Bug#846288: apache2: Directory indexes painfully slow when using basic auth
Package: apache2
Version: 2.4.23-8
Severity: normal
Dear Maintainer,
I am using apache2 on a NAS with a very weak CPU. I have storing roughly
1000 images and subfolders in a folder, and am using Options +Indexes to
read the list of files / directories. Getting the list up is painfully
slow, and eventually fails if the folder is large enough.
Apache config, edited to remove domain name:
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<VirtualHost *:80>
ServerName foo.example.com
ServerAdmin webmaster@example.com
DocumentRoot /srv
ErrorLog ${APACHE_LOG_DIR}/foo.error.log
CustomLog ${APACHE_LOG_DIR}/foo.access.log combined
DirectoryIndex index.html
<Directory /srv/>
Options Indexes FollowSymlinks
AllowOverride None
Require all granted
</Directory>
<Location />
AuthType Basic
AuthName "Access to top secret foo"
AuthUserFile /etc/apache2/htpasswd
Require valid-user
</Location>
</VirtualHost>
I tried doing a strace on the apache process while the page was loading.
Excerpt, censoring actual username, password hash:
stat64("/srv/Images/IMG_20161013_082911/index.html", 0xbeea5408) = -1 ENOENT (No such file or directory)
lstat64("/srv", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/srv/felles", {st_mode=S_IFDIR|S_ISGID|0775, st_size=4096, ...}) = 0
lstat64("/srv/felles/Bilder", {st_mode=S_IFDIR|S_ISGID|0775, st_size=4096, ...}) = 0
lstat64("/srv/Images", {st_mode=S_IFDIR|S_ISGID|0755, st_size=69632, ...}) = 0
lstat64("/srv/Images/IMG_20161013_082911", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/srv/Images/IMG_20161013_082911/index.html", 0xbeea5408) = -1 ENOENT (No such file or directory)
open("/etc/apache2/htpasswd", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 19
fstat64(19, {st_mode=S_IFREG|0640, st_size=313, ...}) = 0
read(19, "foo:$6$XXXXXXXX$XXXXXXXXXXXXXXX"..., 4096) = 313
close(19) = 0
lstat64("/srv/Images/IMG_20161014_173243.jpg", {st_mode=S_IFREG|0755, st_size=4159526, ...}) = 0
lstat64("/srv/Images/IMG_20161014_173243.jpg", {st_mode=S_IFREG|0755, st_size=4159526, ...}) = 0
open("/etc/apache2/htpasswd", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 19
fstat64(19, {st_mode=S_IFREG|0640, st_size=313, ...}) = 0
read(19, "foo:$6$XXXXXXXX$XXXXXXXXXXXXXXX"..., 4096) = 313
close(19) = 0
lstat64("/srv/Images/IMG_20160920_172913.jpg", {st_mode=S_IFREG|0755, st_size=3290253, ...}) = 0
lstat64("/srv/Images/IMG_20160920_172913.jpg", {st_mode=S_IFREG|0755, st_size=3290253, ...}) = 0
open("/etc/apache2/htpasswd", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 19
fstat64(19, {st_mode=S_IFREG|0640, st_size=313, ...}) = 0
read(19, "foo:$6$XXXXXXXX$XXXXXXXXXXXXXXX"..., 4096) = 313
i.e. it's reading the htpasswd file for every file and subfolder in the
folder, and probably doing the password check for each of them. It's
also looking for an index.html under each subfolder, but that's probably
a separate issue and/or configurable.
-- Package-specific info:
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: armhf (armv7l)
Kernel: Linux 4.7.0-1-armmp (SMP w/1 CPU core)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apache2 depends on:
ii apache2-bin 2.4.23-8
ii apache2-data 2.4.23-8
ii apache2-utils 2.4.23-8
ii dpkg 1.18.15
ii init-system-helpers 1.46
ii lsb-base 9.20161101
ii mime-support 3.60
ii perl 5.24.1~rc3-3
pn perl:any <none>
ii procps 2:3.3.12-3
Versions of packages apache2 recommends:
ii ssl-cert 1.0.38
Versions of packages apache2 suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2-bin depends on:
ii libapr1 1.5.2-4
ii libaprutil1 1.5.4-2
ii libaprutil1-dbd-sqlite3 1.5.4-2
ii libaprutil1-ldap 1.5.4-2
ii libc6 2.24-5
ii libldap-2.4-2 2.4.44+dfsg-1
ii liblua5.2-0 5.2.4-1.1+b1
ii libnghttp2-14 1.16.0-1
ii libpcre3 2:8.39-2
ii libssl1.0.2 1.0.2j-4
ii libxml2 2.9.4+dfsg1-2.1
pn perl:any <none>
ii zlib1g 1:1.2.8.dfsg-2+b3
Versions of packages apache2-bin suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2 is related to:
ii apache2 2.4.23-8
ii apache2-bin 2.4.23-8
-- Configuration Files:
/etc/apache2/sites-available/000-default.conf changed [not included]
-- no debconf information
Reply to: