da_kidd_er
01-24-2005, 03:06 AM
When using RHEL3 Apache as a forwarding proxy, Apache continues to download
files via http/ftp, when the client has aborted the download.
mod_cache is NOT used as caching is the job of the squid proxy in
chain with the apache.
When a user requests a huge download via http/ftp, e.g. a CD-ROM
ISO-Image and aborts this download soon after, the Apache server still
downloads the whole ISO-Image. If a user tries several times, you get
more apache-processes each downloading the whole image. This easily
leads to a DOS, because the utilization of the network connection to
the internet will go to 100% slowing down other connections (if the
line is billed by volume, it will result in higher costs, too).
You can check the running downloads e.g. with netstat.
Version-Release number of selected component (if applicable):
httpd-2.0.46-40.ent
How reproducible:
Always
Steps to Reproduce:
1. set up apache as forwarding proxy for http/ftp/ssl
2. start huge downloads via this proxy and abort them as soon as the
download starts
3. watch netstat for established connections and the utilization of
your outgoing network interface
Actual Results: all aborted downloads proceed
Expected Results: aborted downloads should have been aborted by the
apache server, too
Additional info:
Relevant parts of the Apache configuration:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule cache_module modules/mod_cache.so
Listen 192.168.1.1:3128
<VirtualHost 192.168.1.1:3128>
ProxyRequests On
AllowCONNECT 443 873
<Proxy *>
<Limit CONNECT GET POST>
Order deny,allow
Allow from 192.168.0.0/16 127.0.0.1
</Limit>
<LimitExcept CONNECT GET POST>
Order deny,allow
Deny from all
</LimitExcept>
....etc...
Any help would be greatly appreciated. Thanks
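The report suggests checking the running downloads with netstat. Below is an added example (my own code, not the poster's, and not part of httpd) that turns that manual check into a repeatable one: it parses `netstat -tn` style output on the proxy host, counts client connections that are still ESTABLISHED on the proxy listener from the `Listen` line above, counts ESTABLISHED upstream connections to typical http/ftp/ssl ports, and reports the difference as a lower bound on orphaned upstream fetches that no client is waiting for. The netstat lines are constructed sample data, the external proxy address 203.0.113.10 and the upstream port set are assumptions, and the heuristic assumes one upstream connection per client request (FTP data channels on port 20 are deliberately not counted).

```python
import subprocess
from collections import Counter

# Constructed sample of `netstat -tn` output on the proxy host (not real data).
# Five upstream-style connections remain ESTABLISHED although only one client
# connection to the proxy listener is still open.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:3128        192.168.5.20:41022      ESTABLISHED
tcp        0      0 203.0.113.10:48812      198.51.100.7:80         ESTABLISHED
tcp        0      0 203.0.113.10:48813      198.51.100.7:80         ESTABLISHED
tcp        0      0 203.0.113.10:48900      198.51.100.9:21         ESTABLISHED
tcp        0      0 203.0.113.10:48950      198.51.100.9:20         ESTABLISHED
tcp        0      0 192.168.1.1:3128        192.168.5.21:50110      TIME_WAIT
"""

PROXY_LISTENER = "192.168.1.1:3128"          # from the Listen line in the report
UPSTREAM_PORTS = {"80", "21", "443", "873"}  # assumption: http, ftp control, AllowCONNECT ports


def parse_netstat(text):
    """Return a list of {local, remote, state} dicts for TCP rows only."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        # skip the banner and header; data rows start with the protocol name
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        conns.append({"local": parts[3], "remote": parts[4], "state": parts[5]})
    return conns


def _port(addr):
    return addr.rsplit(":", 1)[1]


def analyse(text):
    """Compare client-facing and upstream ESTABLISHED connections.

    Returns a dict with both counts, a lower bound on orphaned upstream
    downloads, and the per-host breakdown of upstream connections.
    """
    conns = [c for c in parse_netstat(text) if c["state"] == "ESTABLISHED"]
    client_side = [c for c in conns if c["local"] == PROXY_LISTENER]
    # Only count FTP control connections (21), not data channels (20), so one
    # FTP download is not counted twice; the result is therefore a lower bound.
    upstream = [c for c in conns if _port(c["remote"]) in UPSTREAM_PORTS]
    by_host = Counter(c["remote"].rsplit(":", 1)[0] for c in upstream)
    return {
        "client_established": len(client_side),
        "upstream_established": len(upstream),
        "orphan_lower_bound": max(0, len(upstream) - len(client_side)),
        "upstream_by_host": dict(by_host),
    }


def check_live(threshold=2):
    """Run netstat on this host and return True when orphans exceed threshold."""
    out = subprocess.run(["netstat", "-tn"], capture_output=True, text=True).stdout
    result = analyse(out)
    return result["orphan_lower_bound"] > threshold, result


if __name__ == "__main__":
    r = analyse(SAMPLE_NETSTAT)
    print(f"clients still connected : {r['client_established']}")
    print(f"upstream fetches open   : {r['upstream_established']}")
    print(f"orphaned (lower bound)  : {r['orphan_lower_bound']}")
    for host, n in sorted(r["upstream_by_host"].items()):
        print(f"  {host}: {n} connection(s)")
```

Run from cron with `check_live()` and a threshold suited to the normal concurrency of the proxy; a steadily growing orphan count after clients have gone away is the symptom described in the report, and it is cheaper to alert on it than to wait for the uplink to saturate.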