We are using mod_qos (v 10.23) on an Apache server (v 2.4.6) configured with Event MPM. The server is used as a reverse-proxy in front of a cluster of backends.
If we activate a limit of concurrent connections per IP with QS_SrvMaxConnPerIP, any request that is blocked by this rule (as seen in the logs) leaves an Apache process stuck in a "CLOSE_WAIT" IP state indefinitely (as shown by the command "netstat -tupan | grep CLOSE_WAIT"), with the IP address of the offending client as the source address.
This generates two problems: (1) the connection count seen by mod_qos for this IP never goes down (because it counts the stuck processes), so this client may never connect again until the server is restarted. And worse, (2) if the "attacker" continues to make connections, more and more Apache processes become stuck in this CLOSE_WAIT state and the web server is eventually unreachable by anyone until it is restarted.
Is it possible to completely close the connections filtered by QS_SrvMaxConnPerIP and not leave them in CLOSE_WAIT state?
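The build-up described in the post can be watched for before it exhausts the worker pool. The script below is an added example, not part of the original post or of mod_qos: it parses `netstat -tupan`-style output (the same command the post uses), counts CLOSE_WAIT sockets per remote IP, and flags any IP whose count is at or above a threshold. The netstat sample, addresses, PIDs and threshold are all constructed for the demo; on a live server the functions are fed the real `netstat -tupan` output instead.

```shell
#!/bin/sh
# Added example (not from the original post): detect Apache workers piling up in
# CLOSE_WAIT per remote IP, the failure mode described above, so an operator can
# alert on it before the server stops answering anyone.

# Constructed sample of `netstat -tupan` output. Addresses, ports and PIDs are made up.
# Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:443            198.51.100.7:51234      CLOSE_WAIT  2345/httpd
tcp        0      0 10.0.0.5:443            198.51.100.7:51240      CLOSE_WAIT  2346/httpd
tcp        0      0 10.0.0.5:443            198.51.100.7:51251      CLOSE_WAIT  2347/httpd
tcp        0      0 10.0.0.5:443            203.0.113.9:40001       ESTABLISHED 2348/httpd
tcp        0      0 10.0.0.5:443            203.0.113.9:40002       CLOSE_WAIT  2349/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1234/httpd'

# Read netstat output on stdin; print "count ip" for every remote IP that holds
# CLOSE_WAIT sockets, highest count first. Only tcp/tcp6 rows are considered.
close_wait_per_ip() {
    awk '$1 ~ /^tcp/ && $6 == "CLOSE_WAIT" {
            ip = $5
            sub(/:[^:]*$/, "", ip)   # drop the trailing ":port" from the foreign address
            count[ip]++
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Read netstat output on stdin; print the remote IPs whose CLOSE_WAIT count is at or
# above the threshold (first argument, default 3). These are the clients whose blocked
# requests are accumulating stuck workers.
stuck_ips_over() {
    threshold="${1:-3}"
    close_wait_per_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Live use (threshold chosen to suit the worker pool size):
#   netstat -tupan 2>/dev/null | stuck_ips_over 20
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | close_wait_per_ip
printf '%s\n' "$SAMPLE_NETSTAT" | stuck_ips_over 3
```

Run from cron or a monitoring agent, a non-empty result from `stuck_ips_over` is the signal that the CLOSE_WAIT sockets the post describes are not being released; comparing the count against the MPM's worker limit shows how close the server is to becoming unreachable. This only detects the condition, it does not close the stuck connections.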