon as it successfully queues all of the previous HTTP response to the TCP layer. The operating system TCP layer sits between IHS and the network (client). IHS isn't aware of if or when the host OS can deliver the data or have it acknowledged.

If you are reading this answer, you may think that browsers care about the advertised length of the timeout specified in the Keep-Alive response header. While this is true for the connection pooling used by Java, for Chrome-based browsers connections are eligible for reuse for 5 minutes regardless of what Keep-Alive timeout is advertised in the Keep-Alive response header. To avoid a race with Chrome-based browsers, use a KeepAliveTimeout greater than 300 seconds.

Can IBM HTTP Server serve files larger than 2GB?

| IBM HTTP Server version | Platform | Can files larger than 2GB be served? |
|---|---|---|
| 6.0.x, 6.1.x | Windows, HP-UX/ia64, Solaris/x64, z/OS (only provided for 6.1.x) | Yes |
| 6.0.x, 6.1.x | AIX, Linux, HP-UX/PA-RISC, Solaris/SPARC | No |
| 7.0.x and later | All Platforms | Yes |

Supporting files larger than 2GB is theoretically possible on other version/platform combinations, but it breaks binary compatibility with plug-in modules, so the change cannot be made. 64-bit versions of IBM HTTP Server support files larger than 2GB.

I don't want anybody to know what server I'm running. What can I do?

In IHS 7.0 and later, the directive AddServerHeader can suppress the default Server: HTTP response header.

See also the ServerSignature directive for controlling whether information about the server is included in certain error messages.

Even without the standard Server header field in the response:

  • any attacker would simply try to exploit vulnerabilities that have affected the software used by the majority of the servers on the Internet (Apache and IIS), to see if they are effective

  • it is expected that the response of the server to various test requests could be analyzed to determine which web server software is in use, at least to the point of narrowing it down to some web server based on Apache.

Why do I see more httpd processes than my configured ServerLimit/MaxClients?

  • An additional process is created for mod_cgid, mod_mpmstats, and mod_ibm_ssl (SSL Session Cache daemon, sidd), if enabled.

  • After a graceful restart, the children that are waiting to complete their work and exit are not counted against ServerLimit/MaxClients.

  • If a child process has begun exiting due to a non-zero MaxRequestsPerChild, it is not counted against ServerLimit/MaxClients and may be replaced before it exits.

    • Setting MaxRequestsPerChild to zero prevents this occurrence.

    • There is no impact to server operation due to processes exiting in this way.
      The most common cause of threads taking too long to complete is a large (or zero) ServerIOTimeout in the WAS WebServer Plug-in.

  • If a child process has begun exiting due to MaxSpareThreads being reached it is not counted against ServerLimit/MaxClients and may be replaced before it exits.

    • Setting MaxSpareThreads equal to MaxClients prevents this occurrence.

    • There is no impact to server operation due to processes exiting in this way.
      The most common cause of threads taking too long to complete is a large (or zero) ServerIOTimeout in the WAS WebServer Plug-in.

Two useful diagnostics are available in this area.

  • View the number of threads in the "extra" processes using ps.
    Normal processes have just more than ThreadsPerChild number of threads, while processes trying to exit usually only have several remaining threads.

    • Linux: ps -A -o pid,ppid,cmd,nlwp,args | grep httpd

    • AIX: ps -A -o pid,ppid,comm,thcount,args | grep httpd

  • Run the GatherHangDoc collector in ihsdiag. The generated report file annotates each thread and process to tell you if it's exiting, and what the threads are busy doing.

How can I disable the HTTP TRACE method?

Refer to this document.

How can I downgrade the server response to HTTP/1.0 for certain requests?

<Location /some/url>
SetEnv downgrade-1.0 1                                                  
</Location>

How can I configure IBM HTTP Server to serve filename.html when the browser requests filename?

The mod_negotiation MultiViews feature can automatically select a file with appropriate extension when the browser does not provide a file extension.

LoadModule negotiation_module modules/mod_negotiation.so
...
<Directory /prefix-for-multiviews/>
Options +MultiViews
</Directory>

I have the LockFile directive specified, but I can't see the lock file in the filesystem. Why not?

Short answer: This is working as designed; the lock file doesn't show up in directory listing except for a brief moment during IHS initialization.

Long answer: When IHS initializes an fcntl accept mutex during startup, it opens/creates the lock file, retains the file descriptor, but "unlinks" the lock file so that it is removed from the system just in case IHS exits abnormally and is unable to run its normal cleanup code. This procedure is a standard technique to avoid leaving dangling files after process termination, but it results in the file being invisible to the ls command. This means that other applications can't mess with the file, accidentally or not, since they can never open the same lock file used by IHS.

If you really want to see the lock file working, you can pick an IHS child process and run truss against it. ("truss -p PID") At the end of processing one client, a call like this will appear:

kfcntl(19, F_SETLKW, 0x2000AEE0) (sleeping...)

So file descriptor 19 is the lock file. (This actual number will almost certainly be different in your environment.) lsof when run against an httpd process ("lsof -p PID") would display that file descriptor as follows:

httpd   23104 root  19w  VREG    10,8   0 2261678 /home (/dev/hd1)

The size (7th column) should be 0 and the filesystem (two last columns) should match the filesystem used by your LockFile directive.

Why do I get 403 Forbidden trying to view server-status reports?

There are two common problems.

  • The server status page is protected, and the client doesn't meet the authorization criteria. For example, there may be an allow from directive for <Location /server-status> which is not working.

  • The configured DocumentRoot directory isn't readable by the web server user id (e.g., nobody). If this is the cause, the error log will have a message like the following:

[Sat Mar 12 06:36:21 2005] [error] [client 127.0.0.1] (13)Permission denied: access to /server-status/ denied

My request failed with status nnn. How do I find out why?

Generally speaking, requests can fail in one of the following functional areas:

  • IBM HTTP Server core features (e.g., access was denied, file was not found, etc.)

  • WebSphere plug-in (e.g., communication error occurred trying to contact the application server)

  • WebSphere Application Server (e.g., customer application returned a failure due to database problem)

  • third-party module loaded into IBM HTTP Server failed the request (e.g., couldn't contact LDAP server)

Finding the root cause requires finding which functional area failed the request.

  • By default, mod_status is loaded and 'ExtendedStatus On' is set. Confirm your configuration supports it:

LoadModule status_module modules/mod_status.so
ExtendedStatus On

  • Add the RH variable to the information logged in access log:

LogFormat "%h %l %u %t \"%r\" %>s %b %{RH}e" common

  • Recreate the request and check the access log for the failing component:

127.0.0.1 - - [23/Jan/2006:08:09:51 -0500] "GET /foo.html HTTP/1.1" 404 317 (core.c/404/handler)
127.0.0.1 - - [23/Jan/2006:08:10:45 -0500] "GET /testcount.jsp HTTP/1.1" 500 644 (mod_was_ap20_http.c/500/handler)
127.0.0.1 - - [23/Jan/2006:08:11:19 -0500] "GET /cgi-bin/printenv HTTP/1.1" 404 322 (mod_cgid.c/404/handler)

| If the module name is... | This component failed to handle the request... |
|---|---|
| core.c | internal web server handling of static files |
| mod_was_ap20_http.c | WebSphere plug-in |
| mod_cgid.c | web server support for CGI scripts |
| mod_sm.c | SiteMinder |

Check the log files of the failing component for more information.
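To triage a busy access log rather than reading it line by line, the RH field can be summarized per module. The script below is an added example, not IBM-provided tooling; it assumes the LogFormat shown above (RH as the last field), and the function names, the extra sample lines, and mod_example.c are constructed for illustration.

```shell
#!/bin/sh
# Added example: attribute failed requests to the module named in %{RH}e.
# Assumes the LogFormat shown above, i.e. RH is the last field on each line.

# rh_summary: read access-log lines on stdin and print, for responses with
# status >= 400, tab-separated: count, status, module, component.
rh_summary() {
    awk '
    function component(m) {
        # Module-to-component mapping taken from the table above.
        if (m == "core.c")              return "internal web server handling of static files"
        if (m == "mod_was_ap20_http.c") return "WebSphere plug-in"
        if (m == "mod_cgid.c")          return "web server support for CGI scripts"
        if (m == "mod_sm.c")            return "SiteMinder"
        return "module not in the table above"
    }
    NF >= 3 {
        rh = $NF                                   # e.g. (core.c/404/handler)
        if (substr(rh, 1, 1) != "(" || substr(rh, length(rh), 1) != ")") next
        if (split(substr(rh, 2, length(rh) - 2), part, "/") != 3) next
        status = $(NF - 2)                         # %>s sits two fields before RH
        if (status !~ /^[0-9]+$/ || status + 0 < 400) next
        count[part[1] "\t" status]++
    }
    END {
        for (key in count) {
            split(key, kv, "\t")
            printf "%d\t%s\t%s\t%s\n", count[key], kv[2], kv[1], component(kv[1])
        }
    }' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k3,3
}

# sample_log: the three lines from the page plus constructed lines (a repeat,
# a 200 with RH logged as "-", and a hypothetical third-party module).
sample_log() {
    cat <<'EOF'
127.0.0.1 - - [23/Jan/2006:08:09:51 -0500] "GET /foo.html HTTP/1.1" 404 317 (core.c/404/handler)
127.0.0.1 - - [23/Jan/2006:08:10:45 -0500] "GET /testcount.jsp HTTP/1.1" 500 644 (mod_was_ap20_http.c/500/handler)
127.0.0.1 - - [23/Jan/2006:08:10:47 -0500] "GET /testcount.jsp HTTP/1.1" 500 644 (mod_was_ap20_http.c/500/handler)
127.0.0.1 - - [23/Jan/2006:08:11:19 -0500] "GET /cgi-bin/printenv HTTP/1.1" 404 322 (mod_cgid.c/404/handler)
127.0.0.1 - - [23/Jan/2006:08:12:02 -0500] "GET /index.html HTTP/1.1" 200 1024 -
127.0.0.1 - - [23/Jan/2006:08:12:30 -0500] "GET /x HTTP/1.1" 403 210 (mod_example.c/403/handler)
EOF
}

# With a file argument, summarize that log; otherwise run on the sample.
if [ $# -ge 1 ]; then
    rh_summary < "$1"
else
    sample_log | rh_summary
fi
```

Lines without a parenthesized RH value are skipped, so the counts cover only requests for which the server recorded a responsible module.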

Does IHS support byte range requests, and byte serving of PDF files?

Yes, IHS can satisfy limited byte range requests for static content but cannot do so for content delivered via the WebSphere Plugin (due to the particular way the response is forwarded by the WebSphere Plugin). An enterprise application is free to parse the Range header and issue its own 206 response, and it is forwarded unchanged by IHS and the WAS Webserver Plug-in.

What are the limitations of the MaxClients directive on Unix and Linux systems?

IBM HTTP Server 2.0 and above is essentially limited by the amount of memory. You can configure up to 20,000 threads per child process, and configure up to 20,000 child processes, for an overall limit of 400,000,000. However, the address space of an individual child process may be exceeded with that many threads, and system memory may be exceeded with that many child processes.

What are the limitations of the ThreadLimit directive on Windows systems?

IBM HTTP Server 2.0 and above on Windows has a built-in limit of 15,000 threads, but practical limits around 2500 or 5000 on 64-bit and 32-bit operating systems, respectively.

How can I recompile IBM HTTP Server?

A customer cannot recompile or relink IBM HTTP Server.

If instructions for a third-party module mention recompiling the web server for integration of the third-party module, consult with the provider of that third-party module to find out how to load it into the web server dynamically (using the LoadModule directive).

If the customer requires that they be able to recompile or relink the web server, we recommend using the Apache web server, for which a plug-in is provided by WebSphere. The Apache web server is not supported by IBM, but the customer will be able to use it with WebSphere Application Server using the WebSphere plug-in.

How can I use suexec with IBM HTTP Server?

example suexec implementation

Can IHS be run in a chroot environment?

IHS running in a chroot environment is untested and unsupported. IHS support cannot assist with the configuration of such an environment and may require the customer to reproduce defects in a traditional environment.

Authentication / Authorization / Access Control FAQs

Why does the web browser present an authentication prompt twice when loading the same page?

Watch out for redirections which make the web browser think it is contacting a different web server. Here is an example of this type of problem, where the web browser has to authenticate over non-SSL only to find out that it has been redirected to an SSL port. The browser assumes that it is a different server and will prompt again.

<Location /protected.html>
RewriteEngine on
RewriteCond %{SERVER_PORT} =80
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI}
Satisfy all
AuthUserFile /etc/webusers
AuthName Intranet
AuthType basic
Require valid-user
</Location>

In this type of situation, the redirection to SSL should be unauthenticated. Then, the authentication should happen once the request has been issued to the SSL port. Here is a solution:

# when request for the protected resource is received over non-SSL, redirect to SSL without authenticating
<VirtualHost *:80>
...       (existing configuration for this vhost)
<Location /protected.html>
RewriteEngine on
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI}
</Location>
</VirtualHost>

# when request for the protected resource is received over SSL, authenticate
<VirtualHost *:443>
...       (existing configuration for this vhost)
<Location /protected.html>
Satisfy all
AuthUserFile /etc/webusers
AuthName Intranet
AuthType basic
Require valid-user
</Location>
</VirtualHost>

Header FAQs

Does WebSphere Application Server or IBM HTTP Server support HSTS / HTTP Strict Transport Security?

HSTS is supported in several ways.

WebSphere Application Server supports setting HSTS headers via server or application level configuration. See https://www.ibm.com/support/pages/apar/PI67099 for details. Note that configuring HSTS requires that clients use port 443, even if the application server uses a different port.

WebSphere Application Server and Java EE support setting custom HTTP response headers from applications (including filters). See HTTPServletResponse.setHeader().

IBM HTTP Server (IHS) has basic support for HSTS via a configuration that uses generic HTTP response manipulation by using the mod_headers module.

  • Decide if you want the semantics specified by the Strict-Transport-Security

  • Decide how long you'd like browsers to cache this information

  • Decide how you'd like sub-domains to be treated.

  • Decide if this domain will consent to be listed in a preloaded HSTS list.

  • Enable the mod_headers module in your IHS configuration file by making sure the LoadModule directive for mod_headers is un-commented.

  • Use the Header directive in each SSL virtual host that requires an HTTP Strict Transport Security policy.

For the example below, do not copy and paste the directive verbatim without first understanding HTTP Strict Transport Security.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  • Configure your non-SSL virtual hosts to redirect to their SSL counterparts:

# In each HTTP virtual host and once in the httpd.conf globally:
RewriteEngine on
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]
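
A check for the values chosen in the steps above, as an added example (not part of the original FAQ or IBM's code): it pulls the policy out of a Header directive and reports problems with max-age, includeSubDomains and preload. The function names are hypothetical, and the one-year minimum max-age for preload is an assumption taken from the browser preload list's submission requirements.

```python
import shlex

# Assumption: one year is the minimum max-age the browser preload list accepts.
PRELOAD_MIN_AGE = 31536000


def hsts_value_from_directive(line):
    """Extract the policy string from a mod_headers 'Header ... set' line."""
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "strict-transport-security":
            return tokens[i + 1]
    return None


def parse_hsts(value):
    """Return (directives, errors); directive names are lower-cased (RFC 6797)."""
    directives, errors = {}, []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives between semicolons are permitted
        name, sep, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # the value may be a quoted-string
        if name in directives:
            errors.append("duplicate directive: " + name)
            continue
        directives[name] = arg if sep else None
    return directives, errors


def check_hsts(value):
    """Return a list of problems with an HSTS policy; empty means none found."""
    directives, problems = parse_hsts(value)
    max_age = directives.get("max-age")
    seconds = None
    if max_age is None or not (max_age.isascii() and max_age.isdigit()):
        problems.append("max-age is required and must be a non-negative integer")
    else:
        seconds = int(max_age)
        if seconds == 0:
            problems.append("max-age=0 tells browsers to drop the policy")
    if "preload" in directives:
        if "includesubdomains" not in directives:
            problems.append("preload without includeSubDomains")
        if seconds is None or seconds < PRELOAD_MIN_AGE:
            problems.append("preload with max-age below one year")
    return problems


if __name__ == "__main__":
    # The directive from this page, followed by a constructed weak policy.
    page_line = ('Header always set Strict-Transport-Security '
                 '"max-age=31536000; includeSubDomains; preload"')
    for policy in (hsts_value_from_directive(page_line), "max-age=300; preload"):
        print(policy, "->", check_hsts(policy) or "ok")
```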

How can I add the client IP address to a request header?

In WebSphere, applications access the client IP address using the HTTPServletRequest API and no configuration is needed. If you still want to copy the client IP into a request header, here is one basic recipe that replaces any incoming X-Forwarded-For header with the client's IP address.

SetEnvIf Remote_Addr (.*) client-ip=$1
RequestHeader set X-Forwarded-For %{client-ip}e

Can IBM HTTP Server set the X-Forwarded-User header from the logged in user?

Not directly, and copying it around is difficult due to the timing and interactions of multiple modules.

<VirtualHost *:80>
  RequestHeader set X-Forwarded-User %{my-remote-user}e env=my-remote-user
  # This makes mod_rewrite run late enough to see the result of authentication
  <Location />
    RewriteEngine on
    # %{REMOTE_USER} below does not depend on an environment variable
    RewriteRule .* - [E=my-remote-user:%{REMOTE_USER}]
  </Location>
</VirtualHost>

How do I set a header only if two conditions are both true?

The last argument of the Header directive takes an environment variable which, if unset, prevents the header from being added. You can use this in conjunction with the SetEnvIf directive to set headers on basic conditions. However, only one envvar is accepted, and there is no support for logical expressions. This makes it somewhat difficult to add headers only if two conditions are met.

One specific way to bypass this limitation is to look for another directive that covers one of your conditions. For example, if you don't want to cache requests for a specific directory from a specific browser, you can use the LocationMatch directive in conjunction with SetEnvIf:

<LocationMatch /dont/cache/.*>
    BrowserMatch MSIE is_msie
    Header set Cache-Control "no-cache" env=is_msie
</LocationMatch>

Another (more general) way is to use the RewriteRule and RewriteCond directives. Be wary of using this trick in conjunction with virtualhosts - they do not inherit the RewriteRule.

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} MSIE
RewriteCond %{REQUEST_URI} ^/dont/cache/
RewriteRule ^/ - [E=nocache:1]
Header set Cache-Control "no-cache" env=nocache

If neither of the above two works for your situation, the most general and most verbose way is to construct a logical "and" expression from SetEnvIf directives:

# We would use SetEnv here, but it always runs after SetEnvIf; just use a catch-all SetEnvIf instead
SetEnvIf Request_URI "^/" nocache_uri=0 nocache_browser=0 nocache=1

SetEnvIf Request_URI "^/dont/cache/" nocache_uri=1
SetEnvIf User-Agent MSIE nocache_browser=1
SetEnvIf nocache_uri "0" nocache=0
SetEnvIf nocache_browser "0" nocache=0
SetEnvIf nocache "1" set_nocache

Header set Cache-Control "no-cache" env=set_nocache

Can IBM HTTP Server modify Cookie or other request header fields?

mod_headers is provided and allows some limited request header modification. It can:

  • add an additional request header field

  • remove an existing request header field

  • append data to an existing request header field

No other manipulation is provided.

A custom plug-in module would have to be used if a different type of manipulation is required within IBM HTTP Server, including removing individual cookies from a Cookie header field.

Logging FAQs

How accurate is %t?

  • When %t is used, fractional seconds are discarded (in other words, rounded down to the last whole second). A cache is used to avoid constant calls to localtime_r.

  • When %{format}t is used, no cache in IHS is used, and any precision available in the system's strftime() function can be used.

How can I log a response header field such as Set-Cookie?

This is done with the LogFormat directive. The format string to use is "%{header-name}o", for example "%{Set-Cookie}o".

Simple example for this existing access log configuration:

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log common

Add "%{Set-Cookie}o" to the format string on the LogFormat directive, resulting in:

LogFormat "%h %l %u %t \"%r\" %>s %b %{Set-Cookie}o" common
CustomLog logs/access_log common

(There may be a number of different LogFormat directives... the one of interest is the one whose format name (e.g., "common") is actually referenced on your CustomLog directive.)

Can IBM HTTP Server write to log files over 2GB?

Web server writing directly to log files

In 7.0 and later, IHS and rotatelogs can both write log files greater than 2GB.

Are there tools to analyze IBM HTTP Server access logs?

IHS doesn't include any such tools, but there are numerous third-party solutions for log file analysis. Search for "Apache log file analyzer" using your favorite Internet search engine.

We are aware that some IHS customers are successfully using Webalizer, a freely-distributed application available from http://www.mrunix.net/webalizer/.

How can I save mod_status page at intervals?

  • It can be queried via any command-line HTTP client.

  • If all you want is to know how many threads are busy and in what state, see mod_mpmstats.

How can I rotate (switch) log files?

Piped log programs

Refer to the Piped Logs section of the documentation for more information. See also common questions about rotatelogs.

Renaming log files and restarting

On Linux and Unix, an alternate method renames log files while the web server is running and still writing to the old files, then restarts the web server to open files under the normal name again.

Refer to the Log Rotation section of the documentation for more information.

What are these requests for file favicon.ico in my logs?

Requests for favicon.ico are unavoidable. Internet Explorer and some other browsers will blindly request favicon.ico in case the web site has that file. You may have noticed that on some web sites, there is a cute icon in the URL box on your web browser; favicon.ico from that web site is the cute icon. Most web sites don't have that file, so there will be a 404 in the web site's access log and the browser will use the default icon.

The customer is not in control of whether or not the browser issues that request. They can have their site designer provide a favicon.ico file or they can ignore the entries in the access log. We do not recommend that they filter out the entries from the access log, because if there is ever a question of what requests are hitting the server, then the access log wouldn't be able to answer that question.

How can I avoid writing access log records for images?

Set a variable called image-request when the request is for certain filenames. Then, update the CustomLog directive to indicate that requests should not be logged when the image-request variable is set.

SetEnvIf Request_URI \.gif$ image-request
SetEnvIf Request_URI \.jpg$ image-request
# add another SetEnvIf directive for other file extensions to be skipped
CustomLog logs/access_log common env=!image-request

The mod_log_config documentation has an example showing how to put image requests in one access log and non-image requests in another access log.

How do I determine which vhost is selected when the request is received?

Add an indication of the selected vhost to your access log format, and then retry the testcase.

  • Add SetEnv vhostname MAIN to the main scope of httpd.conf.

  • Add SetEnv vhostname UNIQUE-NAME to each VirtualHost container. Make sure UNIQUE-NAME is unique for each virtual host.

  • Add the vhostname (%{vhostname}e) to the access log format.

  • Add the target IP address (%A) to the access log format.

  • Add the value of the ServerName associated with the virtual host which served the request (%v) to the access log format.

Example log format with these changes made:

LogFormat "%h %l %u %t \"%r\" %>s %b %A %v %{vhostname}e" common

Example setting of vhostname:

SetEnv vhostname MAIN
<VirtualHost *something*>
...
SetEnv vhostname vhost8443
</VirtualHost>

<VirtualHost *something-else*>
...
SetEnv vhostname vhost443
</VirtualHost>

Now restart the web server and try the request again. Check the access log for the destination IP address and the vhost name:


127.0.0.1 - - [26/Apr/2005:07:10:36 -0400] "GET /file.html HTTP/1.1" 200 1647 9.42.114.51 myhost.example.com MAIN
                                                                               |                 |            |
                                           IP address connected to by client---+                 |            |
                                           ServerName for selected vhost-------------------------+            |
                                           label for selected vhost-------------------------------------------+

Check if the vhost name logged (e.g., "MAIN") is the expected one. If an unexpected vhost name is logged, that would explain why your vhost-specific configuration is not applied to the processing of the request. The IP address and ServerName value which were logged can provide further hints.
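
A small parser for the log format shown above, as an added example that is not part of the original FAQ: it lists the requests that were served by a given label (MAIN by default) and counts requests per (IP address, ServerName, label). The function names are hypothetical; the first sample line is the one from this page and the other two are constructed.

```python
import re
from collections import Counter

# Matches: LogFormat "%h %l %u %t \"%r\" %>s %b %A %v %{vhostname}e" common
LINE = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'(?P<local_ip>\S+) (?P<server_name>\S+) (?P<label>\S+)'
)

# First line is the page's example; lines two and three are constructed.
SAMPLE_LOG = '''\
127.0.0.1 - - [26/Apr/2005:07:10:36 -0400] "GET /file.html HTTP/1.1" 200 1647 9.42.114.51 myhost.example.com MAIN
127.0.0.1 - - [26/Apr/2005:07:10:40 -0400] "GET /secure/ HTTP/1.1" 200 512 9.42.114.51 myhost.example.com vhost443
127.0.0.1 - - [26/Apr/2005:07:10:41 -0400] "GET /admin HTTP/1.1" 404 - 9.42.114.52 myhost.example.com MAIN
'''


def parse_lines(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        match = LINE.fullmatch(line.strip())
        if match:
            yield match.groupdict()


def selection_counts(log_text):
    """Count requests per (target IP, ServerName, vhost label)."""
    return Counter(
        (e["local_ip"], e["server_name"], e["label"]) for e in parse_lines(log_text)
    )


def served_by(log_text, label="MAIN"):
    """Return (request line, target IP) for requests handled under `label`."""
    return [
        (e["request"], e["local_ip"])
        for e in parse_lines(log_text)
        if e["label"] == label
    ]


if __name__ == "__main__":
    for key, count in sorted(selection_counts(SAMPLE_LOG).items()):
        print(count, *key)
    for request, ip in served_by(SAMPLE_LOG):
        print("served by MAIN:", request, "on", ip)
```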

How can I log the TCP port a request was received on?

The format %{local}p can be logged in IHS 7.0 and later.

Please explain the %D and %T access log formats.

What operations do these log formats measure?

These formats show the time to serve the request, from the time that the web server reads the first line of the request from the client to the time the web server processes the %D or %T format string while logging the results of the request. This logging (and resolution of %D/%T) occurs after WebSphere Application Server has written the entire response to the WebSphere Plugin, and the entire response has been queued to the TCP layer by IHS (see Special considerations below).

%D formats the time in microseconds and %T formats the time in seconds.

Special considerations:

  • The time does not cover the interval where the new connection is queued by the system TCP layer, before the web server begins processing the connection. Ordinarily this interval is very brief, and the web server will start processing the connection as soon as the 3-way TCP handshake completes. But if no web server thread is available at the time the 3-way TCP handshake completes, the uncounted time where the request is not being processed could be considerable.

  • The time does not cover the SSL handshake, which occurs before the web server reads the first line of the request.

  • If there is a subsequent request sent on the same TCP connection before the entire response has been sent (pipelining), the time may not cover the end of the last buffer of the response. This is an optimization which results in higher network utilization, but the logging of a request to access log, and thus the calculation of response time, can occur prior to the last byte of the response being transmitted.

  • Even when there is no subsequent request, the response time only covers the interval up through when all response bytes have been passed to the TCP layer on the web server system. There may be significant delays before the web client has read the entire response from the TCP layer on the client system.

Why do I sometimes see 0 for the %D access log value on Windows?

IHS on Windows uses a system call to obtain two timestamps, one just after the request line is read and the second when the access log entry is made. Although the Operating System returns a value that has microsecond granularity, the timer is only updated once every OS timer tick, that is, 64 times per second. Thus if IHS processes a request in less than 15 milliseconds it is possible that 0 will be logged for the time taken to serve the request.

URL Rewriting

mod_rewrite: a character in my new URL is being escaped as %nn. How can I avoid that?

This answer has been moved here.

mod_rewrite: My rules are ignored. Nothing is written to the rewrite log.

This answer has been moved here.

Caching Questions

Why do I only see 304 responses when I hit the application server directly?

  • Some browsers send Cache-Control: max-age=0 when you request resources via IHS because an untrusted certificate is presented.

  • Some third-party modules, like Siteminder, might strip out If-Modified-Since request headers when loaded, preventing 304 responses (see 'preserveHeaders AllowCacheHeaders siteminder' on a web search).

How can mod_cache purge a cache entry at runtime?

If a request arrives with the Cache-Control: max-age=0 header, mod_cache will refresh the cache entry. It is not safe to call htcacheclean with a running server.

Can mod_expires be used with the WAS Plugin?

Yes, both ExpiresDefault and ExpiresByType can add expiration data to requests served by the WAS Plugin. Generally, we expect the generator of the content (the customer's application) to set these headers intelligently, because IHS as a gateway is taking a wild guess as to how long a response remains cacheable.

Note that if the application does set the Expires header, mod_expires will not override it.

Can RequestHeader rewrite request headers before the WAS Plugin sees them?

Yes

Can mod_deflate's INFLATE filter compress a request before the WAS Plugin forwards it?

No, because the size of the body will be transformed, and the WAS plugin will have sent the size to WAS before mod_deflate can change it.

How can I disable caching in Internet Explorer?

Use mod_headers with the following configuration:

  Header set Pragma "no-cache"
  Header set Cache-Control "no-cache"
  Header set Expires "-1"

If you don't want every resource on your webserver to be uncacheable, you have to determine which resources the rules should apply to and add them to a more specific configuration section:

  • If you want this to apply to specific types of content served locally from IBM HTTP Server, surround this with containers such as , , , or

Example if your URLs ending in ".pdf" or ".php" should not be cached:

    <FilesMatch \.(pdf|php)$>
      Header set Pragma "no-cache"
      Header set Cache-Control "no-cache"
      Header set Expires "-1"
    </FilesMatch>

  • If you want this to apply to specific file extensions served by WebSphere Application Server, surround this recipe with a container.

Example if your URLs ending in ".pdf" should not be cached:

    <LocationMatch \.pdf$>
      Header set Pragma "no-cache"
      Header set Cache-Control "no-cache"
      Header set Expires "-1"
    </LocationMatch>

For more information about how configuration sections / containers work, see The IBM HTTP Server information center.

For more information about mod_headers, see the mod_headers documentation.

How can I tell if my cache-related headers are being set by mod_headers?

If you don't know whether or not your mod_headers rules are working inside of IBM HTTP Server, you can log their values by adding the following stanza to the LogFormat directive that is in use by your CustomLog directives:

%{Pragma}o %{Expires}o %{Cache-Control}o

Other alternatives include wireshark, mod_net_trace, or the Web Browser developer tools.

How can I tell if mod_cache is working?

UPDATE: You can log a cache miss by using SetEnv CACHE_MISS 1 and adding %{CACHE_MISS}e in your LogFormat directive. Modules such as mod_env are skipped when a response is served from the cache, so the CACHE_MISS environment variable can only be set when the cache is not used.

If you are logging the Request Handler you will see the request handler change from the content generator (mod_cgid, mod_proxy_http, mod_was_ap20_http, mod_core) to an empty value. Under some circumstances this will happen on the third, not the second, request for cacheable content.

Alternatively with LogLevel debug set, the following message is issued when mod_cache has served the request:     cache: serving /foo

Finally, if the "Age" header isn't being set by the content generator or some intermediate cache/proxy, the presence of the Age header in the response indicates that the file is being served from the cache. You can log the outgoing Age: header in the access log by adding %{Age}o to your LogFormat directive.

How does mod_cache interact with the WebSphere Plugin?

mod_cache can cache content generated by the WebSphere Plugin if it has the appropriate HTTP headers in the response; however, this cache does not interact with the Plugin ESI cache. When mod_cache is caching content generated by the WebSphere Plugin, you will not see evidence of the WebSphere Plugin being called for the cached request.

What content is cacheable?

See section 13 of RFC 2616, notably the presence of the ETag, Last-Modified, or Expires headers.

Why do I see duplicate content added to mod_mem_cache?

IHS creates up to MaxClients / ThreadsPerChild child processes, and each maintains its own memory cache. The default httpd.conf is poorly tuned for mod_mem_cache, because it uses a low value for both ThreadsPerChild and MaxSpareServers. Using many child processes, or a variable number, will decrease the cache hit ratio.

Tuning suggestions for mod_mem_cache

  • High ThreadsPerChild allows the cache to be duplicated across fewer child processes and increases cache hit percentage.

  • MaxRequestsPerChild 0 (default) prevents graceful child termination, which throws away anything in a child process's cache.

  • MaxSpareThreads = MaxClients prevents graceful child termination, which throws away anything in a child process's cache.

See IBM HTTP Server Performance Tuning for details on adjusting ThreadsPerChild.

Why don't some static files have a Last-Modified header?

URLs configured for mod_include (Server-Side Includes) do not include a Last-Modified header, because the ultimate response is not necessarily related to the modification time of the file passing through the INCLUDES filter.

Java questions

Can the bundled Java be removed from IHS?

Installs of IHS and the WAS Plug-in using IBM Installation Manager contain an embedded/bundled IBM Java. This Java is NOT used at runtime, but is used for several other purposes:

  1. To run Ikeyman and gskcmd and scripts such as versionInfo.{sh|bat}

  2. For actions driven after installing/uninstalling fixpacks

While removing or replacing the bundled IBM Java has no effect on the runtimes, applying maintenance in this configuration is neither tested nor supported. An alternative to manipulating the IBM Installation Manager based installation is to use the IHS Archive Install documented here, which contains no bundled IBM Java runtime.

How does Java SDK maintenance work in IHS?

  • In V7, WASSDK fixpacks must be used to update the bundled Java. Java is never updated by an IHS fixpack.

  • In V8 and later, Java updates come with most IHS fixpacks, and WASSDK interim fixes can be used to upgrade java in advance of a fixpack.

  • In V9 and later, the JDK is once again separately updateable, directly with IIM maintenance from the JDK team. It does not follow IHS/WAS schedules.

Can the bundled Java 6 in IHS/Plug-in V8 be replaced/updated with Java 7 or 8?

  • Prior to 8.5.5.11, Java 6 was the only JDK available with these installables.

  • Fixpack installs at 8.5.5.11 and later warn about upcoming EOL for Java 6.

  • Full installs of 8.5.5.11 and later bundle Java 8 instead.

  • 8.5.5.14 (and later) forcibly updates the embedded Java to Java 8 (even for fixpack installs).

Misc. questions that don't fit anywhere else

How much memory does IHS need?

This will vary based on configuration and workload, but IBM HTTP Server uses very little memory. A configuration with SSL and 40 concurrent requests was measured to use less than 100MB of resident memory. apache.org's webserver uses only around 1GB of memory.

How high can I set LimitRequestFieldSize?

Performance-wise, as high as you want; the server will only allocate as much memory while reading the header as it needs to.

However, if you can estimate the largest header you're likely to receive, you might want to just set LimitRequestFieldSize somewhat larger than that, rather than to some really huge value. That will offer some protection in case a garbage request comes in that looks like it has a really long header, keeping the server from continuing to read and allocate memory and maybe running out.

Why does IHS ignore LimitRequestFieldSize?

VirtualHosts will inherit the current value of LimitRequestFieldSize when reading the configuration. This means that if LimitRequestFieldSize is set below a vhost configuration, the vhost will not inherit the new value.

Move the LimitRequestFieldSize directive to be above any vhosts config stanzas that you want to use the new value.

Does IHS support NTLM or Kerberos?

For the Windows platform, this may also be known by other terms such as 'Integrated Windows Authentication' (IWA), 'Windows Integrated Authentication', 'Windows Authentication', or 'Windows NT Challenge/Response authentication'.

No support is provided for these authentication protocols in IBM HTTP Server. Customers requiring this functionality should configure the corresponding technologies in the application server (e.g. SPNEGO TAI).

How do I turn off automatic directory listings?

By default, if IHS maps a request to a directory name rather than a filename (e.g. /var/htdocs/images) and there's not an index.html file in the directory, IHS will return an HTML page listing the files in that directory. You might wish to disable this as a security measure.

Directory listings are generated by the mod_autoindex module. To disable all directory listings, you can remove the LoadModule line for mod_autoindex and any occurrences of configuration directives that mod_autoindex implements (see the mod_autoindex documentation).

If mod_autoindex is loaded, whether a directory listing will be generated for a particular request is configured using the Options directive.

To disable directory listings for a specific directory and its subdirectories, turn off the Indexes option in that directory:

    <Directory /var/htdocs/images>
      Options -Indexes
    </Directory>

You can disable all directory listings by default:

    <Directory />
      Options -Indexes
    </Directory>

But note that a more specific section can turn indexes back on:

    <Directory /var/htdocs/images/foo>
      Options Indexes
    </Directory>

so search your configuration files for "Indexes" to verify that directory listings aren't re-enabled anywhere that you don't want them.

A .htaccess file in a subdirectory can also turn on directory listings. You can prevent that by configuring AllowOverride at the server level and omitting the Options argument, e.g.:

 AllowOverride AuthConfig FileInfo

Summary: Either remove mod_autoindex completely from the configuration, or use Options and AllowOverride to disable listings in specific directories.
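
The search for "Indexes" recommended above can be scripted. This added example (not part of the original FAQ or IBM's tooling) scans configuration text for Options directives that enable Indexes and for AllowOverride settings that let a .htaccess file change Options. The function name and the sample configuration are constructed for illustration, and Include directives are not followed.

```python
import re

# Constructed sample, modelled on the snippets in this FAQ.
SAMPLE_CONF = '''\
# constructed sample, not a real IHS configuration
<Directory />
  Options -Indexes
  AllowOverride AuthConfig FileInfo
</Directory>
<Directory /var/htdocs/images/foo>
  Options Indexes
</Directory>
<Directory /var/htdocs/legacy>
  Options +FollowSymLinks
  AllowOverride All
</Directory>
'''

OPEN = re.compile(r"<\s*([A-Za-z]+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*([A-Za-z]+)\s*>")


def audit_indexes(conf_text):
    """Return (line number, enclosing section, finding) tuples."""
    findings = []
    stack = []  # enclosing <Directory>, <Location>, <VirtualHost> ... sections
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):
            if stack:
                stack.pop()
            continue
        opened = OPEN.fullmatch(line)
        if opened:
            stack.append(f"{opened.group(1)} {opened.group(2).strip()}".strip())
            continue
        words = line.split()
        directive = words[0].lower()
        args = [w.lower() for w in words[1:]]
        scope = stack[-1] if stack else "(server config)"
        if directive == "options":
            # "Indexes", "+Indexes" and "All" each turn listings on for the scope.
            if any(a in ("indexes", "+indexes", "all") for a in args):
                findings.append((lineno, scope, "Options enables Indexes"))
        elif directive == "allowoverride":
            # "All", "Options" or "Options=..." lets .htaccess set Options.
            if any(a == "all" or a == "options" or a.startswith("options=")
                   for a in args):
                findings.append(
                    (lineno, scope, "AllowOverride lets .htaccess set Options"))
    return findings


if __name__ == "__main__":
    for lineno, scope, finding in audit_indexes(SAMPLE_CONF):
        print(f"line {lineno}: <{scope}>: {finding}")
```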

How can I run more than one instance of IBM HTTP Server from the same installation directory?

This question covers distributed platforms only. On the z/OS platform, the install_ihs command creates a separate directory for each instance without creating another copy of the product.

Operational requirements

These are the minimal requirements that allow multiple web server instances to run from the same installation directory.

configuration files

A different main configuration file (normally httpd.conf) is needed for each instance. Common directives can be stored in common files and included from the different main configuration files.

ports

A combination of listen port and listen IP address cannot be used by more than one instance. This is primarily configured with the Listen directive, but interfaces and ports may also show up in other directives (VirtualHost, Redirect...)

log and other special files

Anything normally stored in the install_root/logs directory cannot be shared between instances. So each instance must have unique values for these directives:

  • PidFile (applicable to all configurations)

  • ErrorLog (applicable to all configurations)

  • CustomLog (applicable to all configurations)

  • SSLCachePortFilename (applicable to all non-Windows configurations with SSL enabled)

  • SSLCachePath (applicable when ALL of the conditions below are true)

    • Platform is not Windows.

    • SSL is enabled.

    • SSLCacheDisable directive is not configured.

    • bin/apachectl has been modified to specify a different -d flag, or bin/apachectl is launched with an explicit -d flag.

    • The directory specified by the -d flag does not contain the file bin/sidd.

starting and stopping

  • On Unix systems, you ultimately have to pass the -f parameter to apachectl to select your alternate configuration file. It's simplest to wrap apachectl with a short shell script that always passes all arguments but sets the customized -f parameter.

  • On Windows systems, where IHS is typically started as a service, you must create one service per instance. The configuration file (-f parameter) is specified at service creation time and remembered when the named service is started.

Service install/create

cd install_dir
bin\Apache.exe -f conf/this_instance.conf -k install -n IHS6-this_instance

Service start (pick one)

  • net start IHS6-this_instance

  • install_dir\bin\Apache.exe -k start -n IHS6-this_instance

  • Find IHS6-this_instance in the Microsoft Windows "services" GUI.

Functional requirements

The functional requirements are the configuration differences which make different web server instances behave differently, and are in addition to the operational requirements above. You may wish to have different plug-in configuration files for the different instances (WebSpherePluginConfig), or serve different static files for the different instances (DocumentRoot). Different ports or IP addresses will be used for the different instances.

AIX: Can xlC.rte V7 be used?

IBM HTTP Server readmes and supporting software lists typically specify that xlC.rte 6.0 or higher must be used on AIX V5. xlC.rte V7 is upwardly compatible and can also be used. The specific V7 xlC.rte that has been tested with IBM HTTP Server is xlC.rte 7.0.0.1.

LoadModule order - When/why is it important?

LoadModule order in IBM HTTP Server 2.0 and above

The Apache 2.0 API allows modules to implement one or more hooks to perform initialization or request processing. Here are a few of the hooks which modules can implement:

  • post-read-request (run as soon as the client request has been read)

  • validate user id from request

  • determine MIME type

  • generate the response

  • log the transaction

Occasionally, there are requirements that one module's hook runs before another module's hook. The Apache 2.0 module API allows modules to indicate, for each request processing phase, whether the module should be called first or last, or before or after another specific module. The hook order is defined separately for each hook. For example, a module could indicate that its transaction logger has to run before the transaction logger of other modules, and that its validate-user-id hook must run before that of mod_auth.

When modules don't have specific requirements, or when modules declare when they should run relative to other modules, the LoadModule order is not important. In fact, the LoadModule order can almost always be ignored with IBM HTTP Server 2.0 or above.

When modules have specific requirements for the order in which they run, but they fail to use the proper API to declare the required order to the web server, the user may be able to work around problems by reversing the LoadModule order. There is no clear rule for the specific order of the LoadModule directives for module A and module B in order to make module A's hooks run before those of module B. On some platforms the LoadModule for module A must come first; on other platforms, the LoadModule for module B must come first. There is no guarantee that reversing the LoadModule directives is a permanent change. If the system qsort() implementation in libc changes with system software maintenance or other changes are made to the configuration file, the LoadModule directive might have to be reversed again.

AIX: Why am I unable to unmount filesystem containing files served by IHS (affects HACMP environments)? (IHS 2.0 and above)

IHS 2.0 on AIX normally serves files using the send_file() API. This results in the files being stored in the AIX Network Buffer Cache. This leaves the files open as long as they are in the cache, preventing the underlying filesystem from being cleanly unmounted.

To clear files from the cache and unmount the filesystem:

  • set the size of the network buffer cache to zero temporarily to clear the cache

The old cache size can be displayed by no -o nbc_limit. The cache size can be set to zero by no -o nbc_limit=0.

  • unmount the filesystem

  • restore the previous cache size

no -o nbc_limit=old_value

An important IHS configuration directive which relates to this is the EnableSendfile directive. By setting EnableSendfile Off in the IHS configuration file, IHS won't use the AIX send_file() API, and thus static files served by IHS won't be added to the network buffer cache.

In newer IHS sample configuration files (starting with PQ85834), send_file() is disabled by default to eliminate the possibility that customers may encounter occasional sendfile nuances unless they choose to actually use it.

IHS itself is not aware of which objects are in the network buffer cache and can't remove such objects. Subject to the constraints of the network buffer cache (smallest/largest cacheable object, total size), objects (files) are sometimes added to the cache by the AIX kernel as a side-effect of IHS invoking the AIX send_file() API.

An infrequently used IHS module for AIX is the AFPA cache module. It also interacts with the network buffer cache and should be disabled if the customer does not wish to empty the network buffer cache prior to unmounting a filesystem containing files which were cached.

What about MPM selection and prefork vs. worker? (IHS 2.0 and above)

IBM HTTP Server 2.0 and above uses the worker MPM on Unix and Linux systems, and it cannot be replaced. Any information about Apache that suggests recompiling the web server for a different MPM does not apply to IHS, as the MPM is pre-selected and IHS cannot be recompiled by customers.

In other words, the prefork MPM cannot be used with IBM HTTP Server.

IHS 9.0 and later includes both Event and Worker on Linux. They are dynamically loadable. IHS 8.5 and later on z/OS includes the Event MPM.

Why can't root install GSKit on Solaris?

There are multiple causes for this symptom.

  • cannot open: pkgadd: ERROR: checkinstall script did not complete successfully

    • The IHS server root, or some parent of it, is not world-executable (searchable).
      Solaris runs a package's scripts as the "noaccess" user, and needs to be able to search all directories between the root of the filesystem and the IHS server root.

  • pkgadd: ERROR: checkinstall script did not complete successfully Installation of <gsk7bas> failed (internal error)

    • If a third-party security product (such as eTrust) restricts what root can do, consult the vendor of the security product if the GSKit installation fails.

How can I script the use of the ldapstash command?

ldapstash returns 1 for success and 0 for failure (this is counter to normal conventions).

The stash files created by ldapstash can be transferred between systems using any binary-safe transfer method.
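One way to handle the inverted exit status in a script, shown as an added example that is not IBM-supplied code. LDAPSTASH and ldapstash_ok are hypothetical names, and the arguments are passed to ldapstash unchanged.

```shell
#!/bin/sh
# Added example, not IBM-supplied code. LDAPSTASH and ldapstash_ok are
# hypothetical names; arguments are passed to ldapstash unchanged.
LDAPSTASH="${LDAPSTASH:-ldapstash}"

# ldapstash_ok ARGS...
# Returns 0 only when ldapstash exits 1 (its success code).
# Returns 1 when it exits 0 (its failure code).
# Returns 2 for any other status, such as 126/127 when the binary is
# missing or not executable. A plain "! ldapstash ..." would wrongly
# count those statuses as success.
ldapstash_ok() {
    rc=0
    "$LDAPSTASH" "$@" || rc=$?
    case "$rc" in
        1) return 0 ;;
        0) echo "ldapstash reported failure (exit 0)" >&2
           return 1 ;;
        *) echo "ldapstash did not run normally (exit $rc)" >&2
           return 2 ;;
    esac
}
```

Callers can then use the normal shell idiom, for example `ldapstash_ok "$@" || exit 1`.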

Is mod_proxy_balancer supported?

mod_proxy_balancer is not supported when IHS is licensed/entitled via WebSphere Application Server.

This module is distributed alongside IHS on some platforms for use by WebSphere Community Edition only. It is intentionally excluded from the list of supported Apache modules in the IHS 7.0/8.0/8.5 infocenter.

Note that WebSphere Application Server customers are licensed to use IHS in support of their WebSphere Application Server and not for any other purpose. The WebSphere plugin provides the corresponding function for this purpose, and for other purposes customers should use a dedicated load balancer, caching proxy, or Apache HTTP Server.

Since CE is no longer marketed, releases of IHS after V8R5 are not expected to include this code in any form.

Can IHS use SHA-2 (sha224, sha256, sha384, sha512) digest algorithms?

Refer to this document.

Why won't my IBM HTTP Server service start/stop in my Microsoft Cluster Server (MSCS) environment?

IBM makes no claims of support for the IBM HTTP Server service running in an MSCS environment. The IBM HTTP Server service is a 'generic' service that is unaware of MSCS, and no testing with this environment has taken place. However, Microsoft apparently claims that MSCS will support generic MSCS-unaware services (such as the IHS service) in a limited way.

Any customers attempting to run the IBM HTTP Server service within an MSCS environment should contact Microsoft if they experience problems.

We are aware of one instance of a customer attempting to run the generic IHS service in this environment. In this case the customer had some problems which Microsoft identified as a known defect in the customer's version of Windows 2008 Cluster Service. The MS Cluster Service was mistakenly taking the startup parameter as the service name. Microsoft claims this has since been fixed in the Windows 2008 R2 version of the code. We are unaware of what other versions may have the same issue. Microsoft was able to provide a workaround solution that seemed to resolve this particular customer's problem. This workaround solution was to clear out the startup parameters.
For this customer, the command to do this was similar to:
Cluster res "IBM HTTP Server 6.1" /priv startupparameters=""

Any direct support for the MSCS environment by IBM HTTP Server would be a new requirement.

IM: Do I need to uninstall interim fixes before applying fixpack maintenance?

Interim fixes do not need to be uninstalled prior to applying fixpack maintenance. The IBM Installation Manager will display a warning at the top of the window if it will uninstall any interim fixes. The warning is displayed below:

[Image: ifix-removal-warning.png]

Example: Applying an interim fix for PI31516 on versions 8.5.5.2 - 8.5.5.5

There are two interim fixes for PI31516:

  • 8.5.5.2-WS-WASIHS-MultiOS-IFPI31516: covers IHS fixpacks 8.5.5.2 and 8.5.5.3

  • 8.5.5.4-WS-WASIHS-MultiOS-IFPI31516: covers IHS fixpacks 8.5.5.4

The fix for PI31516 also went into IHS fixpack 8.5.5.5.

| Scenario | User Action |
|---|---|
| Installing the iFix on 8.5.5.2 and then upgrading to 8.5.5.3 | iFix was automatically reinstalled; no action needed |
| Installing the iFix on 8.5.5.3 and then upgrading to 8.5.5.4 | iFix was uninstalled; iFix needs to be applied again |
| Installing the iFix on 8.5.5.4 and then upgrading to 8.5.5.5 | iFix was uninstalled; no action needed since fix is available in 8.5.5.5 |