SiteMinder : Access Gateway "Limit Incoming Connections"

Article ID: 49213


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

This article explains how to limit incoming connections to a Secure Proxy Server (SPS) instance. This is done through the core Multi-Processing Module (MPM) that the Apache httpd bundled with SPS is built with.

Environment

Release: R12.8.x
Component: SMSPS

Resolution


The administrator controls incoming connections to SPS through the configuration parameters listed below. These are the standard Apache MPM directives for this purpose.

The parameters an administrator can configure, per platform, are:

Platform | Platform-specific MPM module | Parameters
Windows | mpm_winnt | ThreadsPerChild, MaxRequestsPerChild
RHEL and Solaris | worker | StartServers, MaxClients, MinSpareThreads, MaxSpareThreads, ThreadsPerChild, MaxRequestsPerChild


An administrator can set these parameters either through the SPS UI or by editing the file on disk (<SPS_INSTALL_LOCATION>\secure-proxy\httpd\conf\extra\httpd-mpm.conf).

The sections below describe the parameters available for each MPM module:

WinNT MPM for Windows Platform:

This MPM is the default for the Windows NT operating systems. It uses a single control process which launches a single child process which in turn creates threads to handle requests.

Parameters available under this module are:

Parameter | Default value | Description
ThreadsPerChild | 150 | Number of worker threads in the server process.
MaxRequestsPerChild | 0 | Maximum number of requests a server process serves. Zero means unlimited.


Worker MPM for the RHEL and Solaris platforms:

This MPM implements a hybrid multi-process multi-threaded server. By using threads to serve requests, it is able to serve a large number of requests with fewer system resources than a process-based server. However, it retains much of the stability of a process-based server by keeping multiple processes available, each with many threads.

Parameter | Default value | Description
StartServers | 2 | Initial number of server processes to start
MaxClients | 150 | Maximum number of simultaneous client connections
MinSpareThreads | 25 | Minimum number of worker threads which are kept spare
MaxSpareThreads | 75 | Maximum number of worker threads which are kept spare
ThreadsPerChild | 25 | Constant number of worker threads in each server process
MaxRequestsPerChild | 0 | Maximum number of requests a server process serves (zero means unlimited)


The most important directives used to control this MPM are:

ThreadsPerChild: controls the number of threads deployed by each child process.

MaxClients: controls the maximum total number of threads that may be launched.

An administrator may want to lower the maximum number of clients (MaxClients) if the server does not have enough memory to handle 150 Apache instances at one time.

MaxRequestsPerChild works differently: when a child process reaches that limit, it is shut down and replaced with a fresh copy. A high value such as 1000 (or even more) will not affect web server operation but will help if an Apache module has a memory leak. Note that when the Keep-Alive feature (which allows many requests to be performed over a single network connection) is used, all requests performed over a single Keep-Alive connection are counted as one for the purposes of MaxRequestsPerChild.

All the configuration parameters discussed above live in the file httpd-mpm.conf, located by default at <SPS_INSTALL_LOCATION>\secure-proxy\httpd\conf\extra\httpd-mpm.conf. They ship with the default values described above, and an administrator can adjust them as needed.

Apart from the above, the following directives (shown with their default Apache values) define how long the server will wait for a slow client:

Parameter | Default value | Description
TimeOut | 300 | Wait up to 300 seconds for slow clients
KeepAlive | On | Allow connections to be reused between requests
MaxKeepAliveRequests | 100 | Allow a maximum of 100 requests per connection
KeepAliveTimeout | 15 | Wait up to 15 seconds for the next request on an open connection


The following directives impose limits on various aspects of an HTTP request:

Parameter | Default value | Description
LimitRequestBody | 0 | Impose no limit on the request body
LimitRequestFields | 100 | Allow up to 100 headers in a request
LimitRequestFieldSize | 8190 | Each header may be up to 8190 bytes long
LimitRequestLine | 8190 | First line of the request can be up to 8190 bytes long
LimitXMLRequestBody | 10000 | Limit an XML request body to 10000 bytes (Apache 2.x only)


LimitXMLRequestBody is an Apache 2 directive used by the mod_dav module to limit the size of its (XML-based) command requests. Since the maximum request body size is unlimited by default (2 GB in practice), you may wish to set a more sensible value for LimitRequestBody. It can go as low as 64 KB if the installation does not need to support file uploads.
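To sanity-check an httpd-mpm.conf edit before rolling it out, here is an added Python example (not CA's or Apache's own code) covering the worker MPM parameters and the LimitRequestBody setting discussed above. The directive block it parses is constructed at the article's default values; the rounding and spare-thread rules it checks are Apache httpd's own for the worker MPM.

```python
import re

# Constructed sample, not a file from an SPS install: a worker MPM block and
# LimitRequestBody at the defaults listed in the article.
DEFAULT_CONF = """<IfModule mpm_worker_module>
    StartServers          2
    MaxClients          150
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>
LimitRequestBody 0
"""

def parse_directives(conf: str) -> dict:
    """Directive name (lower-cased; httpd names are case-insensitive) -> value."""
    out = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):      # blank line or <IfModule> tag
            continue
        name, _, value = line.partition(" ")
        out[name.lower()] = value.strip()         # later occurrence wins, as in httpd
    return out

def set_directive(conf: str, name: str, value: str) -> str:
    """Return conf with the value of an existing directive replaced in place."""
    pat = re.compile(rf"^(\s*{name}\s+)\S+", re.IGNORECASE | re.MULTILINE)
    return pat.sub(lambda m: m.group(1) + value, conf)

def effective_worker_limits(d: dict) -> tuple:
    """(child processes, concurrent connections) the worker MPM will actually run."""
    tpc = int(d["threadsperchild"])
    procs = int(d["maxclients"]) // tpc           # httpd rounds MaxClients down
    return procs, procs * tpc

def audit(conf: str) -> list:
    """Findings worth raising before the file is deployed."""
    d = parse_directives(conf)
    eff = effective_worker_limits(d)[1]
    findings = []
    if eff != int(d["maxclients"]):
        findings.append(f"MaxClients is not a multiple of ThreadsPerChild; httpd lowers it to {eff}")
    if int(d["maxsparethreads"]) < int(d["minsparethreads"]) + int(d["threadsperchild"]):
        findings.append("MaxSpareThreads is below MinSpareThreads + ThreadsPerChild; httpd raises it")
    if int(d.get("limitrequestbody", "0")) == 0:
        findings.append("LimitRequestBody 0: request body size is unlimited (2 GB in practice)")
    return findings
```

With the defaults, the only finding is the unlimited request body; lowering MaxClients to 100 and LimitRequestBody to 65536 (64 KB) with set_directive yields a clean audit and four child processes.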