All,

I am using 2.2.3 on Windows 2003, running a reverse proxy to IIS 5.0 on Win2k. The Win2k box is hiding behind a Symantec firewall. Several locations proxied with ProxyPass and ProxyPassReverse to http port 80 on the IIS. None of this is my fault except for the Apache configuration.
The symptom is an excessive amount of 502 responses, and the failing request seems to never make it to the IIS server (at least not to such an extent that it shows up in the IIS log). I have Windump running on the Apache box.
It looks like mod_proxy is setting up persistent connections, which are dropped by the firewall. The result is an RST from the firewall when mod_proxy tried to re-use an open backend connection.
I can mitigate 99% of this behaviour by using keepalive=On in the ProxyPass directives, but I'm still getting some drops. One such looks in the Ethereal trace like it sat idle for 17 minutes before mod_proxy tried to re-use it.
Can I configure the proxy so that it kills back-end connections faster than the firewall drops them? How would that work? smax=0 ttl=60 (or some other value that won't trigger the firewall)?
Or, alternatively, can I turn off connection re-use altogether? I don't know that our traffic level needs persistent connections.
Thanks,

Sander

--
sctemme@xxxxxxxxxx http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
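One way to check the idle-connection theory against a capture, as an added example that is not part of the original message: the script flags every backend flow where an RST follows a long silence, which is the pattern described for the 17-minute case. The four-column record layout (epoch seconds, source, destination, TCP flags), the addresses and the 60-second threshold are assumptions made for the example, not Windump's native output.

```python
# Added example: flag backend connections that were reset on reuse after idling.
# SAMPLE_TRACE is constructed data in a simplified layout:
#   <epoch-seconds> <src ip:port> <dst ip:port> <tcp flags>
SAMPLE_TRACE = """\
1000.0 10.0.0.5:3101 10.0.0.9:80 S
1000.1 10.0.0.9:80 10.0.0.5:3101 SA
1000.2 10.0.0.5:3101 10.0.0.9:80 A
1000.3 10.0.0.5:3101 10.0.0.9:80 PA
1000.4 10.0.0.9:80 10.0.0.5:3101 PA
2020.4 10.0.0.5:3101 10.0.0.9:80 PA
2020.5 10.0.0.9:80 10.0.0.5:3101 R
3000.0 10.0.0.5:3102 10.0.0.9:80 S
3000.1 10.0.0.9:80 10.0.0.5:3102 SA
3000.2 10.0.0.5:3102 10.0.0.9:80 PA
3000.3 10.0.0.9:80 10.0.0.5:3102 PA
3005.0 10.0.0.5:3102 10.0.0.9:80 PA
3005.1 10.0.0.9:80 10.0.0.5:3102 PA
"""


def stale_reuse_resets(trace, min_idle=60.0):
    """Return (flow, idle_seconds) for each RST that follows a gap >= min_idle."""
    seen = {}      # flow key -> timestamps of packets seen so far on that flow
    findings = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        ts, src, dst, flags = line.split()
        ts = float(ts)
        key = tuple(sorted((src, dst)))   # same key for both directions
        times = seen.setdefault(key, [])
        if "R" in flags and times:
            # Idle time is the longer of the last two gaps: the silence before
            # the packet that tried to reuse the connection, or the silence
            # before the RST itself.
            gaps = [ts - times[-1]]
            if len(times) >= 2:
                gaps.append(times[-1] - times[-2])
            idle = max(gaps)
            if idle >= min_idle:
                findings.append((key, round(idle, 1)))
        times.append(ts)
    return findings


if __name__ == "__main__":
    for flow, idle in stale_reuse_resets(SAMPLE_TRACE):
        print(f"{flow[0]} <-> {flow[1]}: RST after {idle:.0f}s idle")
```

The shortest idle time reported across a real capture gives an upper bound for any backend connection lifetime chosen to stay under the firewall's timeout.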