March 2010

DD-WRT: traffic mirroring with iptables

15.03.2010

To mirror traffic with iptables, you can use a rule of the following form:

iptables -t mangle -I FORWARD -j ROUTE --tee --gw XX.XX.XX.XX

With this rule, all traffic passing through the FORWARD chain (i.e. routed through this box) is copied (tee) to the IP address (XX.XX.XX.XX) of the remote machine (gw).

The only drawback: the remote machine must be in the same subnet as this box.

Ubuntu 10.04: window controls are now on the left

13.03.2010

In 10.04 the window control buttons (minimize, maximize, close) were moved to the left …
I wasn't too happy about that…
You can put everything back in gconf-editor:
change the key /apps/metacity/general/button_layout to :minimize,maximize,close

The colon is what determines which side the buttons are aligned to.

Perl

07.03.2010

Proc::Daemon: daemonizes a process; call Proc::Daemon::Init

apache multiuser

07.03.2010

The apache-mpm-itk module

Configuration

The new configuration settings compared to the prefork MPM are:

  • AssignUserID: Takes two parameters, uid and gid (or really, user name and group name); specifies what uid and gid the vhost will run as (after parsing the request etc., of course). Note that if you do not assign a user ID, the default one from Apache will be used.
  • MaxClientsVHost: A separate MaxClients for the vhost. This can be useful if, say, half of your vhosts depend on some NFS server (like on our setup); if the NFS server goes down, you do not want the children waiting forever on NFS to take the non-NFS-dependent hosts down. This can thus act as a safety measure, giving «server too busy» on the NFS-dependent vhosts while keeping the other ones happily running. (Of course, you could use it to simply keep one site from eating way too much resources, but there are probably better ways of doing that.)
  • NiceValue: Lets you nice some requests down, to give them less CPU time.

AssignUserID and NiceValue can be set wherever you’d like in the Apache configuration, except in .htaccess. MaxClientsVHost can only be set inside a VirtualHost directive.
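
An added example (not from the mpm-itk documentation or the original post) showing the three directives used to separate two virtual hosts by uid. The host names, paths, user/group names and limits are assumptions chosen for illustration:

```apache
# Constructed example: every name, path and number below is an assumption.
# There is deliberately no <IfModule> wrapper: if mpm-itk is not the active
# MPM, Apache rejects the unknown directives at startup instead of silently
# serving both sites under the default Apache user.

<VirtualHost *:80>
    ServerName site1.example.com
    # Assumed layout: directory owned by site1, not readable by site2
    DocumentRoot /srv/www/site1

    # After the request is parsed, the child handling it runs as site1:site1
    AssignUserID site1 site1

    # This site depends on NFS: cap its children so that a hung NFS server
    # cannot tie up every worker and take the other vhost down with it.
    MaxClientsVHost 30
</VirtualHost>

<VirtualHost *:80>
    ServerName site2.example.com
    DocumentRoot /srv/www/site2

    # A different uid/gid, so a compromised script on site1 cannot read
    # or modify files that only site2 owns.
    AssignUserID site2 site2
    MaxClientsVHost 60

    # Run this vhost's requests at lower CPU priority
    NiceValue 10
</VirtualHost>

# A vhost without AssignUserID falls back to the default Apache user,
# so every vhost that needs isolation must set it explicitly.
```

Because MaxClientsVHost is only valid inside a VirtualHost block, the per-site limits have to be repeated in each vhost rather than set once globally.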

Quirks and warnings

Since mpm-itk has to be able to setuid(), it runs as root (although restricted with POSIX capabilities where possible) until the request is parsed and the vhost determined. This means that any security hole before the request is parsed will be a root security hole. (The most likely place is probably in mod_ssl.) This is not going to change in the near future, as the most likely alternative solution (socket passing and its variants) is very hard to get to work properly in a number of common use cases, like SSL.

The lack of socket passing also leads to another minor quirk: if you connect to httpd, make a request and then make a request on the same connection that gets handled by a different uid, mpm-itk simply shuts down the connection. This is perfectly legal according to RFC2616, and all major clients seem to handle it well; the web server simply simulates a timeout, and the client just opens a new connection and retries the request. However, there is a small performance hit, and thus you should avoid including content from multiple uids in the same page.

Note that mpm-itk is experimental software; and we’ve done a fair amount of stress testing, but it’s nowhere as tested as, say, prefork. That being said, it’s being run in production at several sites in the world, both hobbyist and commercial, some as large as ~10 million hits a day.

People have reported issues with mpm-itk and mod_python, mod_ruby and FastCGI. I believe the mod_python and FastCGI problems have been largely solved by updates to those packages, but as I use neither, I can’t really guarantee anything. YMMV, test before use.