Ssh – Apache2 reverse proxy connections staying persistent, filling ssh channels

Tags: apache-2.2, port-forwarding, reverse-proxy, ssh

I have a webserver (Amazon Linux EC2 instance running Apache2), let's call it "server A", on which I have set up a reverse proxy using:

    # (All the appropriate modules are loaded higher up in the conf file)
    # ...
    ProxyRequests off
    ProxyPass /booth5/ http://localhost:8005/
    ProxyHTMLURLMap http://localhost:8005 /booth5

    <Location /booth5/>
        ProxyPassReverse /
        SetOutputFilter  proxy-html
        ProxyHTMLURLMap  /        /booth5/
        ProxyHTMLURLMap  /booth5  /booth5
        RequestHeader    unset  Accept-Encoding
    </Location>

Where localhost:8005 is a forwarded port over an ssh connection to a server sitting behind a firewall.

This setup works well and runs for a while, but after some time server A doesn't send any new requests to the proxied server.

The server connections to the proxied server are staying up:

    # netstat -napt | grep 8005
    tcp        0      0 127.0.0.1:8005              0.0.0.0:*                   LISTEN      22675/sshd
    tcp        1      0 127.0.0.1:38860             127.0.0.1:8005              CLOSE_WAIT  28910/httpd
    tcp        1      0 127.0.0.1:39453             127.0.0.1:8005              CLOSE_WAIT  28548/httpd
    tcp        1      0 127.0.0.1:44596             127.0.0.1:8005              CLOSE_WAIT  28542/httpd
    tcp        1      0 127.0.0.1:38774             127.0.0.1:8005              CLOSE_WAIT  28549/httpd
    tcp        1      0 127.0.0.1:39997             127.0.0.1:8005              CLOSE_WAIT  29889/httpd
    tcp        1      0 127.0.0.1:39135             127.0.0.1:8005              CLOSE_WAIT  28544/httpd
    tcp        0      0 ::1:8005                    :::*                        LISTEN      22675/sshd

I believe this is "using up" all the channels on the ssh tunnel and I want server A to behave in a way that it sends http requests to the proxied server as necessary, but then clears the connections.

Initially I suspected this was due to Apache on the proxied server doing persistent connections, so I updated the config there to include:

    # Timeout: The number of seconds before receives and sends time out.
    # Timeout 300
    Timeout 30

    # KeepAlive: Whether or not to allow persistent connections (more than
    # one request per connection). Set to "Off" to deactivate.
    KeepAlive On

    # MaxKeepAliveRequests: The maximum number of requests to allow
    # during a persistent connection. Set to 0 to allow an unlimited amount.
    # We recommend you leave this number high, for maximum performance.
    #MaxKeepAliveRequests 100
    MaxKeepAliveRequests 6

    # KeepAliveTimeout: Number of seconds to wait for the next request from the
    # same client on the same connection.
    KeepAliveTimeout 5

I haven't tried setting KeepAlive Off yet. I was trying to get some benefit from short/persistent connections, but they're not closing.

Is Apache config the correct place to solve this? Is it instead part of the ssh config for the tunnel? (config for that can be provided if needed).

Best Answer

Unfortunately, it looks like this is a known bug with Apache and the mod_proxy code: https://issues.apache.org/bugzilla/show_bug.cgi?id=51814

I've switched to an alternative solution now.
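
An added example, not part of the original question or answer: a small Python check that parses `netstat -napt` output like the listing in the question and counts, per process, the sockets stuck in CLOSE_WAIT toward the forwarded port, so the leak can be alerted on before the tunnel stops serving requests. The sample rows are constructed, and the function names and the alert threshold are assumptions.

```python
from collections import Counter

# Constructed sample, modelled on the netstat listing in the question.
SAMPLE = """\
tcp        0      0 127.0.0.1:8005      0.0.0.0:*             LISTEN      22675/sshd
tcp        1      0 127.0.0.1:38860     127.0.0.1:8005        CLOSE_WAIT  28910/httpd
tcp        1      0 127.0.0.1:39453     127.0.0.1:8005        CLOSE_WAIT  28548/httpd
tcp        0      0 127.0.0.1:40112     127.0.0.1:8005        ESTABLISHED 28548/httpd
tcp        1      0 127.0.0.1:44596     127.0.0.1:8005        CLOSE_WAIT  28548/httpd
tcp        0      0 10.0.0.5:22         198.51.100.7:51234    ESTABLISHED 22675/sshd
tcp        0      0 ::1:8005            :::*                  LISTEN      22675/sshd
"""

def parse_netstat(text):
    """Yield (local, foreign, state, pid, program) for each TCP row of `netstat -napt`."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp"):
            continue  # skips headers, blank lines and non-TCP rows
        pid, _, prog = f[6].partition("/")
        yield f[3], f[4], f[5], pid, prog

def close_wait_by_process(text, tunnel_port):
    """Count CLOSE_WAIT sockets whose foreign end is the forwarded port, per (pid, program)."""
    # CLOSE_WAIT: the peer (here the sshd end of the tunnel) has closed its side,
    # but the local process has not yet closed its own socket.
    counts = Counter()
    for local, foreign, state, pid, prog in parse_netstat(text):
        if state == "CLOSE_WAIT" and foreign.rsplit(":", 1)[1] == str(tunnel_port):
            counts[(pid, prog)] += 1
    return counts

def tunnel_alert(text, tunnel_port, threshold):
    """Return (alert, total, counts); the threshold is an assumed, site-specific value."""
    counts = close_wait_by_process(text, tunnel_port)
    total = sum(counts.values())
    return total >= threshold, total, counts

if __name__ == "__main__":
    alert, total, counts = tunnel_alert(SAMPLE, 8005, threshold=3)
    print("ALERT" if alert else "ok", "- CLOSE_WAIT sockets toward port 8005:", total)
    for (pid, prog), n in counts.most_common():
        print(f"  pid {pid} ({prog}): {n}")
```

In practice the `text` argument would be the captured output of `netstat -napt`, run on a schedule.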