Bug 63325 - Default body_min_rate not enabled in mod_reqtimeout
Summary: Default body_min_rate not enabled in mod_reqtimeout
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_reqtimeout (show other bugs)
Version: 2.4.39
Hardware: All Linux
: P2 major (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FixedInTrunk
: 63329 63617 (view as bug list)
Depends on:
Reported: 2019-04-08 16:46 UTC by Oliver H
Modified: 2019-08-17 20:00 UTC (History)
2 users (show)

Fix reqtimeout macros lowercase (2.75 KB, patch)
2019-04-08 18:31 UTC, Yann Ylavic
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Oliver H 2019-04-08 16:46:26 UTC
The changes to mod_reqtimeout made in 2.4.39 (as per bug 61310) have no default for the body_min_rate parameter, contrary to both the documentation and the behaviour of <=2.4.38.

This means that if no explicit RequestReadTimeout statement is made in httpd.conf, by default the server will return a 408 timeout after 20s even if the client is actively sending data to the server (e.g. for a large file upload). I found this bug when users reported they could no longer upload files to our websites.

I have tested under a fresh install of both Linux (Ubuntu) and FreeBSD (11 and 12).

While some distributions such as ubuntu explicitly define RequestReadTimeout in their default config, the documentation states the default is body=20,minrate=500 (which was correct for <=2.4.38). This means 2.4.39 breaks file uploads where the documented default is relied on, which is why I've marked this bug as major.

WORKAROUND: Explicitly set the default:
RequestReadTimeout handshake=0 header=20-40,MinRate=500 body=20,MinRate=500
in httpd.conf and reload.

It looks like the changes made to mod_reqtimeout in 2.4.39 were fairly major in order to incorporate the new "handshake" stage, so although I've tried, I'm afraid I'm unable to see where the problem might lie. Sorry I can't be more help diagnosing this.

Many thanks.
Comment 1 Yann Ylavic 2019-04-08 17:39:13 UTC
Thanks for the report.

Do you set RequestReadTimeout partly (e.g. body= but no ,MinRate=) or not at all?
Comment 2 Oliver H 2019-04-08 17:59:24 UTC
I would assume that defining a simple body=20 would automatically stop minrate from working, so no: my report is based on when there are no RequestReadTimeout declarations in any conf file (I grepped thoroughly to confirm).

Comment 3 Yann Ylavic 2019-04-08 18:31:46 UTC
Created attachment 36514 [details]
Fix reqtimeout macros lowercase

The macros MRT_DEFAULT_*_MIN_RATE which contain the default value were partially made lowercase for some magic, unfortunately the ones tested in reqtimeout_hooks() were not renammed, hence the bug.

Could you please try with this patch?
Comment 4 Yann Ylavic 2019-04-08 18:47:18 UTC
Fixed in r1857129, will propose a backport to next 2.4.x.
Comment 5 Oliver H 2019-04-09 08:49:20 UTC
Huge thanks for the quick work, I can confirm the patch fixes the issue.
Comment 6 Yann Ylavic 2019-04-09 14:00:37 UTC
*** Bug 63329 has been marked as a duplicate of this bug. ***
Comment 7 Rainer Jung 2019-07-29 12:56:44 UTC
*** Bug 63617 has been marked as a duplicate of this bug. ***
Comment 8 Christophe JAILLET 2019-08-17 20:00:42 UTC
This has been backported in 2.4.x in r1859376.

This is part of 2.4.40.