Posted to users@httpd.apache.org by Mike Peachey <mi...@port.im> on 2015/04/14 12:49:55 UTC
[users@httpd] httpd 2.4.12 ignoring net.ipv4.ip_local_port_range
Hi all,
Will try to be concise:
OS: Amazon Linux 2015.03 x86_64
Precise package: httpd24-2.4.12-1.60.amzn1.x86_64
Apache httpd 2.4 in use as SSL proxy.
$ sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768 61000
One remote client was unable to connect. Amazon subnet ACL in place
permitting response communication with the ephemeral port range 32768-61000
as defined in /proc/sys/net/ipv4/ip_local_port_range and confirmed as above
by sysctl. Client successfully connected after enlarging subnet ACL to
permit responses on 1025-65536.
Once client connected (<remote ipv4 addr 1>), the following shows in netstat:
tcp 0 0 ::ffff:<local ipv4 addr>:443 ::ffff:<remote ipv4 addr 1>:63158 TIME_WAIT -
tcp 0 0 ::ffff:<local ipv4 addr>:443 ::ffff:<remote ipv4 addr 1>:63156 TIME_WAIT -
tcp 0 0 ::ffff:<local ipv4 addr>:443 ::ffff:<remote ipv4 addr 1>:63157 TIME_WAIT -
tcp 0 0 ::ffff:<local ipv4 addr>:443 ::ffff:<remote ipv4 addr 2>:42875 TIME_WAIT -
tcp 0 0 ::ffff:<local ipv4 addr>:443 ::ffff:<remote ipv4 addr 1>:63159 TIME_WAIT -
This client is getting responses from httpd on ports 63156+.
As far as I understand it, this should not be permitted, as the maximum local
port is set to 61000.
Bug? Feature?
Thanks in advance.
--
Mike Peachey
mike.peachey@port.im
Re: [users@httpd] httpd 2.4.12 ignoring net.ipv4.ip_local_port_range
Posted by Mike Peachey <mi...@port.im>.
Of course you are right. I considered the client would be the issue and do
not now remember why I discounted it. Thank you.
On 14 April 2015 at 17:00, Eric Covener <co...@gmail.com> wrote:
> On Tue, Apr 14, 2015 at 6:49 AM, Mike Peachey <mi...@port.im>
> wrote:
> > This client is getting responses from httpd on ports 63156+
>
> The server side of the connection uses a well-known listening port,
> 443. Clients use those high ephemeral ports. I don't think tuning an
> ephemeral port range on the server does anything unless you use
> mod_proxy for outbound connections.
> --
> Eric Covener
> covener@gmail.com
--
Mike Peachey
mike.peachey@port.im
Re: [users@httpd] httpd 2.4.12 ignoring net.ipv4.ip_local_port_range
Posted by Eric Covener <co...@gmail.com>.
On Tue, Apr 14, 2015 at 6:49 AM, Mike Peachey <mi...@port.im> wrote:
> This client is getting responses from httpd on ports 63156+
The server side of the connection uses a well-known listening port,
443. Clients use those high ephemeral ports. I don't think tuning an
ephemeral port range on the server does anything unless you use
mod_proxy for outbound connections.
--
Eric Covener
covener@gmail.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
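The point Eric makes above (an inbound connection keeps the server's listening port on the server side, and the high port belongs to the client's kernel, so the server's net.ipv4.ip_local_port_range only constrains ports this host picks for outbound connections) can be checked mechanically. The following script is an added example, not code from the thread or from httpd: it parses a few constructed netstat lines in the shape shown above (addresses are documentation ranges), reports for each row which side holds the kernel-assigned port and whether this host's range even applies, and then opens a loopback connection to show the same thing live. The listening-port set and the sample rows are assumptions for the demonstration.

```python
"""Which end of a TCP connection an ephemeral-port range governs (added example)."""
import socket
import threading

# Constructed sample modelled on the thread's netstat output; the last row is an
# outbound connection this host made (e.g. mod_proxy to a backend on 8443).
SAMPLE_NETSTAT = """\
tcp 0 0 ::ffff:192.0.2.10:443 ::ffff:198.51.100.7:63158 TIME_WAIT -
tcp 0 0 ::ffff:192.0.2.10:443 ::ffff:198.51.100.7:63156 TIME_WAIT -
tcp 0 0 ::ffff:192.0.2.10:443 ::ffff:203.0.113.4:42875 TIME_WAIT -
tcp 0 0 ::ffff:192.0.2.10:51234 ::ffff:198.51.100.9:8443 ESTABLISHED -
"""

LISTEN_PORTS = {443}            # assumption: what this host's httpd listens on
SERVER_RANGE = (32768, 61000)   # the range from the thread's sysctl output


def split_addr(field):
    """Split 'host:port' (IPv4, IPv6 or IPv4-mapped) on the LAST colon."""
    host, _, port = field.rpartition(":")
    return host, int(port)


def parse_netstat(text):
    """Yield (local_host, local_port, remote_host, remote_port, state) per tcp row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        lh, lp = split_addr(parts[3])
        rh, rp = split_addr(parts[4])
        yield lh, lp, rh, rp, parts[5]


def classify(local_port, remote_port, listen_ports, rng):
    """Decide whether this host's ip_local_port_range applies to the row.

    A local port equal to one of our listeners was not chosen by our kernel:
    the remote (client) side owns the ephemeral port, so our range is irrelevant.
    Only ports our kernel picked for outbound connections must lie in rng.
    """
    low, high = rng
    if local_port in listen_ports:
        return "inbound: remote port %d is the client's ephemeral port" % remote_port
    if low <= local_port <= high:
        return "outbound: local port %d inside our range" % local_port
    return "outbound: local port %d OUTSIDE our range" % local_port


def audit(text=SAMPLE_NETSTAT, listen_ports=LISTEN_PORTS, rng=SERVER_RANGE):
    """Return [(local_port, remote_port, verdict), ...] for each netstat row."""
    return [(lp, rp, classify(lp, rp, listen_ports, rng))
            for _, lp, _, rp, _ in parse_netstat(text)]


def read_local_port_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Return (low, high) from the running kernel, or None if unavailable."""
    try:
        with open(path) as f:
            low, high = f.read().split()
        return int(low), int(high)
    except (OSError, ValueError):
        return None


def loopback_demo():
    """Accept one loopback connection; return (listen_port, server_side_port, client_side_port).

    The accepted socket reports the listening port as its own local port; the
    connecting socket gets an ephemeral port from the connecting kernel's range.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free listener
    srv.listen(1)
    listen_port = srv.getsockname()[1]
    seen = {}

    def accept_one():
        conn, _ = srv.accept()
        seen["server_side"] = conn.getsockname()[1]   # equals listen_port
        conn.close()

    t = threading.Thread(target=accept_one)
    t.start()
    cli = socket.create_connection(("127.0.0.1", listen_port))
    client_side = cli.getsockname()[1]                # kernel-assigned ephemeral port
    t.join()
    cli.close()
    srv.close()
    return listen_port, seen["server_side"], client_side


if __name__ == "__main__":
    for lp, rp, verdict in audit():
        print("%5d -> %5d  %s" % (lp, rp, verdict))
    print("kernel range:", read_local_port_range())
    print("loopback (listen, server_side, client_side):", loopback_demo())
```

Run on the sample, the three port-443 rows are reported as inbound with the remote port being the client's ephemeral port, which is why 63156-63159 can exceed the server's 61000 ceiling; only the 51234 row is one this host's range actually governs. The loopback demo makes the same point against the live kernel: the accepted socket's local port is the listening port, and the connecting socket's port falls inside whatever /proc/sys/net/ipv4/ip_local_port_range says on the connecting machine.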