Bug 138359 - mod_proxy ignores abortion of downloads.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: httpd
Version: 3.0
Hardware: s390
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-11-08 16:11 UTC by Martin Grimm
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-05-19 13:01:35 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2005:224 0 normal SHIPPED_LIVE httpd bug fix update 2005-05-19 04:00:00 UTC

Description Martin Grimm 2004-11-08 16:11:06 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041104 Firefox/1.0RC2

Description of problem:
When using Apache as a forwarding proxy, Apache continues to download
files via http/ftp, when the client has aborted the download.

mod_cache is NOT used as caching is the job of the squid proxy in
chain with the apache.

When a user requests a huge download via http/ftp, e.g. a CD-ROM
ISO-Image and aborts this download soon after, the Apache server still
downloads the whole ISO-Image. If a user tries several times, you get
more apache-processes each downloading the whole image. This easily
leads to a DOS, because the utilization of the network connection to
the internet will go to 100% slowing down other connections (if the
line is billed by volume, it will result in higher costs, too).

You can check the running downloads e.g. with netstat.

Version-Release number of selected component (if applicable):
httpd-2.0.46-40.ent

How reproducible:
Always

Steps to Reproduce:
1. set up apache as forwarding proxy for http/ftp/ssl
2. start huge downloads via this proxy and abort them as soon as the
download starts
3. watch netstat for established connections and the utilization of
your outgoing network interface
    

Actual Results:  all aborted downloads proceed

Expected Results:  aborted downloads should have been aborted by the
apache server, too

Additional info:

Relevant parts of the Apache configuration:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule cache_module modules/mod_cache.so

Listen 192.168.1.1:3128
<VirtualHost 192.168.1.1:3128>
    ProxyRequests On
    AllowCONNECT 443 873
    <Proxy *>
        <Limit CONNECT GET POST>
            Order deny,allow
            Allow from 192.168.0.0/16 127.0.0.1
        </Limit>
        <LimitExcept CONNECT GET POST>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Proxy>
</VirtualHost>
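
The netstat check from the steps above can be scripted on the proxy host. The following is an added example, not part of the original report or of httpd: it counts ESTABLISHED upstream connections (foreign port 80, 21 or 443) in excess of the ESTABLISHED client connections on the proxy listen socket. The function names and the sample netstat output are constructed for illustration, and the count is a heuristic, since other processes on the host may also hold outbound connections.

```sh
#!/bin/sh
# Heuristic: each proxied download needs one client connection on the listen
# socket and one upstream connection. Upstream connections beyond the number
# of connected clients are candidates for downloads the client already aborted.

# Reads `netstat -tn` style output on stdin.
# $1 = proxy listen socket as netstat prints it, e.g. 192.168.1.1:3128
count_orphaned_upstreams() {
    awk -v listen="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            if ($4 == listen) { clients++; next }   # client -> proxy
            n = split($5, parts, ":")
            port = parts[n]                          # foreign port
            if (port == 80 || port == 21 || port == 443) upstream++
        }
        END { d = upstream - clients; print (d > 0 ? d : 0) }
    '
}

# Constructed sample: one client still connected, three upstream transfers
# running, so two upstream connections have no client behind them.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:3128        0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:3128        192.168.0.23:41022      ESTABLISHED
tcp        0      0 192.168.1.1:3128        192.168.0.23:41020      TIME_WAIT
tcp   131072      0 203.0.113.10:40112      198.51.100.7:80         ESTABLISHED
tcp   131072      0 203.0.113.10:40114      198.51.100.7:80         ESTABLISHED
tcp    65536      0 203.0.113.10:40118      198.51.100.9:80         ESTABLISHED
EOF
}

# On a live proxy: netstat -tn | count_orphaned_upstreams 192.168.1.1:3128
sample_netstat | count_orphaned_upstreams 192.168.1.1:3128
```

A value that stays above zero while clients are idle matches the behaviour described in this report.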

Comment 1 Joe Orton 2004-11-10 09:27:56 UTC
Thanks for the report.

Comment 2 Joe Orton 2005-03-02 18:49:35 UTC
Experimental test packages are now available which contain
fixes for the above issues.  These packages are unsupported
and have not gone through the Red Hat QA process; feedback
from testing them out is very welcome.

http://people.redhat.com/jorton/Taroon-httpd

Any feedback from testing these packages out is very welcome.


Comment 3 Dennis Gregorovic 2005-05-19 13:01:35 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-224.html


