Bug 63325

Summary: Default body_min_rate not enabled in mod_reqtimeout
Product: Apache httpd-2 Reporter: Oliver H <oliver>
Component: mod_reqtimeoutAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: REOPENED ---    
Severity: major CC: apache-bugs.a2, pmenzel+bz.apache.org
Priority: P2 Keywords: FixedInTrunk
Version: 2.4.39   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Attachments: Fix reqtimeout macros lowercase

Description Oliver H 2019-04-08 16:46:26 UTC
The changes to mod_reqtimeout made in 2.4.39 (as per bug 61310) have no default for the body_min_rate parameter, contrary to both the documentation and the behaviour of <=2.4.38.

This means that if no explicit RequestReadTimeout statement is made in httpd.conf, by default the server will return a 408 timeout after 20s even if the client is actively sending data to the server (e.g. for a large file upload). I found this bug when users reported they could no longer upload files to our websites.

I have tested under a fresh install of both Linux (Ubuntu) and FreeBSD (11 and 12).

While some distributions such as ubuntu explicitly define RequestReadTimeout in their default config, the documentation states the default is body=20,minrate=500 (which was correct for <=2.4.38). This means 2.4.39 breaks file uploads where the documented default is relied on, which is why I've marked this bug as major.

WORKAROUND: Explicitly set the default:
RequestReadTimeout handshake=0 header=20-40,MinRate=500 body=20,MinRate=500
in httpd.conf and reload.

It looks like the changes made to mod_reqtimeout in 2.4.39 were fairly major in order to incorporate the new "handshake" stage, so although I've tried, I'm afraid I'm unable to see where the problem might lie. Sorry I can't be more help diagnosing this.

Many thanks.
Comment 1 Yann Ylavic 2019-04-08 17:39:13 UTC
Thanks for the report.

Do you set RequestReadTimeout partly (e.g. body= but no ,MinRate=) or not at all?
Comment 2 Oliver H 2019-04-08 17:59:24 UTC
I would assume that defining a simple body=20 would automatically stop minrate from working, so no: my report is based on when there are no RequestReadTimeout declarations in any conf file (I grepped thoroughly to confirm).

Oliver
Comment 3 Yann Ylavic 2019-04-08 18:31:46 UTC
Created attachment 36514 [details]
Fix reqtimeout macros lowercase

The macros MRT_DEFAULT_*_MIN_RATE which contain the default value were partially made lowercase for some magic, unfortunately the ones tested in reqtimeout_hooks() were not renammed, hence the bug.

Could you please try with this patch?
Comment 4 Yann Ylavic 2019-04-08 18:47:18 UTC
Fixed in r1857129, will propose a backport to next 2.4.x.
Comment 5 Oliver H 2019-04-09 08:49:20 UTC
Huge thanks for the quick work, I can confirm the patch fixes the issue.
Comment 6 Yann Ylavic 2019-04-09 14:00:37 UTC
*** Bug 63329 has been marked as a duplicate of this bug. ***
Comment 7 Rainer Jung 2019-07-29 12:56:44 UTC
*** Bug 63617 has been marked as a duplicate of this bug. ***
Comment 8 Christophe JAILLET 2019-08-17 20:00:42 UTC
This has been backported in 2.4.x in r1859376.

This is part of 2.4.40.
Comment 9 geegirls3 2022-08-04 12:45:25 UTC
I'm using Apache/2.4.54 on AWS Linux2 (Red Hat) 2 server, mod_jk Tomcat9 and Apache. I'm having this same issue for a large file uploads, although my app still processes, any file over 2GB breaks the file upload to the server.  I was looking for RequestReadTimeout statement in the httpd.conf file but it does not exist, how can I change this?

One other thing, if I append :8443 at the end of my url, then I'm able to upload large files.  Can someone help me with this?