Re: MITM apache config settings?


 



Hm. Well, I certainly see the logic in your explanation, however, the client claims to have encountered this before and is confident it is an apache config error. I will look into the keepalive. Would you agree with this statement:

"apache servers check to see if the databits coming are coming through different subnets."

If the above statement is true, then what does apache do if it detects different subnets??

R


On Jan 3, 2007, at 4:45 PM, Sander Temme wrote:


On Jan 3, 2007, at 11:51 AM, Robert Denton wrote:

Hi all, I hope someone here can point me in the right direction. My apache server is dropping connections from a client that load balances between 2 ISPs. I have been told that this may be a result of some setting in the httpd.conf file that directs apache to drop connections when there is a sudden change in destination IP address. Supposedly this is to help prevent man-in-the-middle attacks. I am fairly familiar with the httpd.conf contents (or so I thought I was) and I cannot find anything in there related to this phenomenon. Does anyone here have any idea what setting in the config may contribute to this behavior? TIA.

You mean the client-side IP address might change in mid-transaction? How would Apache learn of this when it occurs? When Apache receives a request from an IP address, it sends the response back to that IP address and no others.

The way you describe it, this sounds severely broken. Imagine:

Client sends TCP handshake followed by request from IP 1, server sends response back to IP 1; Client's connection changes, it sends subsequent request over existing connection (or so it thinks) but now the packets arrive from IP 2; Server (not even Apache, but the underlying OS) sees mid-connection packets from IP 2 that were not preceded by a TCP handshake, and sends an RST (or silently absorbs depending on configuration, firewalls, etc.). As I said, broken.

If your client has an AS that may fail over to a different ISP, it's a different story. However, you should not even notice that when it happens.

I'd say reduce the KeepAlive timeout or turn off KeepAlive altogether to make sure Apache doesn't keep connections open across such router flaps. Or take the Clue bat to your client.

S.

--
sctemme@xxxxxxxxxx            http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
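The scenario Sander walks through above (a kept-alive connection whose packets suddenly arrive from a second public IP, and why turning KeepAlive off sidesteps it) can be modelled without a network at all. The following Python is an added example written for this archive page; it is not code from the thread, from Apache, or from either poster. It is a toy stand-in for the kernel's TCP demultiplexer: a connection is identified by its four-tuple, a segment that matches no established connection is answered with RST, and an "Apache-like" server either keeps the connection open or closes it after each response. The IP addresses, port numbers and the two-ISP client are all constructed.

```python
"""Model of a client whose egress IP changes mid-connection, as described in
the thread. Constructed example: the addresses (RFC 5737 documentation
ranges), ports and event sequence are made up for illustration."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed server endpoint.
SERVER_IP = "192.0.2.10"
SERVER_PORT = 80


@dataclass(frozen=True)
class FourTuple:
    """A TCP connection is identified by (src ip, src port, dst ip, dst port)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class TcpServerStack:
    """Minimal stand-in for the OS TCP layer underneath the web server."""

    def __init__(self) -> None:
        self.established: set = set()

    def handshake(self, src_ip: str, src_port: int) -> str:
        # SYN / SYN-ACK / ACK completed: remember the four-tuple.
        self.established.add(FourTuple(src_ip, src_port, SERVER_IP, SERVER_PORT))
        return "SYN-ACK"

    def segment(self, src_ip: str, src_port: int) -> str:
        # Data on a known connection is delivered to the application;
        # a segment matching no connection gets an RST (RFC 793 behaviour,
        # assuming no firewall silently drops it instead).
        key = FourTuple(src_ip, src_port, SERVER_IP, SERVER_PORT)
        return "ACCEPT" if key in self.established else "RST"

    def close(self, src_ip: str, src_port: int) -> None:
        self.established.discard(FourTuple(src_ip, src_port, SERVER_IP, SERVER_PORT))


def simulate(keep_alive: bool) -> List[Tuple[str, str]]:
    """Two requests from one client socket; the client's public IP changes
    between them because its load balancer fails over to a second ISP.

    Returns the TCP-level outcome of each request's data segment."""
    stack = TcpServerStack()
    isp_a_ip = "203.0.113.5"    # constructed: public IP via ISP A
    isp_b_ip = "198.51.100.7"   # constructed: public IP via ISP B
    client_port = 40000         # constructed: the client's local port
    outcomes = []

    # Request 1 arrives via ISP A after a normal handshake.
    stack.handshake(isp_a_ip, client_port)
    outcomes.append(("req1", stack.segment(isp_a_ip, client_port)))
    if not keep_alive:
        # With KeepAlive Off the server closes after the response, so the
        # client cannot reuse the connection and must handshake again.
        stack.close(isp_a_ip, client_port)

    # --- the client's egress flaps to ISP B here ---

    if keep_alive:
        # Client believes its connection is still open and reuses it, but
        # the segment now carries ISP B's address: no matching four-tuple.
        outcomes.append(("req2", stack.segment(isp_b_ip, client_port)))
    else:
        # Fresh connection from whichever address the client now has.
        stack.handshake(isp_b_ip, client_port)
        outcomes.append(("req2", stack.segment(isp_b_ip, client_port)))
    return outcomes


def keepalive_directives(keep_alive: bool, timeout_seconds: int = 5) -> str:
    """httpd.conf fragment for the two mitigations suggested in the thread:
    a short KeepAliveTimeout, or KeepAlive off entirely. The timeout value
    is an assumed illustration, not a recommendation from the thread."""
    if not keep_alive:
        return "KeepAlive Off\n"
    return f"KeepAlive On\nKeepAliveTimeout {timeout_seconds}\n"


if __name__ == "__main__":
    print("KeepAlive On :", simulate(True))
    print("KeepAlive Off:", simulate(False))
    print(keepalive_directives(False))
```

Running it shows the second request getting an RST only in the kept-alive case: nothing in the model inspects subnets or compares addresses across requests, the segment simply matches no connection the stack knows about. With KeepAlive off the second request arrives on a new handshake from the new address and is served normally, which is the effect of Sander's suggestion; a short KeepAliveTimeout narrows the window in which a flap can land on an open connection without closing it outright.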

