[ale] apache wierdness
Yu, Jerry
Jerry.Yu at Voicecom.com
Thu Apr 14 13:26:23 EDT 2005
Check out the returned ICMP packet. The MTU is somewhat odd. Note you
have <DF> set.
The 'need to frag' actually explains why errors (404/403/500) can get
through, I think, because they are small enough to pass w/o being
forced to frag (with one of the interfaces failing to frag) even with the
smallest MTU in the route.
# -----Original Message-----
# From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of James P. Kinney III
# Sent: Thursday, April 14, 2005 11:58 AM
# To: Atlanta Linux Enthusiasts
# Subject: RE: [ale] apache wierdness
#
# On Thu, 2005-04-14 at 10:30 -0400, Yu, Jerry wrote:
# > what's the results for /index.html and /cgi-bin/printenv when you try
# > it from
# > 1) from localhost
#
# works OK
# > 2) from DMZ or intranet, aka., behind the firewall which NATs the
# > apache
# works OK
# > 2) from outside
# Works OK on some ISP's. Speakeasy is NOT one that works.
# >
# > apache log: does access_log shows the hang request as an success?
# Log shows connection but no request.
#
#
# 216.27.162.82 is my machine, 172.16.10.2 is the DMZ internal interface,
# 172.16.10.1 is the web server. 216.27.164.101 is the external interface.
# Here's a tcp dump of the DMZ interface:
#
# tcpdump: listening on eth1
# 09:19:44.310293 216.27.164.101.53964 > 172.16.10.1.https: S 865145535:865145535(0) win 5840 <mss 1460,sackOK,timestamp 150425947 0,nop,wscale 2> (DF)
# 09:19:44.310419 172.16.10.1.https > 216.27.164.101.53964: S 2810103798:2810103798(0) ack 865145536 win 5792 <mss 1460,sackOK,timestamp 129832767 150425947,nop,wscale 0> (DF)
# 09:19:44.329400 216.27.164.101.53964 > 172.16.10.1.https: . ack 1 win 1460 <nop,nop,timestamp 150425965 129832767> (DF)
# 09:19:44.338396 216.27.164.101.53964 > 172.16.10.1.https: P 1:121(120) ack 1 win 1460 <nop,nop,timestamp 150425965 129832767> (DF)
# 09:19:44.338556 172.16.10.1.https > 216.27.164.101.53964: . ack 121 win 5792 <nop,nop,timestamp 129832770 150425965> (DF)
# 09:19:44.339059 172.16.10.1.https > 216.27.164.101.53964: P 1:123(122) ack 121 win 5792 <nop,nop,timestamp 129832770 150425965> (DF)
# 09:19:44.364614 216.27.164.101.53964 > 172.16.10.1.https: . ack 123 win 1460 <nop,nop,timestamp 150426001 129832770> (DF)
# 09:19:44.392973 216.27.164.101.53964 > 172.16.10.1.https: P 121:645(524) ack 123 win 1460 <nop,nop,timestamp 150426002 129832770> (DF)
# 09:19:44.425129 172.16.10.1.https > 216.27.164.101.53964: . ack 645 win 6432 <nop,nop,timestamp 129832779 150426002> (DF)
# 09:19:44.453231 216.27.164.101.53964 > 172.16.10.1.https: P 645:816(171) ack 123 win 1460 <nop,nop,timestamp 150426081 129832779> (DF)
# 09:19:44.453388 172.16.10.1.https > 216.27.164.101.53964: . ack 816 win 7504 <nop,nop,timestamp 129832781 150426081> (DF)
# 09:19:44.458288 172.16.10.1.https > 216.27.164.101.53964: P 123:370(247) ack 816 win 7504 <nop,nop,timestamp 129832782 150426081> (DF)
# 09:19:44.465501 172.16.10.1.https > 216.27.164.101.53964: . 370:1818(1448) ack 816 win 7504 <nop,nop,timestamp 129832782 150426081> (DF)
# 09:19:44.465655 172.16.10.2 > 172.16.10.1: icmp: 216.27.162.82 unreachable - need to frag (mtu 1465) [tos 0xc0]
# 09:19:44.531404 216.27.164.101.53964 > 172.16.10.1.https: . ack 370 win 1728 <nop,nop,timestamp 150426168 129832782> (DF)
# 09:19:44.531932 172.16.10.1.https > 216.27.164.101.53964: . 1818:3266(1448) ack 816 win 7504 <nop,nop,timestamp 129832789 150426168> (DF)
# 09:19:44.532048 172.16.10.2 > 172.16.10.1: icmp: 216.27.162.82 unreachable - need to frag (mtu 1465) [tos 0xc0]
# 09:19:44.531943 172.16.10.1.https > 216.27.164.101.53964: P 3266:3681(415) ack 816 win 7504 <nop,nop,timestamp 129832789 150426168> (DF)
# 09:19:44.569365 216.27.164.101.53964 > 172.16.10.1.https: . ack 370 win 1728 <nop,nop,timestamp 150426206 129832782,nop,nop,sack sack 1 {3266:3681} > (DF)
# 09:19:45.545528 172.16.10.1.https > 216.27.164.101.53964: . 370:1818(1448) ack 816 win 7504 <nop,nop,timestamp 129832891 150426206> (DF)
# 09:19:45.545624 172.16.10.2 > 172.16.10.1: icmp: 216.27.162.82 unreachable - need to frag (mtu 1465) [tos 0xc0]
# 09:19:47.585536 172.16.10.1.https > 216.27.164.101.53964: . 370:1818(1448) ack 816 win 7504 <nop,nop,timestamp 129833095 150426206> (DF)
# 09:19:47.585668 172.16.10.2 > 172.16.10.1: icmp: 216.27.162.82 unreachable - need to frag (mtu 1465) [tos 0xc0]
# 09:19:51.665535 172.16.10.1.https > 216.27.164.101.53964: . 370:1818(1448) ack 816 win 7504 <nop,nop,timestamp 129833503 150426206> (DF)
# 09:19:51.665681 172.16.10.2 > 172.16.10.1: icmp: 216.27.162.82 unreachable - need to frag (mtu 1465) [tos 0xc0]
#
# 25 packets received by filter
# 0 packets dropped by kernel
#
# >
# > # -----Original Message-----
# > # From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of James P. Kinney III
# > # Sent: Thursday, April 14, 2005 8:12 AM
# > # To: rsj at radio.org; Atlanta Linux Enthusiasts
# > # Subject: Re: [ale] apache wierdness
# > #
# > # On Wed, 2005-04-13 at 21:27 -0400, Randal Jarrett wrote:
# > # > Since the IP address has changed have you made sure that you flushed
# > # > all the caches on your browser?
# > # >
# > # Tried from a freshly built machine (2 actually, a linux box and an XP
# > # Pro) with the same results.
# > # >
# > # > On Wed, 2005-04-13 at 16:46 -0400, James P. Kinney III wrote:
# > # > > Scenario:
# > # > >
# > # > > apache server behind nat firewall.
# > # > > Network changes just occurred.
# > # > > Nat reconfigured to accept new external IP and redirect to DMZ
# > # > > apache server.
# > # > >
# > # > > Situation:
# > # > >
# > # > > _partial_ connections. If login to web script with bad user name or
# > # > > password, system returns the correct "bad username or password.
# > # > > Login failed" error message from the login script.
# > # > >
# > # > > Using a good combination, I get no response. It looks like a server
# > # > > hung on connect. wget eventually times out. BUT! The person who
# > # > > wrote the app on the server connects just fine with the SAME LOGIN
# > # > > THAT FAILS WITH ME?!?!?!
# > # > >
# > # > > Both of us see the same IP address. No errors in the log files.
# > # > >
# > # > > If I try and access a perl script in cgi-bin called printenv with
# > # > > the perms set to no execute, I get an apache error message telling
# > # > > me it can't be executed. If the perms are fixed, the server just sits
# > # > > and does NOTHING.
# > # > >
# > # > > I have never seen something like this before and am completely
# > # > > perplexed.
# > # > >
# > # > > The firewall now has old and new connections on it (i.e. old IP and
# > # > > new IP) We are in the process of migrating to a new ISP/data line
# > # > > provider.
# > # > >
# > # > > If everything failed to go through, I could understand it being the
# > # > > network change. But some stuff comes through. Static pages don't
# > # > > happen.
# > # > > Error messages happen.
# > # > >
# > # > >
# > # > > _______________________________________________
# > # > > Ale mailing list
# > # > > Ale at ale.org
# > # > > http://www.ale.org/mailman/listinfo/ale
# > # --
# > # James P. Kinney III \Changing the mobile computing world/
# > # CEO & Director of Engineering \ one Linux user /
# > # Local Net Solutions,LLC \ at a time. /
# > # 770-493-8244 \.___________________________./
# > # http://www.localnetsolutions.com
# > #
# > # GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
# > # <jkinney at localnetsolutions.com> Fingerprint = 3C9E 6366 54FC
# > # A3FE BA4D 0659 6190 ADC3 829C 6CA7
# > #
# --
# James P. Kinney III \Changing the mobile computing world/
# CEO & Director of Engineering \ one Linux user /
# Local Net Solutions,LLC \ at a time. /
# 770-493-8244 \.___________________________./
# http://www.localnetsolutions.com
#
# GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
# <jkinney at localnetsolutions.com> Fingerprint = 3C9E 6366 54FC
# A3FE BA4D 0659 6190 ADC3 829C 6CA7
#
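
The pattern this reply points to in the quoted trace (full-size DF segments resent after each ICMP "need to frag", while smaller replies pass) can be picked out of a capture mechanically. The script below is an added example, not part of the original thread; its sample lines are constructed from the quoted trace with the mail wrapping removed, and the 52-byte header overhead is an assumption (IPv4 + TCP + timestamp option).

```python
import re
from collections import Counter

# Constructed sample: unwrapped lines modelled on the trace quoted in the thread.
T = "172.16.10.1.https > 216.27.164.101.53964:"
I = "172.16.10.2 > 172.16.10.1: icmp: 216.27.162.82 unreachable - need to frag (mtu 1465) [tos 0xc0]"
SAMPLE = [
    f"09:19:44.458288 {T} P 123:370(247) ack 816 win 7504 <nop,nop,timestamp 129832782 150426081> (DF)",
    f"09:19:44.465501 {T} . 370:1818(1448) ack 816 win 7504 <nop,nop,timestamp 129832782 150426081> (DF)",
    f"09:19:44.465655 {I}",
    f"09:19:45.545528 {T} . 370:1818(1448) ack 816 win 7504 <nop,nop,timestamp 129832891 150426206> (DF)",
    f"09:19:45.545624 {I}",
    f"09:19:47.585536 {T} . 370:1818(1448) ack 816 win 7504 <nop,nop,timestamp 129833095 150426206> (DF)",
    f"09:19:47.585668 {I}",
]

# Old-style tcpdump text: "time src > dst: flags first:last(len) ... (DF)"
SEG = re.compile(r"^\S+ (\S+) > (\S+): \S+ (\d+):(\d+) ?\((\d+)\) .*\(DF\)\s*$")
ICMP = re.compile(r"^\S+ \S+ > (\S+): icmp: \S+ unreachable - need to frag \(mtu (\d+)\)")
HDR = 52  # assumption: 20 B IPv4 + 20 B TCP + 12 B timestamp option, no other options


def find_pmtud_stalls(lines, hdr=HDR):
    """Return DF data segments larger than a reported MTU that were sent more than once."""
    sent = Counter()  # (sender, seq_start, seq_end, payload_len) -> transmissions
    mtu = {}          # host that received "need to frag" -> smallest MTU reported
    for line in lines:
        if m := ICMP.match(line):
            host, size = m.group(1), int(m.group(2))
            mtu[host] = min(size, mtu.get(host, size))
        elif m := SEG.match(line):
            src, _dst, start, end, length = m.groups()
            if int(length):  # ignore SYNs and bare ACKs
                sender = src.rsplit(".", 1)[0]  # drop the port/service suffix
                sent[(sender, int(start), int(end), int(length))] += 1
    stalls = []
    for (sender, start, end, length), n in sent.items():
        limit = mtu.get(sender)
        if limit is not None and n > 1 and length + hdr > limit:
            stalls.append({"sender": sender, "seq": (start, end),
                           "ip_len": length + hdr, "mtu": limit,
                           "transmissions": n, "max_payload": limit - hdr})
    return stalls


if __name__ == "__main__":
    for stall in find_pmtud_stalls(SAMPLE):
        print(stall)
```

On the sample it reports only the 1448-byte segment: 1500 bytes on the wire against a reported MTU of 1465, sent three times, while the 247-byte reply is not flagged.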