Re: Apache doesn't close the socket

On 11/23/06, Filip Kolendo <filip.kolendo@xxxxxxxxxxxx> wrote:
Hello,

I notice strange (in my opinion erroneous and dangerous) behaviour of
Apache; it can very easily be completely locked by wrong/malicious clients.
I think it can have something in common with the situation discussed in the
thread I point to below, although I'm not sure whether the reason is the
same.
[http://marc.theaimsgroup.com/?l=apache-httpd-users&m=116349385007435&w=2]

Configuration: win xp, apache 2.0.48
To make my tests simpler I set in httpd.conf: ThreadsPerChild 1

Using netcat I make the following call:
> nc server 80

...and nothing else...
netstat shows the connection is established...

Because I have only one child/thread no new request to Apache can be
fulfilled.

All the new requests (e.g. from a browser) also establish the TCP
connection... they are queued(?)...
I guess they should be rejected (I think IIS does it this way) and the
client should get some information... now, no information is returned at
all... in the browser, it looks like the HTML page is being prepared... which
makes users refresh the page and establish new connections...

The second issue, more serious, is that there is no timeout for the
connection made by netcat. If I disconnected the client computer from
the net (physically unplugged the net cable) the server child was still
busy (waiting for some input...). The only way to bring Apache back to life
was to restart it.

When I make the same trick with IIS, it closes such netcat connection
after a few seconds.

Is it an Apache bug or do I make some mistakes in my tests? Errors in
configuration?
How is it possible to kill the server so easily?

There is indeed a Timeout.  It is determined by the Timeout directive
in httpd.conf.  If it isn't working for you, you should first upgrade
to a modern version (2.2.3) to see if that fixes the problem.

As far as the other clients, they are queued by the OS, not by apache
(see the ListenBacklog directive).  There is a chicken-egg problem,
since if you want them to receive an error message, the connection
needs to be processed by the server.  But you've prevented the server
from processing any connections, so no error message is possible.

In general, you don't want to send the clients error messages.  You
simply want to respond correctly to their requests.  And you do this
by making enough threads available to serve the clients.  (In other
words, why waste resources sending error messages when you could
instead be serving the clients what they ask for.)

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
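
An added illustration of the behaviour discussed in this thread (not code from either poster or from Apache): a toy single-worker server in Python, where `read_timeout` stands in for the `Timeout` directive and the `listen()` backlog for `ListenBacklog`. All names, the loopback address and the timings are assumptions of this example.

```python
import socket
import threading
import time

def worker(listener, read_timeout, log):
    """One worker handling one connection at a time (cf. ThreadsPerChild 1)."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:                      # listener closed: stop
            return
        with conn:
            conn.settimeout(read_timeout)    # stands in for Apache's Timeout
            try:
                data = conn.recv(1024)       # blocks while the client is silent
                if data:
                    log.append("answered")
                    conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nok")
                else:
                    log.append("client closed")
            except socket.timeout:
                log.append("timed out")      # idle client dropped, worker freed
            except OSError:
                log.append("error")

def demo(read_timeout, patience=3.0):
    """Return (log, reply, seconds waited) for a client queued behind an idle one."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))          # constructed local test server
    listener.listen(5)                       # OS-level queue, cf. ListenBacklog
    log = []
    threading.Thread(target=worker, args=(listener, read_timeout, log),
                     daemon=True).start()
    addr = listener.getsockname()
    start = time.monotonic()
    idle = socket.create_connection(addr)    # connects, then sends nothing
    real = socket.create_connection(addr)    # handshake completes in the backlog
    real.settimeout(patience)
    real.sendall(b"GET / HTTP/1.0\r\n\r\n")
    try:
        reply = real.recv(1024)
    except socket.timeout:
        reply = None                         # request never reached the worker
    waited = time.monotonic() - start
    snapshot = list(log)                     # worker activity seen so far
    for s in (idle, real, listener):
        s.close()
    return snapshot, reply, waited
```

With `demo(0.5)` the queued client is answered once the silent connection times out; with `demo(None, patience=1.0)` the worker stays blocked on the silent connection and the queued client receives nothing, which matches what the browser showed in the original report.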

