Posted to users@httpd.apache.org by "Webb, Eric" <Er...@CooperIndustries.com> on 2009/02/09 23:56:24 UTC

[users@httpd] ProxyPass and connection reset by peer

 

Hi all,

 

I am running httpd 1.3.37 on Linux 2.4.33.3 as a reverse proxy server
fronting a corporate web portal to the Internet.  Lately, I have seen a
rise in client complaints of web pages not loading completely, and when
I check Apache logs I see several messages like the following directly
tied to what the particular user was doing:

 

[Fri Feb  6 16:41:17 2009] [error] [client 11.222.333.444] (104)Connection reset by peer: proxy: error reading from https://www.someplace.com/irj/servlet/prt/portal/prtpos/com!252esap!252eportal!252enavigation!252eportallauncher!252edefault!7b!3b1!7d/prttarget/pcd!253aportal_content!252fcom!252ecooper!252efl_cooper_internal!252fcom!252ecooper!252efl_cooper_internal_iviews!252fcom!252ecooper!252eCooperCustomerCenter!252fcom!252ecooper!252eDesktop!252fcom!252ecooper!252eNewCCCDefaultDesktop!252fframeworkPages!252fcom!252ecooper!252eportal!252eNew_CCC_Light_Framework_Page.com!252esap!252eportal!252elightinnerpage.com!252ecooper!252eCCCContentAreaLight.content/prteventname/HtmlbEvent/prtroot/com.sap.portal.navigation.portallauncher.default

 

The connection path is    Browser -> [SSL] -> ReverseProxy -> [ProxyPass] -> [SSL] -> AppServer

 

When the reverse proxy is bypassed (i.e., accessed from internal network)
we don't see this issue at all.  Feedback I'm getting from the apps
people after comparing TCPDUMP traces is that the reverse proxy box is
resetting connections instead of going through the normal FIN/ACK
handshake process.  Although, from the above error log entry, it appears
that it is the app server which is resetting the connection.

 

My questions so far:

 

1) What is the above error really telling me?

2) Am I correct that the connection which was reset was RP ->
appserver, and not browser -> RP?

3) Who is really resetting the connection, the RP or the app
server?

4) This issue has been seen off and on for the past year, but has
become worse in the past two months.  I theorize the problem to be
increased traffic / volume-related, as this reverse proxy also services
a few other domains.  Is there any information available on kernel (IP
stack) or HTTP parameter tuning for such a server?

5) I see SSL config directives that allow me to limit which SSL
protocol I will allow from the client.  Is there any way to force the
SSL protocol (and even the encryption method) that I use when ProxyPass
opens the socket to my app server?

 

 

Thanks!

 

 

 

Eric C. Webb
Sr. Systems Analyst / Unix System Administrator


Cooper Industries IT Solutions & Services
(770) 486-4623   FAX: (770) 486-4677
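
One way to check the volume theory in question 4 against the error log, as an added example that is not part of the original post: the script below parses error_log lines in the format quoted above and counts the "proxy: error reading from" entries per hour and per backend host. The sample lines, client addresses and shortened URL path are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample in the error_log format quoted in the post.
# Client addresses and the shortened URL path are made up for illustration.
SAMPLE_LOG = """\
[Fri Feb  6 16:41:17 2009] [error] [client 192.0.2.10] (104)Connection reset by peer: proxy: error reading from https://www.someplace.com/irj/servlet/prt/portal
[Fri Feb  6 16:52:03 2009] [error] [client 192.0.2.11] (104)Connection reset by peer: proxy: error reading from https://www.someplace.com/irj/servlet/prt/portal
[Fri Feb  6 16:55:40 2009] [error] [client 192.0.2.12] File does not exist: /var/www/htdocs/favicon.ico
[Fri Feb  6 17:03:29 2009] [error] [client 192.0.2.10] (104)Connection reset by peer: proxy: error reading from https://www.someplace.com/irj/servlet/prt/portal
"""

# [timestamp] [error] [client ip] (errno)error text: proxy: error reading from URL
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[error\]\s+\[client (?P<client>[^\]]+)\]\s+"
    r"\((?P<errno>\d+)\)(?P<errstr>[^:]+): proxy: error reading from (?P<url>\S+)"
)

def parse_proxy_read_error(line):
    """Return a dict for a proxy read-error line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Collapse the double space the log uses before one-digit days of the month.
    stamp = " ".join(m["ts"].split())
    return {
        "when": datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"),
        "client": m["client"],
        "errno": int(m["errno"]),
        "error": m["errstr"],
        "backend": urlsplit(m["url"]).hostname,
    }

def summarize(lines):
    """Count proxy read errors per hour and per (backend host, errno)."""
    per_hour, per_backend = Counter(), Counter()
    for line in lines:
        rec = parse_proxy_read_error(line)
        if rec is None:
            continue
        per_hour[rec["when"].strftime("%Y-%m-%d %H:00")] += 1
        per_backend[(rec["backend"], rec["errno"])] += 1
    return per_hour, per_backend

if __name__ == "__main__":
    hours, backends = summarize(SAMPLE_LOG.splitlines())
    for hour, count in sorted(hours.items()):
        print(hour, count)
    for (host, errno), count in backends.most_common():
        print(host, errno, count)
```

Comparing the hourly counts with request counts from the access log for the same hours shows whether the resets track load.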