GoFuckYourself.com - Adult Webmaster Forum

GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   Running Apache w/o nginx? Beware! (https://gfy.com/showthread.php?t=1035541)

just a punk 08-25-2011 05:14 AM

Running Apache w/o nginx? Beware!
 
The killapache.pl script launches the following simple request in a few threads:

Quote:

GET / HTTP/1.1
Host: example.com
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,<...>,5-1299,5-1300
Accept-Encoding: gzip
Connection: close

And if there is no nginx installed, your Apache server will easily be laid down.

http://habrastorage.org/storage1/431...5/03bcfdce.png

Here is a simple command to check if your server is vulnerable:

Quote:

curl -I -H "Range: bytes=0-1,0-2" -s yourserver.com/robots.txt | grep Partial

If you received 206 Partial Content, you are in big trouble.

just a punk 08-25-2011 05:18 AM

http://www.gossamer-threads.com/lists/apache/dev/401638

Babaganoosh 08-25-2011 06:02 AM

Looks like many of mine are vulnerable. On my dev server I get the message "Host does not seem vulnerable" after disabling mod_deflate.


Edit: never mind... looks like a fluke. Still vulnerable.

Klen 08-25-2011 06:18 AM

What is this "apache" you are speaking of :1orglaugh

just a punk 08-25-2011 06:25 AM

Quote:

Originally Posted by KlenTelaris (Post 18379257)
What is this "apache" you are speaking of :1orglaugh

http://www.sonofthesouth.net/america...renegade-2.jpg

Babaganoosh 08-25-2011 06:37 AM

Haha just crashed my dev server with the tool.

http://i282.photobucket.com/albums/k...ection_002.png

Klen 08-25-2011 06:42 AM

Quote:

Originally Posted by Babaganoosh (Post 18379284)
Haha just crashed my dev server with the tool.

http://i282.photobucket.com/albums/k...ection_002.png

Huh, some of the largest tube sites are still running on apache.... Makes me wonder....

Babaganoosh 08-25-2011 06:44 AM

Quote:

Originally Posted by KlenTelaris (Post 18379290)
Huh, some of the largest tube sites are still running on apache.... Makes me wonder....

After checking a few of them I am 100% confident that I could drop them all within a couple of minutes.

Klen 08-25-2011 06:46 AM

Quote:

Originally Posted by Babaganoosh (Post 18379291)
After checking a few of them I am 100% confident that I could drop them all within a couple of minutes.

Can you do it just for fun :1orglaugh

Babaganoosh 08-25-2011 06:47 AM

Quote:

Originally Posted by KlenTelaris (Post 18379296)
Can you do it just for fun :1orglaugh

haha no way, I never mess with someone else's stuff. :1orglaugh

If they had ever stolen content from me and if I couldn't be prosecuted where I live...maybe.

fuzebox 08-25-2011 07:28 AM

Workaround:

Code:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]

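The posted RewriteCond is a regex that fires on any Range value carrying two or more byte ranges, which is why it stops the flood pattern from the first post but also rejects an ordinary two-range request such as the one in the curl check. The Python below is an added example, not code from this thread, from the killapache.pl tool or from the Apache project: it reproduces the RewriteCond's regex, parses a Range header properly, and shows a bounded policy next to the blanket one. The limit MAX_RANGES and the helper names are assumptions for illustration, and the flood header is constructed to follow the shape shown in the first post rather than being the tool's literal output.

```python
import re
from typing import List, Optional, Tuple

# Mirrors the RewriteCond from the post above: any Range value that carries two
# or more "a-b" specs matches, whatever the count, so the [F] rule 403s it.
THREAD_RULE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")

# Hypothetical policy limit (an assumption, not a value from the thread): how
# many ranges one request may ask for before it is treated as abusive.
MAX_RANGES = 5


def thread_rule_blocks(range_header: str) -> bool:
    """True when the thread's RewriteCond would match and forbid the request."""
    return THREAD_RULE.search(range_header) is not None


def parse_ranges(range_header: str) -> List[Tuple[Optional[int], Optional[int]]]:
    """Parse 'bytes=a-b,c-,-d' into (start, end) pairs; None marks an open side.

    Raises ValueError for anything that is not a syntactically valid byte-range set.
    """
    unit, sep, spec = range_header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("unsupported or missing range unit")
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        m = re.fullmatch(r"(\d*)-(\d*)", part)
        if m is None or part == "-":
            raise ValueError(f"malformed range spec: {part!r}")
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges


def assess(range_header: str, max_ranges: int = MAX_RANGES) -> Tuple[str, int, int]:
    """Bounded alternative to the blanket rule.

    Returns (verdict, range_count, backwards_count); verdict is "allow" or
    "reject". A request is rejected when it is unparsable, asks for more than
    max_ranges ranges, or contains a range whose start lies after its end
    (such as "5-0"), which normal clients never send but the flood is full of.
    """
    try:
        ranges = parse_ranges(range_header)
    except ValueError:
        return ("reject", 0, 0)
    backwards = sum(1 for s, e in ranges if s is not None and e is not None and s > e)
    if len(ranges) > max_ranges or backwards > 0:
        return ("reject", len(ranges), backwards)
    return ("allow", len(ranges), backwards)


def flood_header(n: int = 1300) -> str:
    """Constructed sample following the pattern in the first post:
    'bytes=0-,5-0,5-1,...,5-<n>'. Not the tool's literal output."""
    return "bytes=0-," + ",".join(f"5-{i}" for i in range(n + 1))


if __name__ == "__main__":
    samples = {
        "single range (normal download resume)": "bytes=0-1023",
        "two ranges (the curl check in the first post)": "bytes=0-1,0-2",
        "suffix range (last 500 bytes)": "bytes=-500",
        "flood pattern": flood_header(),
    }
    for label, hdr in samples.items():
        verdict, count, backwards = assess(hdr)
        print(f"{label:48s} blanket rule blocks={str(thread_rule_blocks(hdr)):5s} "
              f"bounded policy={verdict} ranges={count} backwards={backwards}")
```

Running it shows the difference that matters for the streaming question raised in the thread: the blanket rule and the bounded policy both reject the 1302-range flood, but only the blanket rule also forbids the harmless two-range request, while single and suffix ranges pass both. Counting ranges and rejecting backwards ones is the same idea the rewrite rule expresses, just with a threshold a streaming host can live with.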

Babaganoosh 08-25-2011 07:32 AM

Quote:

Originally Posted by fuzebox (Post 18379376)
Workaround:

Code:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]



That will break streaming, won't it?

fuzebox 08-25-2011 07:48 AM

Quote:

Originally Posted by Babaganoosh (Post 18379391)
That will break streaming, won't it?

Yes I suppose it could. My streaming is done via lighttpd, so it doesn't bother me.

Babaganoosh 08-25-2011 08:16 AM

Quote:

Originally Posted by fuzebox (Post 18379417)
Yes I suppose it could. My streaming is done via lighttpd, so it doesn't bother me.

It works on the domains I don't stream on and that's what really matters to me. My low-traffic, high income sites aren't vulnerable anymore. I have some blogs that stream from media.domain.com but as long as nobody targets the server those subdomains are on I guess I am ok. :1orglaugh

This hack freaks me out. This is the first one I have been vulnerable to EVER.:(

Klen 08-25-2011 08:22 AM

Quote:

Originally Posted by Babaganoosh (Post 18379482)
It works on the domains I don't stream on and that's what really matters to me. My low-traffic, high income sites aren't vulnerable anymore. I have some blogs that stream from media.domain.com but as long as nobody targets the server those subdomains are on I guess I am ok. :1orglaugh

This hack freaks me out. This is the first one I have been vulnerable to EVER.:(

Feel free to send me your domains if you want me to test whether they are vulnerable or not :1orglaugh

raymor 08-25-2011 09:22 AM

A working patch is already available, though it will be improved in the next few days.

raymor 08-25-2011 09:37 AM

I gotta chuckle at the nginx fanboy who's never heard of noatime using this to pitch nginx.
It's a little like suggesting that people avoid the latest Vista bug by running Windows 95, isn't it.

just a punk 08-25-2011 09:41 AM

Not at all. The wise ppl. use Apache as the main server. nginx should be used for static content only.

Klen 08-25-2011 12:53 PM

Quote:

Originally Posted by cyberxxx (Post 18379705)
Not at all. The wise ppl. use Apache as the main server. nginx should be used for static content only.

It is a common recommendation, but there is simply no need for it since nginx can do almost anything apache does, including CGI. Plus it does even some non-optimization related things better than apache.

Klen 08-25-2011 12:55 PM

Quote:

Originally Posted by raymor (Post 18379700)
I gotta chuckle at the nginx fanboy who's never heard of noatime using this to pitch nginx.
It's a little like suggesting that people avoid the latest Vista bug by running Windows 95, isn't it.

Just for the record, I'm using noatime along with nginx plus many other optimization methods which you clueless noob probably never heard of.

Babaganoosh 08-25-2011 01:11 PM

Quote:

Originally Posted by KlenTelaris (Post 18380171)
Just for the record, I'm using noatime along with nginx plus many other optimization methods which you clueless noob probably never heard of.

Why do you think you need nginx?

Klen 08-25-2011 01:30 PM

Quote:

Originally Posted by Babaganoosh (Post 18380199)
Why do you think you need nginx?

It's simply my personal choice, and also way, way easier to manage than apache. While you can reduce load on apache by stripping modules and its configuration, on nginx it's enough to install it and it already works better than optimized apache, not to mention you can optimize it further from there too. I mean seriously, why would I bother with apache if on nginx I have everything I need, everything works there and I never have any problem, unlike on apache which was a constant issue till I went to nginx 4 years ago. Also, currently nginx is not the champion when it comes to load optimization, there is one even better solution, but for my traffic levels nginx does the job.

fris 08-25-2011 05:53 PM

If gzip is disabled it doesn't affect it.

raymor 08-25-2011 06:37 PM

Digging through the nginx code and testing, I found the apparent advantage for nginx was simply that it basically forces noatime as one of its bugs.
In our testing, Apache beats nginx + Apache as long as you use noatime. Just as you'd expect from profiling either, the time is spent on io, so Apache by itself is just as fast as nginx by itself. Neither can magically make the disks faster. Alternatively, if you don't want noatime, nginx is a non-starter because it skips atime updates whether you like it or not.

