Bug 115496

Summary: connection reuse issues
Product: Red Hat Enterprise Linux 3
Reporter: Philip Edelbrock <phil>
Component: mod_auth_pgsql
Assignee: Joe Orton <jorton>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: 3.0
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-09-02 03:14:23 UTC

Description Philip Edelbrock 2004-02-13 01:09:49 UTC
Description of problem:

mod_auth_pgsql does not release database connections each time a
browser hits a page protected by it.  The result is an eventual
consumption of concurrently open database connections.

Version-Release number of selected component (if applicable):

mod_auth_pgsql-2.0.1-3.ent

How reproducible:

Always reproducible and resulting in an http DoS of web directories
protected by mod_auth_pgsql.

Steps to Reproduce:
1. password protect a directory via mod_auth_pgsql
2. authenticate a browser into the directory
3. reload the page lots of times
4. even with the database backend configured to handle many
connections (say, 128 or more), mod_auth_pgsql keeps opening new
connections until it maxes out at 64 simultaneous connections.

Actual results:

Many, many idle processes representing unclosed database connections
are created, e.g:

postgres  9397  0.0  0.3 12360 3644 pts/1    S    16:32   0:00 postgres: postgres hpgrants 127.0.0.1 idle

Apache begins to log messages like this:
[Fri Feb 13 16:58:40 2004] [error] [client 206.228.191.7] mod_auth_pgsql database connection error reset failed FATAL:  Sorry, too many clients already!

Browsers attempting to access mod_auth_pgsql protected pages get
"Internal Server Error" from Apache.

The overall result is that mod_auth_pgsql on RHE3 causes a delayed
DoS.  RHE2.1 does not have this problem.


Expected results:

Obviously, the server should continue to serve protected pages after
the first 64 hits.


Additional info:

Reading in the mod_auth_pgsql source/docs in the version used in RHE3,
an experimental method reusing open database connections was
implemented but had some problems.  It's possible (likely?) that the
source snapshot in RHE3 not only attempts to use this experimental
optimization, but is using a broken version of it.

Comment 1 Philip Edelbrock 2004-02-13 19:35:51 UTC
Downloading mod_auth_pgsql-2.0.2b1 and installing it via this seems to
fix the problem:

# apxs  -i -a -c -lpq mod_auth_pgsql.c

 -Phil

Comment 2 Joe Orton 2004-06-25 13:17:51 UTC
Thanks for the report, apologies for the delay in response.  The fix
from 2.0.2b1 to disable connection reuse has been integrated for the
next update, along with other fixes.  Test packages are available here:

http://people.redhat.com/jorton/Taroon-map/

Comment 3 Jay Turner 2004-09-02 03:14:24 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-317.html