RE: Data Center QoS equipment breaking http 1.1?

2009-08-01 Thread Ivan Pepelnjak
Facts first: name-based virtual hosts depend on the HOST header in the
HTTP/1.1 request to select the virtual web server.

> I pored over my configs (I've done this config countless
> times), and saw this in the apache docs:
>
> http://httpd.apache.org/docs/2.2/vhosts/name-based.html
>
> > Some operating systems and network equipment implement
> > bandwidth management techniques that cannot differentiate
> > between hosts unless they are on separate IP addresses.

Translated into networking engineerese: since the QoS equipment (including
routers unless you use HTTP NBAR) cannot peer into the contents of the TCP
session, it cannot find the HOST header and thus cannot decide which virtual
host the traffic belongs to, making it impossible to enforce
per-virtual-host QoS policies.

> So, I installed lynx on the server, and sure enough, it
> worked perfectly fine there, just not from anywhere outside
> eSecuredata's network that I could see.
>
> Can anyone shed any light on this particular practice, of
> this company in particular?

What you're experiencing usually means only one thing: they're using a box
that messes with HTTP headers. It could be a misconfigured DPI box, a
transparent (broken) HTTP proxy or a custom-developed wizardry.

Configure the Apache logs (http://httpd.apache.org/docs/2.2/logs.html) to
log the virtual host name in the HTTP request (the %{host}i directive) or
use Wireshark on your client and the server to inspect it. If you find out
they're messing with the HOST header (as suspected), switch the provider
immediately.

Ivan
 
http://www.ioshints.info/about
http://blog.ioshints.info/
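A log check along the lines Ivan suggests, added here as an example and not code from anyone in this thread: it reads access-log lines written with an assumed LogFormat that records %{Host}i beside %v, and flags requests whose Host header arrived missing, as a bare IP address, or not matching the vhost that answered. The vhost table, the log format and the sample lines are all constructed for the example.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Assumed Apache LogFormat (constructed for this example); %{Host}i sits next to %v so the
# Host header the server received can be compared with the vhost that actually answered:
#   LogFormat "%h %{Host}i %v \"%r\" %>s" hostcheck
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<host_hdr>\S+) (?P<vhost>\S+) "(?P<request>[^"]*)" (?P<status>\d{3})$')
HOST_RE = re.compile(r'^(?:\[(?P<v6>[^\]]+)\]|(?P<name>[^:]+))(?::\d+)?$')

# Hypothetical vhost table: ServerName -> names it accepts (ServerName plus ServerAlias).
VHOSTS = {
    "customer.example": {"customer.example", "www.customer.example"},
    "default.example": {"default.example", "www.default.example"},
}

def classify(rec):
    # Label one parsed record by what its Host header says about the request path.
    if rec["host_hdr"] == "-":
        return "host_missing"       # no Host on arrival: stripped in transit, or an HTTP/1.0 client
    h = HOST_RE.match(rec["host_hdr"])
    if not h:
        return "host_malformed"
    name = (h["v6"] or h["name"]).lower()
    try:
        ipaddress.ip_address(name)
        return "host_is_ip"         # something replaced the name with an address; vhost selection fails
    except ValueError:
        pass
    if name not in VHOSTS.get(rec["vhost"], set()):
        return "vhost_mismatch"     # header intact but the wrong vhost answered: server-side config
    return "ok"

def summarize(lines):
    # Count labels per client so anomalies can be correlated with where the client sits.
    counts = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        label = classify(m.groupdict()) if m else "unparsed"
        counts[m["client"] if m else "?"][label] += 1
    return {c: dict(v) for c, v in counts.items()}

# Constructed sample: 10.0.0.4 is inside the hosting network, the others are external clients.
SAMPLE = [
    '10.0.0.4 customer.example:80 customer.example "GET / HTTP/1.1" 200',
    '203.0.113.5 www.customer.example customer.example "GET / HTTP/1.1" 200',
    '198.51.100.7 - default.example "GET / HTTP/1.1" 200',
    '198.51.100.7 192.0.2.10 default.example "GET /index.html HTTP/1.1" 200',
    '198.51.100.8 www.customer.example default.example "GET / HTTP/1.1" 200',
]
```

If the missing/IP-literal labels cluster on external clients while in-network clients come out clean, the path is the suspect; if vhost_mismatch shows up regardless of client, look at the server configuration first.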




Re: Data Center QoS equipment breaking http 1.1?

2009-07-31 Thread up


Please disregard this idiocy of mine...it appears that the Apache 
UseCanonicalName directive selectively breaks some NameVirtualHosts, while 
leaving others unscathed, but turning it off fixed it anyway.


On Fri, 31 Jul 2009, u...@3.am wrote:

> Sorry if this is a little OT, but we're seeing a serious problem and I was
> wondering if it is what I think it is.
>
> In short: I have been moving services off of our servers in a data center
> onto a server at eSecuredata, who rents dedicated servers.  The idea is to
> lower costs and eliminate having to deal with hardware.
>
> They advertise unmetered bandwidth, but mention QoS measures to control
> bandwidth hogs.
>
> One of my customers, whose site I just moved from a unique IP virtual host on
> my old server onto an Apache NameVirtualHost on the new one, worked fine at
> first.  Then today, they started complaining about getting one of our home
> pages.  I figured DNS or web caching issues, until I started seeing it for
> myself.  It was no caching issue, it was NameVirtualHost breaking.
>
> I pored over my configs (I've done this config countless times), and saw
> this in the apache docs:
>
> http://httpd.apache.org/docs/2.2/vhosts/name-based.html
>
> > Some operating systems and network equipment implement bandwidth management
> > techniques that cannot differentiate between hosts unless they are on
> > separate IP addresses.
>
> So, I installed lynx on the server, and sure enough, it worked perfectly fine
> there, just not from anywhere outside eSecuredata's network that I could see.
>
> Can anyone shed any light on this particular practice, of this company in
> particular?
>
> thanks
>
> James Smallacombe PlantageNet, Inc. CEO and Janitor
> u...@3.am   http://3.am
> =



James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
=