Posted to users@httpd.apache.org by Sander Temme <sc...@apache.org> on 2006/12/21 11:15:30 UTC

[users@httpd] Aggressively timing out proxy connections?

All,

I am using 2.2.3 on Windows 2003, running a reverse proxy to IIS 5.0  
on Win2k.  The Win2k box is hiding behind a Symantec firewall.   
Several locations are proxied with ProxyPass and ProxyPassReverse to http
port 80 on the IIS.  None of this is my fault except for the Apache  
configuration.

The symptom is an excessive amount of 502 responses, and the failing  
request seems to never make it to the IIS server (at least not to  
such an extent that it shows up in the IIS log). I have Windump  
running on the Apache box.

It looks like mod_proxy is setting up persistent connections, which  
are dropped by the firewall. The result is an RST from the firewall  
when mod_proxy tried to re-use an open backend connection.

I can mitigate 99% of this behaviour by using keepalive=On in the  
ProxyPass directives, but I'm still getting some drops. One such  
looks in the Ethereal trace like it sat idle for 17 minutes before  
mod_proxy tried to re-use it.

Can I configure the proxy so that it kills back-end connections  
faster than the firewall drops them? How would that work? smax=0  
ttl=60 (or some other value that won't trigger the firewall)?

Or, alternatively, can I turn off connection re-use altogether? I  
don't know that our traffic level needs persistent connections.

Thanks,

Sander

-- 
sctemme@apache.org            http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF



Re: [users@httpd] Aggressively timing out proxy connections?

Posted by Sander Temme <sc...@apache.org>.
On Dec 21, 2006, at 2:15 AM, Sander Temme wrote:

> Or, alternatively, can I turn off connection re-use altogether? I  
> don't know that our traffic level needs persistent connections.

OK, I believe I got it... no 502s in the past half hour. I added a

SetEnv proxy-nokeepalive 1

to the <Location> blocks that were proxied through the offending  
firewall.

This is even documented (blush):

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#envsettings

It seems to be working great: connections to the back-end are sent  
with the Connection: close header and immediately torn down after the  
request with a FIN sequence. Connections between the Application  
Router and the client remain full HTTP/1.1, with Keepalive.

Neat.

S.

-- 
sctemme@apache.org            http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
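
Added example, not part of the original thread: a sketch of how the fix described in the reply fits into an httpd 2.2 reverse-proxy configuration. The path /app/ and the host backend.example.internal are placeholders, and the smax/ttl line is the untested idea from the first message, not something the thread confirms.

```apache
# Constructed example. /app/ and backend.example.internal are placeholders.
# Requires mod_proxy, mod_proxy_http and mod_env (for SetEnv).

# Before: backend connections are pooled and re-used. If the firewall
# drops its state for an idle connection, the next re-use is answered
# with an RST and the client sees a 502.
#ProxyPass        /app/ http://backend.example.internal/app/ keepalive=On
#ProxyPassReverse /app/ http://backend.example.internal/app/

# Idea raised in the first message, not confirmed in the thread:
# expire idle backend connections before the firewall does. The ttl
# value (seconds) would have to be lower than the firewall's idle timeout.
#ProxyPass        /app/ http://backend.example.internal/app/ smax=0 ttl=60

# After: the approach reported as working in the reply.
ProxyPass        /app/ http://backend.example.internal/app/
ProxyPassReverse /app/ http://backend.example.internal/app/

<Location /app/>
    # Backend requests carry "Connection: close" and the backend
    # connection is torn down after each response. Keepalive between
    # the client and the proxy is not affected.
    SetEnv proxy-nokeepalive 1
</Location>
```

Setting the variable per <Location> limits the cost of one connection per request to the paths that cross the firewall; other proxied locations keep connection re-use.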