You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Rainer Jung <ra...@kippdata.de> on 2011/06/18 21:57:36 UTC
Re: [users@httpd] Apache returns 200 to client in case of proxytimeout
On 16.06.2011 08:35, Moshe Ben-Shoham wrote:
> But this is not the case - the request was perfectly OK, just took the backend server too long to handle (note that I am less worried about bogus requests because this Apache is behind firewall and only serves requests coming from another component in the system, which is under our control).
>
> I would like to focus on my original question: Why did Apache return 200 to the client in case of proxy timeout?
It could be because of CVE-2010-2068, which was fixed in 2.2.16. Please
try again with 2.2.latest.
You should also fix your configuration before restesting. Read the most
recent online docs about workers in mod_proxy carefully.
I expect that your ProxySet seetings are not functional the way you
configured them.
Regards,
Rainer
> From: Jeroen Geilman [mailto:jeroen@adaptr.nl]
> Sent: Wednesday, June 15, 2011 10:19 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Apache returns 200 to client in case of proxy timeout
>
> On 06/15/2011 09:32 AM, Moshe Ben-Shoham wrote:
> Hi,
>
> Thanks for the comment about the ProxyMatch syntax. I will look into it, although it works.
>
> Regarding the proxy hit, I know for sure that the request should be proxied because is usually does. It matches the following rewrite rule (again, URL was changed):
>
> RewriteRule ^/x/y(.*) http://localhost:9003$1 [P]
>
> In addition, every time the timeout occurs, I see the following message in the Apache error log, exactly 300 seconds after the request arrives:
>
> [Sat Jun 11 09:00:54 2011] [error] [client 192.168.131.11] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : proxy: error reading status line from remote server localhost
>
>
> It means what it says.
>
> Your rule allows bogus constructions like http://localhost:9003002001/foobar/.
>
> ALWAYS include slashes at ambiguous locations!
>
>
>
>
> Thanks,
> Moshe Ben Shoham
> Perfecto Mobile
>
> From: Jeroen Geilman [mailto:jeroen@adaptr.nl]
> Sent: Wednesday, June 15, 2011 10:18 AM
> To: users@httpd.apache.org<ma...@httpd.apache.org>
> Subject: Re: [users@httpd] Apache returns 200 to client in case of proxy timeout
>
> On 06/15/2011 08:52 AM, Moshe Ben-Shoham wrote:
> Hi,
>
> We're using Apache 2.2.15, with mod_proxy_http for proxying requests to backend processes.
>
> Here's the relevant configuration we use:
>
> <ProxyMatch http://localhost:9001>
>
> That is not valid syntax for ProxyMatch, which requires a regular expression.
> Please see http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxymatch for details.
>
>
> ProxySet smax=5 max=20 ttl=120 keepalive=On
> </ProxyMatch>
>
> Hence, the value of "timeout" is 300 seconds. When the timeout occurs, we see Apache returning 200 to the client (just changed the URL):
>
> 1181: 192.168.131.11 - - [11/Jun/2011:10:58:53 +0100] "POST /x/y/z HTTP/1.1" 200 - 300515625
>
>
> No way to know that the proxy is being hit.
>
>
>
>
>
> Is that the expected behavior? I would expect an error code, maybe 504.
>
> Thanks,
> Moshe Ben Shoham
> Perfecto Mobile
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Apache returns 200 to client in case of proxytimeout
Posted by Rainer Jung <ra...@kippdata.de>.
On 18.06.2011 21:57, Rainer Jung wrote:
> On 16.06.2011 08:35, Moshe Ben-Shoham wrote:
>> But this is not the case - the request was perfectly OK, just took the backend server too long to handle (note that I am less worried about bogus requests because this Apache is behind firewall and only serves requests coming from another component in the system, which is under our control).
>>
>> I would like to focus on my original question: Why did Apache return 200 to the client in case of proxy timeout?
>
> It could be because of CVE-2010-2068, which was fixed in 2.2.16. Please
> try again with 2.2.latest.
Forgot to ask: what's your platform? Windows?
> You should also fix your configuration before restesting. Read the most
> recent online docs about workers in mod_proxy carefully.
>
> I expect that your ProxySet seetings are not functional the way you
> configured them.
>
> Regards,
>
> Rainer
>
>> From: Jeroen Geilman [mailto:jeroen@adaptr.nl]
>> Sent: Wednesday, June 15, 2011 10:19 PM
>> To: users@httpd.apache.org
>> Subject: Re: [users@httpd] Apache returns 200 to client in case of proxy timeout
>>
>> On 06/15/2011 09:32 AM, Moshe Ben-Shoham wrote:
>> Hi,
>>
>> Thanks for the comment about the ProxyMatch syntax. I will look into it, although it works.
>>
>> Regarding the proxy hit, I know for sure that the request should be proxied because is usually does. It matches the following rewrite rule (again, URL was changed):
>>
>> RewriteRule ^/x/y(.*) http://localhost:9003$1 [P]
>>
>> In addition, every time the timeout occurs, I see the following message in the Apache error log, exactly 300 seconds after the request arrives:
>>
>> [Sat Jun 11 09:00:54 2011] [error] [client 192.168.131.11] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : proxy: error reading status line from remote server localhost
>>
>>
>> It means what it says.
>>
>> Your rule allows bogus constructions like http://localhost:9003002001/foobar/.
>>
>> ALWAYS include slashes at ambiguous locations!
>>
>>
>>
>>
>> Thanks,
>> Moshe Ben Shoham
>> Perfecto Mobile
>>
>> From: Jeroen Geilman [mailto:jeroen@adaptr.nl]
>> Sent: Wednesday, June 15, 2011 10:18 AM
>> To: users@httpd.apache.org<ma...@httpd.apache.org>
>> Subject: Re: [users@httpd] Apache returns 200 to client in case of proxy timeout
>>
>> On 06/15/2011 08:52 AM, Moshe Ben-Shoham wrote:
>> Hi,
>>
>> We're using Apache 2.2.15, with mod_proxy_http for proxying requests to backend processes.
>>
>> Here's the relevant configuration we use:
>>
>> <ProxyMatch http://localhost:9001>
>>
>> That is not valid syntax for ProxyMatch, which requires a regular expression.
>> Please see http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxymatch for details.
>>
>>
>> ProxySet smax=5 max=20 ttl=120 keepalive=On
>> </ProxyMatch>
>>
>> Hence, the value of "timeout" is 300 seconds. When the timeout occurs, we see Apache returning 200 to the client (just changed the URL):
>>
>> 1181: 192.168.131.11 - - [11/Jun/2011:10:58:53 +0100] "POST /x/y/z HTTP/1.1" 200 - 300515625
>>
>>
>> No way to know that the proxy is being hit.
>>
>>
>>
>>
>>
>> Is that the expected behavior? I would expect an error code, maybe 504.
>>
>> Thanks,
>> Moshe Ben Shoham
>> Perfecto Mobile
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org