Joshua Slive wrote:
> On 11/23/06, Filip Kolendo <[EMAIL PROTECTED]> wrote:
>> Hello,
>>
>> I noticed strange (in my opinion erroneous and dangerous) behaviour of
>> Apache; it can very easily be completely locked by wrong/malicious clients.
>> I think it may have something in common with the situation discussed in the
>> thread I point to below, although I'm not sure whether the reason is the
>> same.
>> [http://marc.theaimsgroup.com/?l=apache-httpd-users&m=116349385007435&w=2]
>>
>>
>> Configuration: win xp, apache 2.0.48
>> To make my tests simpler I set in httpd.conf: ThreadsPerChild 1
>>
>> Using netcat I make the following call:
>> > nc server 80
>>
>> ...and nothing else...
>> netstat shows the connection is established...
>>
>> Because I have only one child/thread no new request to Apache can be
>> fulfilled.
>>
>> All the new requests (e.g. from a browser) also establish the TCP
>> connection... they are queued(?)...
>> I guess they should be rejected (I think IIS does it this way) and the
>> client should get some information... now, no information is returned at
>> all... in the browser, it looks like the HTML page is being prepared... which
>> makes users refresh the page and establish new connections...
>>
>> The second issue, more serious, is that there is no timeout for the
>> connection made by netcat. If I disconnected the client computer from
>> the net (physically unplugged the net cable) the server child was still
>> busy (waiting for some input...). The only way to make Apache alive again
>> was to restart it.
>>
>> When I make the same trick with IIS, it closes such netcat connection
>> after a few seconds.
>>
>> Is it an Apache bug or am I making some mistakes in my tests? Errors in
>> configuration?
>> How is it possible to kill the server so easily?
>
> There is indeed a Timeout.  It is determined by the Timeout directive
> in httpd.conf.  If it isn't working for you, you should first upgrade
> to a modern version (2.2.3) to see if that fixes the problem.
>
Thanks. I focused on KeepAliveTimeout directive and didn't notice the
Timeout. It works the way I expect.

According to the docs
[http://httpd.apache.org/docs/2.0/mod/core.html#timeout]:
"The timer used to default to 1200 before 1.2, but has been lowered to
300 which is still far more than necessary in most situations. It is not
set any lower by default because there may still be odd places in the
code where the timer is not reset when a packet is sent."

I've found on [http://www.petefreitag.com/item/505.cfm] a suggestion to
lower the value (45 sec).
To me it sounds reasonable... Is it really a serious threat to set it
lower ("odd places in the code")?

Filip
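The failure mode described in this thread (a client that connects and sends nothing, holding the only worker until the server gives up on it) and the check Filip performed with netcat can be reproduced in a few lines. The script below is an added example written for this page; it is not code from the thread or from the Apache project. It starts a constructed local single-worker server whose `idle_timeout` parameter plays the role of Apache's `Timeout` directive (the server is a stand-in, not httpd), then probes it with a silent client and reports whether and how quickly the server dropped the idle connection. `measure_idle_close` can also be pointed at a real httpd's host and port to confirm that the `Timeout` value in httpd.conf actually takes effect.

```python
import socket
import threading
import time


def serve_one_connection(listener, idle_timeout):
    """Worker loop of a constructed single-worker server (the 'ThreadsPerChild 1' case).

    Accepts one connection and waits for a request.  idle_timeout stands in for
    Apache's Timeout directive: None means the worker blocks forever on a silent
    client; a number of seconds means the worker gives up and frees itself.
    Returns a short string describing what happened.
    """
    conn, _ = listener.accept()
    conn.settimeout(idle_timeout)
    try:
        data = conn.recv(1024)
        if not data:
            return "closed-by-client"
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
        return "served"
    except socket.timeout:
        return "timed-out"
    finally:
        conn.close()


def measure_idle_close(host, port, max_wait):
    """Connect, send nothing (what 'nc server 80' does), and time the server's reaction.

    Returns (closed, seconds): closed is True if the server dropped the idle
    connection within max_wait seconds, False if it was still holding it open.
    """
    sock = socket.create_connection((host, port))
    sock.settimeout(max_wait)
    start = time.monotonic()
    try:
        closed = sock.recv(1) == b""   # b"" means the server sent FIN
    except socket.timeout:
        closed = False                 # server still waiting on us
    finally:
        sock.close()
    return closed, time.monotonic() - start


def run_scenario(idle_timeout, max_wait):
    """Start the constructed server on a free loopback port and probe it with an idle client.

    Returns (closed, seconds, worker_outcome).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    outcome = {}
    worker = threading.Thread(
        target=lambda: outcome.setdefault("result", serve_one_connection(listener, idle_timeout)),
        daemon=True,
    )
    worker.start()
    closed, elapsed = measure_idle_close("127.0.0.1", port, max_wait)
    worker.join(timeout=max_wait + 1)
    listener.close()
    return closed, elapsed, outcome.get("result")


if __name__ == "__main__":
    # No idle timeout: the probe gives up after 1 s and the lone worker was still stuck.
    print("no timeout   :", run_scenario(idle_timeout=None, max_wait=1.0))
    # 0.5 s idle timeout: the worker drops the silent client and is free again.
    print("Timeout 0.5s :", run_scenario(idle_timeout=0.5, max_wait=3.0))
```

In the first scenario the worker only becomes free because the probe itself hangs up; a client that never does so would hold it indefinitely, which is exactly the "restart Apache" situation from the original post. In the second the worker reports `timed-out` and the client observes the close after roughly the configured idle time, which is the behaviour the `Timeout` directive provides.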

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]