From: Sander Temme <sctemme@apache.org>
Date: Wed, 3 Jan 2007 13:45:51 -0800
To: users@httpd.apache.org
Subject: Re: [users@httpd] MITM apache config settings?
In-Reply-To: <304EC607-B0BE-486A-8570-0548AD65D873@headsprout.com>

On Jan 3, 2007, at 11:51 AM, Robert Denton wrote:

> Hi all, I hope someone here can point me in the right direction.
> My apache server is dropping connections from a client that load
> balances between 2 ISPs. I have been told that this may be a result
> of some setting in the httpd.conf file that directs apache to drop
> connections when there is a sudden change in destination IP
> address. Supposedly this is to help prevent man-in-the-middle
> attacks. I am fairly familiar with the httpd.conf contents (or so
> I thought I was) and I cannot find anything in there related to
> this phenomenon. Does anyone here have any idea what setting in
> the config may contribute to this behavior? TIA.

You mean the client-side IP address might change in mid-transaction? How would Apache learn of this when it occurs? When Apache receives a request from an IP address, it sends the response back to that IP address and no others.

The way you describe it, this sounds severely broken. Imagine:

1. Client sends TCP handshake followed by request from IP 1, server sends response back to IP 1;
2. Client's connection changes, it sends subsequent request over existing connection (or so it thinks) but now the packets arrive from IP 2;
3. Server (not even Apache, but the underlying OS) sees mid-connection packets from IP 2 that were not preceded by a TCP handshake, and sends an RST (or silently absorbs depending on configuration, firewalls, etc.).

As I said, broken.

If your client has an AS that may fail over to a different ISP, it's a different story. However, you should not even notice that when it happens.
I'd say reduce the KeepAlive timeout or turn off KeepAlive altogether to make sure Apache doesn't keep connections open across such router flaps. Or take the Clue bat to your client.

S.

-- 
sctemme@apache.org http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
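The failure mode Sander describes, and why a shorter KeepAlive timeout helps, as an added toy model (not code from the thread or from Apache): the server keys connections by TCP 4-tuple, so a segment from the client's new ISP address matches nothing and gets an RST, unless the idle timeout (standing in for Apache's KeepAliveTimeout) already closed the connection and the client re-handshakes. All addresses, ports and timings are constructed.

```python
"""Toy model of the point made above: TCP identifies a connection by its
4-tuple, so a segment arriving from a new client IP mid-connection matches
no known connection and is answered with RST (or silently dropped). The idle
timeout stands in for Apache's KeepAliveTimeout. Addresses are constructed."""
from dataclasses import dataclass

SERVER = ("203.0.113.10", 80)        # constructed server address
ISP1 = ("198.51.100.7", 40001)       # constructed client address via ISP 1
ISP2 = ("192.0.2.55", 40001)         # same client socket, seen via ISP 2

@dataclass
class Conn:
    last_seen: float                 # time of the last segment on this connection

class TcpServer:
    def __init__(self, idle_timeout: float, rst_orphans: bool = True):
        self.idle_timeout = idle_timeout   # KeepAliveTimeout analogue (seconds)
        self.rst_orphans = rst_orphans     # False models a firewall that drops silently
        self.table: dict = {}              # 4-tuple -> Conn

    def _expire(self, now: float) -> None:
        """Close connections idle longer than the timeout (real server sends FIN)."""
        for key in [k for k, c in self.table.items() if now - c.last_seen > self.idle_timeout]:
            del self.table[key]

    def segment(self, src: tuple, now: float, syn: bool = False) -> str:
        """React to one segment from src=(ip, port): 'SYN-ACK', 'ACK/DATA', 'RST' or 'DROP'."""
        self._expire(now)
        key = (src, SERVER)
        if syn:                          # a handshake always creates a fresh connection
            self.table[key] = Conn(last_seen=now)
            return "SYN-ACK"
        if key not in self.table:        # mid-stream segment from an unknown 4-tuple
            return "RST" if self.rst_orphans else "DROP"
        self.table[key].last_seen = now
        return "ACK/DATA"

def failover_scenario(idle_timeout: float, gap: float) -> list:
    """Client handshakes and sends a request via ISP 1; the route flaps; `gap`
    seconds later it sends the next request, now leaving via ISP 2."""
    srv = TcpServer(idle_timeout)
    out = [srv.segment(ISP1, 0.0, syn=True), srv.segment(ISP1, 0.1)]
    # If the server already closed the idle connection, the client saw the FIN
    # and reopens; otherwise it reuses the connection it still believes is alive.
    srv._expire(gap)
    reconnect = (ISP1, SERVER) not in srv.table
    out.append(srv.segment(ISP2, gap, syn=reconnect))
    return out
```

With a long idle timeout the third request draws an RST; with a timeout shorter than the gap the client has already been told to reconnect and the request succeeds on a fresh handshake from the new address.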