Bug 38369

Summary: mod_proxy keeps alive connections that should be broken
Product: Apache httpd-2 Reporter: Claire Chauvet <claire.chauvet>
Component: mod_proxyAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED LATER    
Severity: enhancement Keywords: MassUpdate
Priority: P2    
Version: 2.2.0   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description Claire Chauvet 2006-01-24 17:50:59 UTC 
I use an Apache as a reverse proxy to send request to an other Apache Web server.
When I close the connection (whith a clean socket shutdown or not), the reverse
proxy does not break the connection with the target web server.
It's really a problem when a web application use the broken connection to detect
a job cancellation. And i think this could be used for denial of service attacks.
Comment 1 Christian BOITEL 2006-08-29 17:19:31 UTC 
I have posted an issue to APR team which is related to this one. 
http://issues.apache.org/bugzilla/show_bug.cgi?id=40348

I would actually expect mod_proxy to keep as much as smax connections opened 
but it will not: under normal load situation, pool to backend web server 
remain at the size of the maximum used.
=> always closing connections would lead to poor performance 

For http connections, a quick workaround is to disabled keepalive connections 
on the backend servers: better is to configure keepalive connections with 
reasonable timeout.
Comment 2 Nick Kew 2007-09-08 15:37:01 UTC 
Connection is defined in RFC2616 as a hop-by-hop header.  Thus the transaction
between client and proxy is independent of that between proxy and backend.

Reclassifying this as an enhancement request, to be able to control behaviour.
Comment 3 William A. Rowe Jr. 2018-11-07 21:09:21 UTC 
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.