httpd-users mailing list archives

From Sander Temme <scte...@apache.org>
Subject Re: [users@httpd] MITM apache config settings?
Date Wed, 03 Jan 2007 21:45:51 GMT

On Jan 3, 2007, at 11:51 AM, Robert Denton wrote:

> Hi all,  I hope someone here can point me in the right direction.   
> My apache server is dropping connections from a client that load  
> balances between 2 ISPs. I have been told that this may be a result  
> of some setting in the httpd.conf file that directs apache to drop  
> connections when there is a sudden change in destination IP  
> address.  Supposedly this is to help prevent man-in-the-middle  
> attacks.  I am fairly familiar with the httpd.conf contents (or so  
> I thought I was) and I cannot find anything in there related to  
> this phenomenon.  Does anyone here have any idea what setting in  
> the config may contribute to this behavior?  TIA.

You mean the client-side IP address might change in mid-transaction?   
How would Apache learn of this when it occurs?  When Apache receives  
a request from an IP address, it sends the response back to that IP  
address and no others.

The way you describe it, this sounds severely broken. Imagine:

Client sends TCP handshake followed by request from IP 1, server  
sends response back to IP 1; Client's connection changes, it sends  
subsequent request over existing connection (or so it thinks) but now  
the packets arrive from IP 2; Server (not even Apache, but the  
underlying OS) sees mid-connection packets from IP 2 that were not  
preceded by a TCP handshake, and sends an RST (or silently absorbs  
depending on configuration, firewalls, etc.).  As I said, broken.

If your client has an AS that may fail over to a different ISP, it's  
a different story.  However, you should not even notice that when it  
happens.

I'd say reduce the KeepAlive timeout or turn off KeepAlive  
altogether to make sure Apache doesn't keep connections open across  
such router flaps.  Or take the Clue bat to your client.

S.

-- 
sctemme@apache.org            http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
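As an added illustration of the KeepAlive advice in the reply above (example code, not part of the original message or of httpd), a small Python check that parses the KeepAlive directives out of httpd.conf text and reports how long an idle persistent connection may be held open. The config fragments are constructed, and the defaults assumed for unset directives are httpd 2.2's (KeepAlive On, KeepAliveTimeout 5, MaxKeepAliveRequests 100).

```python
import re
from typing import Dict, Optional

# Constructed httpd.conf fragments: the setting the reply warns about,
# next to the two mitigations it suggests.
CONF_LONG_KEEPALIVE = "KeepAlive On\nMaxKeepAliveRequests 100\nKeepAliveTimeout 15\n"
CONF_SHORT_TIMEOUT = "KeepAlive On\nKeepAliveTimeout 2\n"
CONF_NO_KEEPALIVE = "# KeepAliveTimeout 30\nKeepAlive Off\nKeepAliveTimeout 15\n"

# Assumed httpd 2.2 defaults for directives the file leaves unset.
DEFAULTS = {"KeepAlive": "On", "KeepAliveTimeout": 5, "MaxKeepAliveRequests": 100}
CANONICAL = {k.lower(): k for k in DEFAULTS}

# Directive names are case-insensitive; a leading '#' keeps commented lines from matching.
DIRECTIVE_RE = re.compile(
    r"^\s*(KeepAlive|KeepAliveTimeout|MaxKeepAliveRequests)\s+(\S+)", re.I | re.M)

def _parse_seconds(value: str) -> int:
    """KeepAliveTimeout is in seconds; newer httpd also accepts an 'ms' suffix."""
    m = re.fullmatch(r"(\d+)(ms)?", value, re.I)
    if not m:
        raise ValueError(f"unparseable KeepAliveTimeout: {value!r}")
    return int(m.group(1)) // 1000 if m.group(2) else int(m.group(1))

def keepalive_settings(conf: str) -> Dict[str, object]:
    """Effective KeepAlive* settings; the last occurrence of a directive wins, as in httpd."""
    settings: Dict[str, object] = dict(DEFAULTS)
    for name, value in DIRECTIVE_RE.findall(conf):
        key = CANONICAL[name.lower()]
        if key == "KeepAlive":
            settings[key] = "On" if value.lower() == "on" else "Off"
        elif key == "KeepAliveTimeout":
            settings[key] = _parse_seconds(value)
        else:
            settings[key] = int(value)
    return settings

def idle_window_seconds(conf: str) -> int:
    """Seconds an idle persistent connection may be held open (0 when KeepAlive is Off)."""
    s = keepalive_settings(conf)
    return 0 if s["KeepAlive"] == "Off" else int(s["KeepAliveTimeout"])

def route_flap_finding(conf: str, max_idle: int = 2) -> Optional[str]:
    """Report when an idle connection could outlive a brief ISP fail-over (assumed <= max_idle s)."""
    idle = idle_window_seconds(conf)
    if idle > max_idle:
        return f"KeepAlive holds idle connections for {idle}s; reduce KeepAliveTimeout or set KeepAlive Off"
    return None
```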


