mod_whatkilledus

Introduction

The purpose of mod_whatkilledus is to log as much information as possible about the crash in order to speed up diagnosis as well as to allow the triggers of different crashes to be easily compared in order to determine if they need to be investigated individually. The module is typically used in production while investigating unresolved crashes, or in development and test environments as a proactive measure.

The primary information created by mod_whatkilledus is a log of basic technical information about the crash and the original client request which triggered the crash. In addition, a backtrace showing the point of failure is included if mod_backtrace is enabled.

• Overview (read this first)
• mod_backtrace documentation

Supported platforms

• Windows Vista or Windows Server 2008 and newer
• any Unix or similar platform for which Apache httpd implements the exception hook (e.g., Linux, FreeBSD, Solaris, Mac OS X, AIX, HP-UX)

Building and enabling mod_whatkilledus

• Quick start guide

Important security considerations

In the event of a crash, much of the information that the client sent to the server can be logged by mod_whatkilledus. This may include very sensitive information such as passwords and session cookies and more, and the presence of that information in the log file is potentially harmful depending on who has access to the log file and how it is retained.

mod_whatkilledus provides mechanisms to obscure or omit most types of sensitive information, though this introduces a small chance that the missing information would have been needed to solve the crash.

The WKUObscureInRequest directive provides a mechanism for obscuring most sensitive information, and the basic configuration recommended in the quick start guide applies to some common scenarios. However, you are responsible for determining if this protection is sufficient and/or whether or not log files are protected appropriately for your applications and deployment environment.

• Further discussion about logging of such information on the Apache httpd developer's mailing list

The safest course of action is to:

• Enable mod_whatkilledus on production systems only while capturing information for problems being investigated.
• Use mod_whatkilledus features to obscure known sensitive information.
• Carefully handle the mod_whatkilledus log file:
  • Inspect the information logged to check for other sensitive information.
  • Ensure that access to the log file is restricted and is not retained longer than necessary.
  • Be aware of exactly what is in log files which are provided to vendors or other parties using the information for problem diagnosis.

mod_whatkilledus may be enabled permanently as a proactive measure in some environments, such as development, test, or production deployments without concerns about sensitive information.

Detailed configuration information

WKUObscureInRequest directive

Normally mod_whatkilledus will log the request line and all other request information other than the request body. This directive can be used to omit or obscure some of that information which may be sensitive. (Refer to the security notes above.)

Default value: none

Arguments:

user

Obscure the user field in the request URL, if present. The unparsed-line argument should also be specified.

password

Obscure the password field in the request URL, if present. The unparsed-line argument should also be specified.

query

Obscure the query argument in the request URL, if present. The unparsed-line argument should also be specified.

unparsed-line

Hide the original request line. unparsed-line must be specified if any of the fields in the URL are obscured.

parsed-line

Hide the parsed form of the request line. This should not be specified if any of the URL fields are being obscured.

hdr:request-header

Obscure the value of any arbitrary request headers by prefixing the header name with hdr:.

Example:

WKUObscureInRequest hdr:Authorization hdr:Cookie hdr:Proxy-Authorization query unparsed-line

In this example, the values of the Authorization, Cookie, and Proxy-Authorization request headers, if present, will be obscured with asterisks. Additionally, the query argument in the URL will be obscured with asterisks and the original, unparsed request line will be omitted.

WKULogfile directive (new in 2.01)

This overrides the default log file name for the whatkilledus log, discussed in the next section.

Example:

WKULogfile logs/whatkilledus-server2.log

WKUDisableWindowsErrorBox (Windows platform only, new in 2.01)

Setting this directive to On disables the system pop-up error handling dialog after a child process crash, which allows the server to automatically recover and handle new clients. (An alternative to this httpd-specific setting is a Windows registry setting; it has more capabilities, such as enabling a user dump, but it affects all applications.)

Example:

WKUDisableWindowsErrorBox On

Log file

In the event of a crash, the report will be written to the file whatkilledus_log (.log on Windows) in the server logs directory.

Refer to the quick start guide for an example report.