Bug 61464

Summary: mod_authnz_fcgi uses a hard-coded value of 30 sec as the socket io timeout value
Product: Apache httpd-2 Reporter: farhanz <farhaan.syed>
Component: mod_authnz_fcgiAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: normal CC: farhaan.syed
Priority: P2 Keywords: PatchAvailable
Version: 2.4.16   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Attachments: An optional configurable socket io timeout parameter patch file for mod_authnz_fcgi
Use the request timeout directive value as the socket IO timeout value

Description farhanz 2017-08-28 08:53:22 UTC 
- mod_authnz_fcgi uses a hard-coded 30 sec value as the socket IO timeout value to write to and read from a back end FCGI Authorizer application.
- While this timeout value seems sufficient, in certain cases it may not be.
- Further, instead of hard-coding this parameter, a user should have an option to be able to configure a suitable timeout of his choice.
- If none is specified, a certain default timeout (like the request timeout of connection timeout) needs to be used.

Steps-to-repro:

1. Sample FCGI Authorizer application which can be started with fcgistarter: 
   fcgistarter -c <fcgi app name> -p 5555 -i 127.0.0.1 -N 1
   (Refer to the fcgistarter documentation)
2. Note that in the above app, a sleep of 32 secs (any value greater than 30 sec) needs to be induced to repro the issue.
3. Configure the mod_authnz_fcgi module in httpd.conf:
   LoadModule authnz_fcgi_module /usr/lib/apache2/modules/mod_authnz_fcgi.so

Actual results:
The httpd daemon returns an HTTP 503 Service Unavailable status code back to the client after 30 secs. However, in the back end, the authentication was handled (success or failure).

Expected results:
- The status code as returned from the FCGI application after authentication.
- Or, HTTP 503 service unavailable if the configured timeout elapses.
Comment 1 farhanz 2017-08-28 09:48:13 UTC 
Created attachment 35263 [details]
An optional configurable socket io timeout parameter patch file for mod_authnz_fcgi

An optional configurable socket IO timeout parameter patch file for mod_authnz_fcgi.

This patch could be used for extending the AuthnzFcgiDefineProvider directive to include an optional socket io timeout parameter. For e.g.:

AuthnzFcgiDefineProvider AuthnzFcgiDefineProvider authnz my-fcgi-app fcgi://127.0.0.1:5555/ timeout=60

The above line sets the socket IO timeout to 60 secs.

If no timeout is specified, then the standard HTTP request timeout applies.
Comment 2 farhanz 2017-08-28 10:31:02 UTC 
Created attachment 35264 [details]
Use the request timeout directive value as the socket IO timeout value

Approach 2:

Utilise the HTTP request TimeOut directive value as the socket IO timeout instead of the current hard-coded value of 30 secs.