httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From c...@decus.org (Rodent of Unusual Size)
Subject Re: Apache PR#190: IdentyCheck and server accessibility
Date Mon, 24 Feb 1997 22:16:15 GMT
>From the fingers of Jerry Morrison flowed the following:
>
>I turned on the IdentityCheck feature make server logs more informative.
>(The identity info has a place in the standard server log format.)
>
>This worked fine on our server that's inside our firewall. But it made our
>server that's outside our firewall inaccessible, at least from inside
>the firewall. E.g. it didn't answer requests for server info.

    Are you sure it didn't answer, or just took a very long time to do
    so?  If you enable IdentityCheck, the server contacts the client
    system on port 113 to determine who's making the request.  The
    server will wait for 60 seconds to get an answer.  If the client
    system doesn't have a listener on that port (i.e., isn't running
    [p]identd or a friend), the request will block for that duration.
    If the page actually results in lots of separate requests, it may
    appear that the server isn't answering.

    One key to detecting this is that the browser will probably display
    a status resembling, "server foo contacted, waiting for response."
    If you wait long enough (up to N minutes for N requests), the page
    will probably come through, and your access_log will show "unknown"
    for the remote-user field.

>Perhaps the IdentityCheck feature makes it wait forever on some info that's
>blocked by the firewall.

    In your particular case, the problem is almost certainly that a)
    your client isn't running an RFC1413 listener, and/or b) your
    firewall is blocking outbound connects to port 113.  Since it works
    when the firewall isn't in the path, the latter sounds likely. ;->

>I'd have been happy with a bold note in the documentation on IdentityCheck. I
>have no idea if the software could be changed to log the identity info when
>available and not get stuck on it when not available

    The problem is that the information isn't "available" per se - the
    server has to go out and get it.  It isn't included in any manner as
    part of the request.

    We'll look into this.  Thank you for this report, and for using Apache!

    #ken    :-)}

Mime
View raw message