Bug 61464 - mod_authnz_fcgi uses a hard-coded value of 30 sec as the socket io timeout value
Summary: mod_authnz_fcgi uses a hard-coded value of 30 sec as the socket io timeout value
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_authnz_fcgi (show other bugs)
Version: 2.4.16
Hardware: All Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2017-08-28 08:53 UTC by farhanz
Modified: 2020-11-01 11:13 UTC (History)
1 user (show)



Attachments
An optional configurable socket io timeout parameter patch file for mod_authnz_fcgi (2.94 KB, patch)
2017-08-28 09:48 UTC, farhanz
Details | Diff
Use the request timeout directive value as the socket IO timeout value (568 bytes, patch)
2017-08-28 10:31 UTC, farhanz
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description farhanz 2017-08-28 08:53:22 UTC
- mod_authnz_fcgi uses a hard-coded 30 sec value as the socket IO timeout value to write to and read from a back end FCGI Authorizer application.
- While this timeout value seems sufficient, in certain cases it may not be.
- Further, instead of hard-coding this parameter, a user should have an option to be able to configure a suitable timeout of his choice.
- If none is specified, a certain default timeout (like the request timeout of connection timeout) needs to be used.

Steps-to-repro:

1. Sample FCGI Authorizer application which can be started with fcgistarter: 
   fcgistarter -c <fcgi app name> -p 5555 -i 127.0.0.1 -N 1
   (Refer to the fcgistarter documentation)
2. Note that in the above app, a sleep of 32 secs (any value greater than 30 sec) needs to be induced to repro the issue.
3. Configure the mod_authnz_fcgi module in httpd.conf:
   LoadModule authnz_fcgi_module /usr/lib/apache2/modules/mod_authnz_fcgi.so

Actual results:
The httpd daemon returns an HTTP 503 Service Unavailable status code back to the client after 30 secs. However, in the back end, the authentication was handled (success or failure).

Expected results:
- The status code as returned from the FCGI application after authentication.
- Or, HTTP 503 service unavailable if the configured timeout elapses.
Comment 1 farhanz 2017-08-28 09:48:13 UTC
Created attachment 35263 [details]
An optional configurable socket io timeout parameter patch file for mod_authnz_fcgi

An optional configurable socket IO timeout parameter patch file for mod_authnz_fcgi.

This patch could be used for extending the AuthnzFcgiDefineProvider directive to include an optional socket io timeout parameter. For e.g.:

AuthnzFcgiDefineProvider AuthnzFcgiDefineProvider authnz my-fcgi-app fcgi://127.0.0.1:5555/ timeout=60

The above line sets the socket IO timeout to 60 secs.

If no timeout is specified, then the standard HTTP request timeout applies.
Comment 2 farhanz 2017-08-28 10:31:02 UTC
Created attachment 35264 [details]
Use the request timeout directive value as the socket IO timeout value

Approach 2:

Utilise the HTTP request TimeOut directive value as the socket IO timeout instead of the current hard-coded value of 30 secs.