mod_backdoor

mod_backdoor for IHS 2.0 provides an alternate way of sending requests to the web server when IHS is not responding to requests on its normal ports. (This unresponsive condition can occur when all configured IHS threads are waiting for a response from another server, such as an application server or LDAP server.)

The administrator can use this "back door" into IHS to see mod_status reports or make any other request when necessary. It is recommended that some form of access control be enabled for the "back door" so that the port is not overrun by other clients. Only one thread will be available to handle requests sent to the "back door" port.

Supported server versions:

IHS 2.0.42 and above on AIX and Linux (x86)

(Some other platforms are expected to be supported in the future.)

IBM recommendation

Enable this module if occasional unresponsive periods have occurred and a mechanism is needed to view mod_status reports during these periods.

Such reports from mod_status are most useful if the ExtendedStatus directive is set to on.

mod_status must be configured separately. mod_backdoor does not provide a status display on its own.

Special limitations of this module

The Apache module API does not currently support some operations which are needed by mod_backdoor. This leads to the following limitations:

  • mod_backdoor can't continue functioning after a restart of the server; if "apachectl restart" or "apachectl graceful" or equivalent signal occurs, mod_backdoor will be disabled and an error message will be written to the IHS error log (normal features are not impacted by this limitation)
  • for the purposes of web server status, mod_backdoor pretends to be the last possible IHS worker thread; to avoid collision with a real worker thread, make sure that one of these conditions is met in the IHS configuration file:
    1. ThreadsPerChild is less than ThreadLimit (which defaults to 64)
    2. MaxClients divided by ThreadsPerChild is less than ServerLimit (which defaults to 16)

    mod_backdoor has not been tested with SSL connections, so don't enable SSL for the mod_backdoor port. (Normal SSL use is fine.)

    Installation

    Copy mod_backdoor.so for your platform to the modules directory in the web server installation location (e.g., to /opt/IBMIHS/modules).

    Activation

    Add the following directives at the end of your configuration file:

    loadmodule backdoor_module modules/mod_backdoor.so
    <IfModule mod_backdoor.c>
    BackdoorAddress 0.0.0.0:65535
    </IfModule>
    
    (or change "65535" to the desired listening port)

    Access control may also be appropriate, to ensure that mod_backdoor is not overrun with requests during periods where the administrator needs to use it to obtain status. Here is an example:

    <VirtualHost *:65535>
    <location />
    order deny,allow
    # in this example, the "back door" can only be used over the loopback
    # interface; thus, the administrator would have to use a browser
    # on the same machine as IHS
    allow from 127.0.0.1
    deny from all
    </location>
    </VirtualHost>
    

    Restart the server so that the updated configuration takes effect.

    Deactivation

    Comment out the LoadModule directive added as part of the activation step.

    Restart the server so that the updated configuration takes effect.