Posted to users@httpd.apache.org by Filip Kolendo <fi...@primesoft.pl> on 2006/11/23 22:06:28 UTC

[users@httpd] Apache doesnt close the socket

Hello,

I notice strange (in my opinion erroneous and dangerous) behaviour of
Apache; very easily can be completely locked by wrong/malicious clients.
I think it can have something common with the situation discussed in the
thread I point below, although I'm not sure whether the reason is the
same.
[http://marc.theaimsgroup.com/?l=apache-httpd-users&m=116349385007435&w=2]

Configuration: win xp, apache 2.0.48
To make my tests simpler I set in httpd.conf: ThreadsPerChild 1

Using netcat I make the following call:
> nc server 80

...and nothing else...
netstat shows the connection is established...

Because I have only one child/thread no new request to Apache can be
fulfilled.

All the new requests (e.g. from browser) also establish the TCP
connection... they are queued(?)...
I guess they should be rejected (I think IIS makes it this way) and
client should get some information... now, no information is returned at
all... in browser, it looks like the HTML page is being prepared... what
makes users refresh the page and establish new connections...

The second issue, more serious, is that there is no timeout for the
connection made by netcat. If I disconnected the client computer from
the net (physically plug off the net cable) the server child was still
busy (waiting for some input...). The only way to make the Apache alive
was to restart it.

When I make the same trick with IIS, it closes such netcat connection
after a few seconds.

Is it an Apache bug or do I make some mistakes in my tests? Errors in
configuration?
How is it possible to kill the server so easily?

Regards,
Filip


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache doesnt close the socket

Posted by Joshua Slive <jo...@slive.ca>.
On 11/24/06, Filip Kolendo <fi...@primesoft.pl> wrote:

> I've found on [http://www.petefreitag.com/item/505.cfm] suggestion to
> lower value (45 sec).
> For me it sounds reasonable... Is it really a serious threat to set it
> lower ("odd places in the code")?

It is fine to set it down to a few seconds in most situations.  The
only common issue is long-running CGI scripts, which will be
terminated if they don't return some content within the Timeout.

Joshua.



Re: [users@httpd] Apache doesnt close the socket

Posted by Filip Kolendo <fi...@primesoft.pl>.
Joshua Slive wrote:
> On 11/23/06, Filip Kolendo <fi...@primesoft.pl> wrote:
>> Hello,
>>
>> I notice strange (in my opinion erroneous and dangerous) behaviour of
>> Apache; very easily can be completely locked by wrong/malicious clients.
>> I think it can have something common with the situation discussed in the
>> thread I point below, although I'm not sure whether the reason is the
>> same.
>> [http://marc.theaimsgroup.com/?l=apache-httpd-users&m=116349385007435&w=2]
>>
>>
>> Configuration: win xp, apache 2.0.48
>> To make my tests simpler I set in httpd.conf: ThreadsPerChild 1
>>
>> Using netcat I make the following call:
>> > nc server 80
>>
>> ...and nothing else...
>> netstat shows the connection is established...
>>
>> Because I have only one child/thread no new request to Apache can be
>> fulfilled.
>>
>> All the new requests (e.g. from browser) also establish the TCP
>> connection... they are queued(?)...
>> I guess they should be rejected (I think IIS makes it this way) and
>> client should get some information... now, no information is returned at
>> all... in browser, it looks like the HTML page is being prepared... what
>> makes users refresh the page and establish new connections...
>>
>> The second issue, more serious, is that there is no timeout for the
>> connection made by netcat. If I disconnected the client computer from
>> the net (physically plug off the net cable) the server child was still
>> busy (waiting for some input...). The only way to make the Apache alive
>> was to restart it.
>>
>> When I make the same trick with IIS, it closes such netcat connection
>> after a few seconds.
>>
>> Is it an Apache bug or do I make some mistakes in my tests? Errors in
>> configuration?
>> How is it possible to kill the server so easily?
>
> There is indeed a Timeout.  It is determined by the Timeout directive
> in httpd.conf.  If it isn't working for you, you should first upgrade
> to a modern version (2.2.3) to see if that fixes the problem.
>
Thanks. I focused on KeepAliveTimeout directive and didn't notice the
Timeout. It works the way I expect.

According to the docs
[http://httpd.apache.org/docs/2.0/mod/core.html#timeout]:
"The timer used to default to 1200 before 1.2, but has been lowered to
300 which is still far more than necessary in most situations. It is not
set any lower by default because there may still be odd places in the
code where the timer is not reset when a packet is sent."

I've found on [http://www.petefreitag.com/item/505.cfm] suggestion to
lower value (45 sec).
For me it sounds reasonable... Is it really a serious threat to set it
lower ("odd places in the code")?

Filip



Re: [users@httpd] Apache doesnt close the socket

Posted by Joshua Slive <jo...@slive.ca>.
On 11/23/06, Filip Kolendo <fi...@primesoft.pl> wrote:
> Hello,
>
> I notice strange (in my opinion erroneous and dangerous) behaviour of
> Apache; very easily can be completely locked by wrong/malicious clients.
> I think it can have something common with the situation discussed in the
> thread I point below, although I'm not sure whether the reason is the
> same.
> [http://marc.theaimsgroup.com/?l=apache-httpd-users&m=116349385007435&w=2]
>
> Configuration: win xp, apache 2.0.48
> To make my tests simpler I set in httpd.conf: ThreadsPerChild 1
>
> Using netcat I make the following call:
> > nc server 80
>
> ...and nothing else...
> netstat shows the connection is established...
>
> Because I have only one child/thread no new request to Apache can be
> fulfilled.
>
> All the new requests (e.g. from browser) also establish the TCP
> connection... they are queued(?)...
> I guess they should be rejected (I think IIS makes it this way) and
> client should get some information... now, no information is returned at
> all... in browser, it looks like the HTML page is being prepared... what
> makes users refresh the page and establish new connections...
>
> The second issue, more serious, is that there is no timeout for the
> connection made by netcat. If I disconnected the client computer from
> the net (physically plug off the net cable) the server child was still
> busy (waiting for some input...). The only way to make the Apache alive
> was to restart it.
>
> When I make the same trick with IIS, it closes such netcat connection
> after a few seconds.
>
> Is it an Apache bug or do I make some mistakes in my tests? Errors in
> configuration?
> How is it possible to kill the server so easily?

There is indeed a Timeout.  It is determined by the Timeout directive
in httpd.conf.  If it isn't working for you, you should first upgrade
to a modern version (2.2.3) to see if that fixes the problem.

As far as the other clients, they are queued by the OS, not by apache
(see the ListenBacklog directive).  There is a chicken-egg problem,
since if you want them to receive an error message, the connection
needs to be processed by the server.  But you've prevented the server
from processing any connections, so no error message is possible.

In general, you don't want to send the clients error messages.  You
simply want to respond correctly to their requests.  And you do this
by making enough threads available to serve the clients.  (In other
words, why waste resources sending error messages when you could
instead be serving the clients what they ask for.)

Joshua.
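
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Apache's code: a single-worker server in Python where a socket read timeout stands in for the Timeout directive and the listen() backlog for ListenBacklog. The function names, the 1-second timeout and the loopback clients are assumptions made for the sketch.

```python
import socket
import threading
import time

def serve_one_at_a_time(listener, read_timeout, max_conns):
    """Single worker (like ThreadsPerChild 1): connections are handled strictly in turn."""
    outcomes = []
    for _ in range(max_conns):
        conn, _addr = listener.accept()      # next connection from the OS backlog
        conn.settimeout(read_timeout)        # stands in for the Timeout directive
        try:
            data = conn.recv(4096)
            if data:
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
                outcomes.append("served")
            else:
                outcomes.append("closed")
        except socket.timeout:
            outcomes.append("timed out")     # worker is released for the next client
        finally:
            conn.close()
    return outcomes

def demo(read_timeout=1.0):
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # loopback, ephemeral port
    listener.listen(5)                       # backlog: the kernel queues waiting clients
    port = listener.getsockname()[1]
    result = {}
    worker = threading.Thread(target=lambda: result.update(
        outcomes=serve_one_at_a_time(listener, read_timeout, 2)))
    worker.start()

    idle = socket.create_connection(("127.0.0.1", port))    # connects, sends nothing
    time.sleep(0.2)                          # let the worker pick up the idle one first
    start = time.monotonic()
    client = socket.create_connection(("127.0.0.1", port))  # established, but queued
    client.sendall(b"GET / HTTP/1.0\r\n\r\n")
    reply = client.recv(4096)                # blocks until the worker is free again
    waited = time.monotonic() - start

    worker.join()
    for s in (idle, client, listener):
        s.close()
    return result["outcomes"], reply, waited

if __name__ == "__main__":
    print(demo())
```

The second client's TCP connection is established immediately by the kernel, yet its reply arrives only after the read timeout expires on the silent connection, which is why a shorter timeout shortens the stall.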
