On Jan 3, 2007, at 11:51 AM, Robert Denton wrote:
Hi all, I hope someone here can point me in the right direction. My apache server is dropping connections from a client that load balances between 2 ISPs. I have been told that this may be a result of some setting in the httpd.conf file that directs apache to drop connections when there is a sudden change in destination IP address. Supposedly this is to help prevent man-in-the-middle attacks. I am fairly familiar with the httpd.conf contents (or so I thought I was) and I cannot find anything in there related to this phenomenon. Does anyone here have any idea what setting in the config may contribute to this behavior? TIA.
You mean the client-side IP address might change in mid-transaction? How would Apache learn of this when it occurs? When Apache receives a request from an IP address, it sends the response back to that IP address and no others.
The way you describe it, this sounds severely broken. Imagine: Client sends TCP handshake followed by request from IP 1, server sends response back to IP 1; Client's connection changes, it sends subsequent request over existing connection (or so it thinks) but now the packets arrive from IP 2; Server (not even Apache, but the underlying OS) sees mid-connection packets from IP 2 that were not preceded by a TCP handshake, and sends an RST (or silently absorbs depending on configuration, firewalls, etc.). As I said, broken.
If your client has an AS that may fail over to a different ISP, it's a different story. However, you should not even notice that when it happens.
I'd say reduce the KeepAlive timeout or turn off KeepAlive altogether to make sure Apache doesn't keep connections open across such router flaps. Or take the Clue bat to your client.
S. -- sctemme@xxxxxxxxxx http://www.temme.net/sander/ PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
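The sequence Sander describes (handshake from IP 1, then a mid-connection packet from IP 2 that the OS answers with an RST) and why a shorter KeepAliveTimeout narrows the window, as an added toy model that is not from this thread or from Apache. The addresses, port, one-step handshake and the assumption that the client notices a server-side close are constructed simplifications.

```python
class ServerStack:
    """Server-side view: the OS tracks connections by client (IP, port)."""

    def __init__(self, keepalive_timeout: float):
        self.keepalive_timeout = keepalive_timeout   # Apache KeepAliveTimeout
        self.established = {}                        # (ip, port) -> last activity

    def expire_idle(self, now: float) -> None:
        # Apache closes keep-alive connections idle past the timeout; once
        # closed, the kernel no longer recognises packets for that 4-tuple.
        for key in [k for k, t in self.established.items()
                    if now - t > self.keepalive_timeout]:
            del self.established[key]

    def is_open(self, ip: str, port: int) -> bool:
        return (ip, port) in self.established

    def receive(self, ip: str, port: int, seg: str, now: float) -> str:
        """Reply sent for one incoming segment: 'SYN' or 'DATA'."""
        self.expire_idle(now)
        key = (ip, port)
        if seg == "SYN":                   # handshake (condensed to one step)
            self.established[key] = now
            return "SYN-ACK"
        if key in self.established:
            self.established[key] = now
            return "RESPONSE"              # known connection: Apache answers
        # Never saw a handshake from this (IP, port): the kernel, not
        # Apache, rejects the stray segment with a reset.
        return "RST"

ISP1, ISP2, PORT = "198.51.100.10", "203.0.113.10", 40000   # constructed

def simulate(keepalive_timeout: float, gap: float) -> list:
    """Client requests via ISP 1, fails over to ISP 2, and `gap` seconds
    later sends its next request. Returns the server's replies in order."""
    srv = ServerStack(keepalive_timeout)
    replies = [srv.receive(ISP1, PORT, "SYN", 0.0),
               srv.receive(ISP1, PORT, "DATA", 0.1)]
    now = 0.1 + gap
    srv.expire_idle(now)
    if srv.is_open(ISP1, PORT):
        # Keep-alive connection still open: the client reuses it, but its
        # packets now carry ISP 2's source address.
        replies.append(srv.receive(ISP2, PORT, "DATA", now))
    else:
        # Server already closed the idle connection (assumed: the client
        # noticed), so the client opens a fresh one from ISP 2 instead.
        replies += [srv.receive(ISP2, PORT, "SYN", now),
                    srv.receive(ISP2, PORT, "DATA", now + 0.1)]
    return replies
```

With a 15 second timeout and a 5 second gap the reused connection draws an RST; with a 2 second timeout the idle connection is already gone and the client's fresh handshake from ISP 2 succeeds.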