From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041104 Firefox/1.0RC2

Description of problem:
When using Apache as a forwarding proxy, Apache continues to download files via http/ftp, when the client has aborted the download. mod_cache is NOT used as caching is the job of the squid proxy in chain with the apache.

When a user requests a huge download via http/ftp, e.g. a CD-ROM ISO-Image and aborts this download soon after, the Apache server still downloads the whole ISO-Image. If a user tries several times, you get more apache-processes each downloading the whole image. This easily leads to a DOS, because the utilization of the network connection to the internet will go to 100% slowing down other connections (if the line is billed by volume, it will result in higher costs, too).

You can check the running downloads e.g. with netstat.

Version-Release number of selected component (if applicable):
httpd-2.0.46-40.ent

How reproducible:
Always

Steps to Reproduce:
1. set up apache as forwarding proxy for http/ftp/ssl
2. start huge downloads via this proxy and abort them as soon as the download starts
3. watch netstat for established connections and the utilization of your outgoing network interface

Actual Results:
all aborted downloads proceed

Expected Results:
aborted downloads should have been aborted by the apache server, too

Additional info:
Relevant parts of the Apache configuration:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule cache_module modules/mod_cache.so

Listen 192.168.1.1:3128

<VirtualHost 192.168.1.1:3128>
    ProxyRequests On
    AllowCONNECT 443 873
    <Proxy *>
        <Limit CONNECT GET POST>
            Order deny,allow
            Allow from 192.168.0.0/16 127.0.0.1
        </Limit>
        <LimitExcept CONNECT GET POST>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Proxy>
</VirtualHost>
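The netstat check from step 3 above can be scripted on the proxy host. The following is an added example, not part of the original report or of httpd: it counts ESTABLISHED client connections on the listener against ESTABLISHED upstream connections and reports the surplus as transfers running without a client. The function names and sample output are constructed; the listener address and client ranges are assumed from the configuration in the report, and any peer outside those ranges is assumed to be an upstream server.

```shell
#!/bin/sh
# Added example (hypothetical helper): find proxy upstream transfers that
# have no client left. Listener and client ranges are assumed from the
# Listen and "Allow from" lines in the reported configuration.

LISTEN="192.168.1.1:3128"

# Reads `netstat -tn` output on stdin, prints "clients upstream orphaned".
# Idle keep-alive clients can only lower the orphan count, so the figure
# is a lower bound rather than an exact number.
orphaned_upstreams() {
    awk -v listen="$LISTEN" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            if ($4 == listen)
                clients++            # client side of a proxied request
            else if ($5 !~ /^(192\.168\.|127\.0\.0\.1:)/)
                upstream++           # peer is not a client, so it is upstream
        }
        END {
            orphaned = upstream - clients
            if (orphaned < 0) orphaned = 0
            printf "%d %d %d\n", clients, upstream, orphaned
        }'
}

# Constructed sample: one client still connected, one already gone
# (TIME_WAIT), three upstream fetches still running, one unrelated
# SSH session from the internal network.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:3128        192.168.1.50:41022      ESTABLISHED
tcp        0      0 192.168.1.1:3128        192.168.1.51:41100      TIME_WAIT
tcp   131072      0 192.168.1.1:35001       198.51.100.10:80        ESTABLISHED
tcp   131072      0 192.168.1.1:35002       198.51.100.10:80        ESTABLISHED
tcp    65536      0 192.168.1.1:35003       203.0.113.7:21          ESTABLISHED
tcp        0      0 192.168.1.1:22          192.168.1.9:50222       ESTABLISHED
EOF
}

sample_netstat | orphaned_upstreams
```

On a live proxy the input would come from `netstat -tn | orphaned_upstreams`; a non-zero third field that persists across several samples matches the behaviour described in the report.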
Thanks for the report.
Experimental test packages are now available which contain fixes for the above issues. These packages are unsupported and have not gone through the Red Hat QA process; feedback from testing them out is very welcome. http://people.redhat.com/jorton/Taroon-httpd Any feedback from testing these packages out is very welcome.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2005-224.html