Return-Path: 
 <bugs-return-27987-apmail-httpd-bugs-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-bugs-archive@www.apache.org
Received: (qmail 4371 invoked from network); 11 Oct 2007 11:49:14 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 11 Oct 2007 11:49:14 -0000
Received: (qmail 20036 invoked by uid 500); 11 Oct 2007 11:49:01 -0000
Delivered-To: apmail-httpd-bugs-archive@httpd.apache.org
Received: (qmail 19985 invoked by uid 500); 11 Oct 2007 11:49:01 -0000
Mailing-List: contact bugs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:bugs@httpd.apache.org>
List-Help: <mailto:bugs-help@httpd.apache.org>
List-Unsubscribe: <mailto:bugs-unsubscribe@httpd.apache.org>
Reply-To: "Apache HTTPD Bugs Notification List" <bugs@httpd.apache.org>
List-Id: <bugs.httpd.apache.org>
Delivered-To: mailing list bugs@httpd.apache.org
Received: (qmail 19972 invoked by uid 99); 11 Oct 2007 11:49:01 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Oct 2007 04:49:01 -0700
X-ASF-Spam-Status: No, hits=-99.1 required=10.0
	tests=ALL_TRUSTED,NORMAL_HTTP_TO_IP,URIBL_RHS_DOB
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO brutus.apache.org) (140.211.11.4)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Oct 2007 11:49:04 +0000
Received: by brutus.apache.org (Postfix, from userid 33)
	id 4505971420E; Thu, 11 Oct 2007 04:48:43 -0700 (PDT)
From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 43598]  New:  - The ProxyTimeout setting does not
 affect ReverseProxy Timeout settings on Apache 2.0.61
Message-ID: <bug-43598-7868@http.issues.apache.org/bugzilla/>
X-Bugzilla-Reason: AssignedTo
Date: Thu, 11 Oct 2007 04:48:43 -0700 (PDT)
X-Virus-Checked: Checked by ClamAV on apache.org

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43598>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43598

           Summary: The ProxyTimeout setting does not affect ReverseProxy
                    Timeout settings on Apache 2.0.61
           Product: Apache httpd-2
           Version: 2.0.61
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_proxy
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: christian.folini@post.ch


I came accross a timeout issue in a reverse proxy setting and
after running multiple tests and asking the httpd-user mailinglist [1][2],
I believe this is a bug. It could also be a missing functionality
and a documentation problem, but Josua Slive suggested I submit
a bug report [3].

Details:

	client:
		netcat localhost 80 < /tmp/get-request

		file /tmp/get-request:
			line 1: GET / HTTP/1.1
			line 2: Host: 127.0.0.1
			line 3:

			Note the empty line.

	apache reverse proxy
		Server version: Apache/2.0.61
		Server built:   Sep 27 2007 13:36:58
		Custom compilation of native sourcecode
		apache config (stripped down test config):
		  Timeout		10
		  <VirtualHost *:80>
		    Timeout		20
		    ProxyPass	/	http://127.0.0.1:8080/
		    ProxyTimeout	30
		  </Virtualhost>

	backend application:
		netcat -l -p 8080
		  -> output:
		     GET / HTTP/1.1
		     Host: 127.0.0.1:8080
		     Max-Forwards: 10
		     X-Forwarded-For: 127.0.0.1
		     X-Forwarded-Host: testhost
		     X-Forwarded-Server: testhost.myhome.net

		Note that the backend does not write a response. It
		just accepts the request and waits.
		
	error-log:
	[Thu Oct 11 10:35:39 2007] [debug] proxy_http.c(67): proxy: HTTP:
canonicalising URL //127.0.0.1:8080/
	[Thu Oct 11 10:35:39 2007] [debug] mod_proxy.c(454): Trying to run scheme_handler
	[Thu Oct 11 10:35:39 2007] [debug] proxy_http.c(1723): proxy: HTTP: serving URL
http://127.0.0.1:8080/
	[Thu Oct 11 10:35:39 2007] [debug] proxy_http.c(186): proxy: HTTP connecting
http://127.0.0.1:8080/ to 127.0.0.1:8080
	[Thu Oct 11 10:35:39 2007] [debug] proxy_util.c(1097): proxy: HTTP: fam 2
socket created to connect to 127.0.0.1
	[Thu Oct 11 10:35:39 2007] [debug] proxy_http.c(336): proxy: socket is connected
	[Thu Oct 11 10:35:39 2007] [debug] proxy_http.c(370): proxy: connection
complete to 127.0.0.1:8080 (127.0.0.1)
	[Thu Oct 11 10:35:59 2007] [error] [client 127.0.0.1] proxy: error reading
status line from remote server 127.0.0.1
	[Thu Oct 11 10:35:59 2007] [error] [client 127.0.0.1] proxy: Error reading from
remote server returned by /

	tcpdump:
	root@testhost ~>/usr/sbin/tcpdump -i lo -s 0 -A port 80
	tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
	listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
	10:35:39.094093 IP localhost.58354 > localhost.www: S 2639151242:2639151242(0)
win 32792 <mss 16396,sackOK,timestamp 2344522 0,nop,wscale 7>
	E..<..@.@..............P.N@...............@....

