On 11/23/06, Filip Kolendo <filip.kolendo@xxxxxxxxxxxx> wrote:
Hello, I notice strange (in my opinion erroneous and dangerous) behaviour of Apache; it can very easily be completely locked by wrong/malicious clients. I think it can have something in common with the situation discussed in the thread I point to below, although I'm not sure whether the reason is the same.

[http://marc.theaimsgroup.com/?l=apache-httpd-users&m=116349385007435&w=2]

Configuration: win xp, apache 2.0.48

To make my tests simpler I set in httpd.conf:

ThreadsPerChild 1

Using netcat I make the following call:

> nc server 80

...and nothing else... netstat shows the connection is established...

Because I have only one child/thread no new request to Apache can be fulfilled. All the new requests (eg. from browser) also establish the TCP connection... they are queued(?)... I guess they should be rejected (I think IIS makes it this way) and client should get some information... now, no information is returned at all... in browser, it looks like the HTML page is being prepared... which makes users refresh the page and establish new connections...

The second issue, more serious, is that there is no timeout for the connection made by netcat. If I disconnected the client computer from the net (physically plug off the net cable) the server child was still busy (waiting for some input...). The only way to make the Apache alive was to restart it.

When I make the same trick with IIS, it closes such netcat connection after a few seconds.

Is it an Apache bug or do I make some mistakes in my tests? Errors in configuration? How is it possible to kill the server so easily?
There is indeed a Timeout. It is determined by the Timeout directive in httpd.conf. If it isn't working for you, you should first upgrade to a modern version (2.2.3) to see if that fixes the problem.

As far as the other clients, they are queued by the OS, not by apache (see the ListenBacklog directive). There is a chicken-egg problem, since if you want them to receive an error message, the connection needs to be processed by the server. But you've prevented the server from processing any connections, so no error message is possible.

In general, you don't want to send the clients error messages. You simply want to respond correctly to their requests. And you do this by making enough threads available to serve the clients. (In other words, why waste resources sending error messages when you could instead be serving the clients what they ask for.)

Joshua.
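One way to check that the Timeout directive discussed in this thread is actually enforced on a server you run, as an added example that is not part of the original messages: it opens a single connection, sends nothing (like the `nc server 80` test), and reports how long the server takes to close it. The function names, the local stand-in server and its 0.5 second idle limit are constructed for the demonstration.

```python
import socket
import threading
import time

def measure_idle_close(host, port, max_wait):
    """Connect, send nothing, and return the seconds until the server closes
    the connection, or None if it is still open after max_wait seconds."""
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=max_wait) as s:
        try:
            while True:
                remaining = max_wait - (time.monotonic() - start)
                if remaining <= 0:
                    return None
                s.settimeout(remaining)
                if s.recv(4096) == b"":       # orderly close by the server
                    return time.monotonic() - start
                # bytes received (e.g. an error response) precede the close
        except socket.timeout:
            return None                      # server never gave up on the idle client
        except ConnectionResetError:
            return time.monotonic() - start  # server closed with a reset

def start_stub_server(idle_limit):
    """Constructed stand-in for a one-thread server: serves one client at a
    time and drops it after idle_limit seconds of silence (None = never)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))               # port 0: let the OS pick a free port
    srv.listen(5)                            # further clients wait in the OS backlog

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                       # listener was closed
            conn.settimeout(idle_limit)
            try:
                conn.recv(4096)              # wait for a request that never comes
            except (socket.timeout, OSError):
                pass
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, port = start_stub_server(idle_limit=0.5)
    print("closed after", measure_idle_close("127.0.0.1", port, max_wait=3.0))
    srv.close()
```

Against a real server, set `max_wait` a little above the configured Timeout value; a `None` result means the idle connection outlived it.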