Mailing List Archive

[Bug 65079] SSL Handshake failure causes requests to not be sent to load balanced application
https://bz.apache.org/bugzilla/show_bug.cgi?id=65079

David Betterton <dbetterton@agileassets.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Hardware|PC |Other

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 65079] SSL Handshake failure causes requests to not be sent to load balanced application [ In reply to ]
https://bz.apache.org/bugzilla/show_bug.cgi?id=65079

--- Comment #1 from David Betterton <dbetterton@agileassets.com> ---
This bug has the effect of creating a DoS situation from the attack, so it
appears to be a security vulnerability

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 65079] SSL Handshake failure causes requests to not be sent to load balanced application [ In reply to ]
https://bz.apache.org/bugzilla/show_bug.cgi?id=65079

--- Comment #2 from Yann Ylavic <ylavic.dev@gmail.com> ---
Aren't you looking for the proxy worker/BalancerMember parameter "retry=" (or
eventually "status=+i") described in [1]?

[1] https://httpd.apache.org/docs/2.4/en/mod/mod_proxy.html#proxypass

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 65079] SSL Handshake failure causes requests to not be sent to load balanced application [ In reply to ]
https://bz.apache.org/bugzilla/show_bug.cgi?id=65079

--- Comment #3 from David Betterton <dbetterton@agileassets.com> ---
(In reply to Yann Ylavic from comment #2)
> Aren't you looking for the proxy worker/BalancerMember parameter "retry="
> (or eventually "status=+i") described in [1]?
>
> [1] https://httpd.apache.org/docs/2.4/en/mod/mod_proxy.html#proxypass

This is what we have -

<Proxy balancer://mybalancer>
BalancerMember https://ukuappc1.agileassets.com:8443 route=worker1
redirect=worker2 timeout=3600 retry=900
BalancerMember https://ukuappc2.agileassets.com:8443 route=worker2
redirect=worker1 timeout=3600 retry=900
</Proxy>

Would using forcerecovery=On be a better option ?

I don't see an option to "try to recover immediately, but only once (or a small
number)"

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 65079] SSL Handshake failure causes requests to not be sent to load balanced application [ In reply to ]
https://bz.apache.org/bugzilla/show_bug.cgi?id=65079

--- Comment #4 from Yann Ylavic <ylavic.dev@gmail.com> ---
(In reply to David Betterton from comment #3)
>
> <Proxy balancer://mybalancer>
> BalancerMember https://ukuappc1.agileassets.com:8443 route=worker1
> redirect=worker2 timeout=3600 retry=900
> BalancerMember https://ukuappc2.agileassets.com:8443 route=worker2
> redirect=worker1 timeout=3600 retry=900
> </Proxy>

This configuration implies that when any BalancerMember is in error state (like
after the error from comment 1), it won't be retried/reused before 15 minutes.
I don't know your environment but it's quite a high value for me, aren't those
errors transient (how long)?
If the other BalancerMember also encounters an error during these 15 minutes
than "All workers are in error state" and your service bacomes unavailable.

>
> Would using forcerecovery=On be a better option ?

This would try to recover if all the workers are in error state, thus never
fail without having tried. It can be used in addition to your existing
configuration.
(Note that forcerecovery=on goes on the ProxyPass line or with a ProxySet in
the above <Proxy> block, not with each BalancerMember.)

If you don't want forcerecovery, you should consider lowering retry= at least.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 65079] SSL Handshake failure causes requests to not be sent to load balanced application [ In reply to ]
https://bz.apache.org/bugzilla/show_bug.cgi?id=65079

--- Comment #5 from David Betterton <dbetterton@agileassets.com> ---
(In reply to Yann Ylavic from comment #4)
> (In reply to David Betterton from comment #3)
> >
> > <Proxy balancer://mybalancer>
> > BalancerMember https://ukuappc1.agileassets.com:8443 route=worker1
> > redirect=worker2 timeout=3600 retry=900
> > BalancerMember https://ukuappc2.agileassets.com:8443 route=worker2
> > redirect=worker1 timeout=3600 retry=900
> > </Proxy>
>
> This configuration implies that when any BalancerMember is in error state
> (like after the error from comment 1), it won't be retried/reused before 15
> minutes.
> I don't know your environment but it's quite a high value for me, aren't
> those errors transient (how long)?
> If the other BalancerMember also encounters an error during these 15 minutes
> than "All workers are in error state" and your service becomes unavailable.
>
> >
> > Would using forcerecovery=On be a better option ?
>
> This would try to recover if all the workers are in error state, thus never
> fail without having tried. It can be used in addition to your existing
> configuration.
> (Note that forcerecovery=on goes on the ProxyPass line or with a ProxySet in
> the above <Proxy> block, not with each BalancerMember.)
>
> If you don't want forcerecovery, you should consider lowering retry= at
> least.

Thanks - we'll try lowering this and report back here

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 65079] SSL Handshake failure causes requests to not be sent to load balanced application [ In reply to ]
https://bz.apache.org/bugzilla/show_bug.cgi?id=65079

--- Comment #6 from Ruediger Pluem <rpluem@apache.org> ---
(In reply to Yann Ylavic from comment #4)
> (In reply to David Betterton from comment #3)

> >
> > Would using forcerecovery=On be a better option ?
>
> This would try to recover if all the workers are in error state, thus never
> fail without having tried. It can be used in addition to your existing
> configuration.

Isn't forcerecovery=on the default?

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 65079] SSL Handshake failure causes requests to not be sent to load balanced application [ In reply to ]
https://bz.apache.org/bugzilla/show_bug.cgi?id=65079

--- Comment #7 from Ruediger Pluem <rpluem@apache.org> ---
(In reply to David Betterton from comment #0)

> 140712548968192] [client 90.248.114.57:52517] AH01167:
> balancer://mybalancer: All workers are in error state for route (worker2),
> referer:

This error messages can only appear if nofailover is set to on either in the
ProxyPass for this balancer or via ProxySet in the Proxy block. It does not
show up in the Proxy block configuration below. What are your ProxyPass
directives?
Do you use
BalancerPersist on
somewhere in your configuration or do you have the balancer manager enabled
(http://httpd.apache.org/docs/2.4/mod/mod_proxy_balancer.html#balancer_manager)
and an admin set nofailover dynamically?

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org