		        .#.J........
	10:35:39.094459 IP localhost.www > localhost.58354: S 2632084042:2632084042(0)
ack 2639151243 win 32768 <mss 16396,sackOK,timestamp 2344522 2344522,nop,wscale 7>
	E..<..@.@.<..........P....jJ.N@.....9p....@....

		        .#.J.#.J....
	10:35:39.094100 IP localhost.58354 > localhost.www: . ack 1 win 257
<nop,nop,timestamp 2344522 2344522>
	E..4..@.@..............P.N@...jK....!......

		        .#.J.#.J
	10:35:39.094250 IP localhost.58354 > localhost.www: P 1:33(32) ack 1 win 257
<nop,nop,timestamp 2344522 2344522>
	E..T..@.@..............P.N@...jK.....H.....
			.#.J.#.JGET / HTTP/1.1
			Host: 127.0.0.1


	10:35:39.094258 IP localhost.www > localhost.58354: . ack 33 win 256
<nop,nop,timestamp 2344522 2344522>
	E..4..@.@............P....jK.N@.....!u.....

			        .#.J.#.J
	10:35:59.096004 IP localhost.www > localhost.58354: P 1:511(510) ack 33 win 256
<nop,nop,timestamp 2349523 2344522>
	E..2..@.@............P....jK.N@......'.....
			.#...#.JHTTP/1.1 502 Proxy Error
			Date: Thu, 11 Oct 2007 08:35:39 GMT
			Content-Length: 379
			Content-Type: text/html; charset=iso-8859-1

			<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
			<html><head>
			<title>502 Proxy Error</title>
			</head><body>
			<h1>Proxy Error</h1>
			<p>The proxy server received an invalid
			response from an upstream server.<br />
			The proxy server could not handle the request <em><a
href="/">GET&nbsp;/</a></em>.<p>
			Reason: <strong>Error reading from remote server</strong></p></p>
			</body></html>

	10:35:59.096015 IP localhost.58354 > localhost.www: . ack 511 win 265
<nop,nop,timestamp 2349523 2349523>
	E..4..@.@..............P.N@...lI...     .[.....

		        .#...#..


	Interpretation:
	The client->RP->backend connection works as expected. As the
	backend is not responding, the RP cuts the connection after a
	certain timeout.
	
	The configuration sets three timeouts:
		- Server Timeout (10)
		- Virtual Host Timeout (20)
		- Proxy Timeout (30)

	As visible in the tcpdump above, the timeout occurrs after twenty
	seconds and not after 30 seconds as defined by the ProxyTimeout
	statement.

	Timeout documentation says [4]:
			
	> The TimeOut directive currently defines the amount of time Apache will wait
for three things:
	>
	>   1. The total amount of time it takes to receive a GET request.
	>   2. The amount of time between receipt of TCP packets on a POST or PUT request.
	>   3. The amount of time between ACKs on transmissions of TCP packets in
responses.

	It does not say anything about the proxy timeout, despite affecting that
	one as well.

	The ProxyTimeout documentation says:
	> This directive allows a user to specifiy a timeout on proxy requests. 
	> This is useful when you have a slow/buggy appserver which hangs, and 
	> you would rather just return a timeout and fail gracefully instead of 
	> waiting however long it takes the server to return.

	As its names implies, this is the configuration option that should
	be used to affect the proxy connection timeout. But as the test
	above demonstrated, this is not the case.

	So this looks like a bug. Either in the documentation or in the
	apache (proxy?) code. I would rather have a fixed apache, than
	only a documentation update. The ability to control the proxy timeout
	independently from the client timeout is important in many setups.
	I can elaborate on this issue. It has to do with certain DoS/DDoS
	attacks where a very low timeout becomes very important.


	I have tested the ProxyTimeout setting on Apache 2.2 as well. It works
	as advertised on 2.2.6. The Apache 2.2 is thus not affected from this
	bug. However, updating to Apache 2.2 will take time for my
        organisation.


	References:
	[1] http://marc.info/?l=apache-httpd-users&m=119088062412991&w=2
	[2] http://marc.info/?l=apache-httpd-users&m=119140647214662&w=2
	[3] http://marc.info/?l=apache-httpd-users&m=119141830917372&w=2
	[4] http://httpd.apache.org/docs/2.0/mod/core.html#timeout
	[5] http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxytimeout

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org