Description of problem:
mod_auth_pgsql does not release database connections each time a
browser hits a page protected by it. The result is an eventual
consumption of concurrently open database connections.
Version-Release number of selected component (if applicable):
Always reproducable and resulting in an http DoS of web directories
protected by mod_auth_pgsql.
Steps to Reproduce:
1. password protect a directory via mod_auth_pgsql
2. authenticate a browser into the directory
3. reload the page lots of times
4. even with the database backend configured to handle many
connections (say, 128 or more), mod_auth_pgsql keeps opening new
connections until it maxes out at 64 similtanious connections.
Many, many idle processes representing unclosed database connections
are created, e.g:
postgres 9397 0.0 0.3 12360 3644 pts/1 S 16:32 0:00
postgres: postgres hpgrants 127.0.0.1 idle
Apache begins to log messages like this:
[Fri Feb 13 16:58:40 2004] [error] [client 22.214.171.124]
mod_auth_pgsql database connection error reset failed FATAL: Sorry,
too many clients already!
Browsers attempting to access mod_auth_psql protected pages get
"Internal Server Error" from Apache.
The overall result is that mod_auth_pgsql on RHE3 causes a delayed
DoS. RHE2.1 does not have this problem.
Obviously, the server should continue to serve protected pages after
the first 64 hits.
Reading in the mod_auth_pgsql source/docs in the version used in RHE3,
an experimental method reusing open database connections was
implemented but had some problems. It's possible (likely?) that the
source snapshot in RHE3 not only attempts to use this experimental
optimization, but is using a broken version of it.
Downloading mod_auth_pgsql-2.0.2b1 and installing it via this seems to
fix the problem:
# apxs -i -a -c -lpq mod_auth_pgsql.c
Thanks for the report, apologies for the delay in response. The fix
from 2.0.2b1 to disable connection reuse has been integrated for the
next update, along with other fixes. Test packages are available here:
An errata has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.