[SAC] ProjectsVM Upgrade Problem
Arnulf Christl
arnulf at osgeo.org
Fri Feb 10 12:22:14 EST 2012
Thanks Chris,
great work.
Cheers,
Arnulf
On 02/10/2012 05:25 AM, christopher.schmidt at nokia.com wrote:
> Sorry, I'm behind on this, but it looks like something in the upgrade
> opened up the projects server as an open proxy, no? All of those requests
> are people using the OSGeo server as a proxy (typically for spam).
>
> Typically, this happens when something is using a proxypass setting that
> is improperly configured, and allowing connections through that shouldn't
> be.
>
> Specifically:
>
> crschmidt at projects:/etc/apache2/mods-enabled$ diff -u /backup_projects_etc/apache2/mods-enabled/proxy.conf proxy.conf
> --- /backup_projects_etc/apache2/mods-enabled/proxy.conf 2011-01-21 10:53:56.000000000 -0800
> +++ proxy.conf 2012-02-02 06:30:21.000000000 -0800
> @@ -1,20 +1,26 @@
> <IfModule mod_proxy.c>
> - #turning ProxyRequests on and allowing proxying from all may allow
> - #spammers to use your proxy to send email.
>
> - ProxyRequests Off
> +# If you want to use apache2 as a forward proxy, uncomment the
> +# 'ProxyRequests On' line and the <Proxy *> block below.
> +# WARNING: Be careful to restrict access inside the <Proxy *> block.
> +# Open proxy servers are dangerous both to your network and to the
> +# Internet at large.
> +#
> +# If you only want to use apache2 as a reverse proxy/gateway in
> +# front of some web application server, you DON'T need
> +# 'ProxyRequests On'.
> +ProxyRequests On
>
>
> I have backed up the 'new' proxy.conf (after upgrade) to /backup_projects_etc/new_proxy.conf,
> and moved /backup_projects_etc/apache2/mods-enabled/proxy.conf into its place,
> and restarted Apache. In the short term, we should expect to continue to
> *get* these proxy requests until people realize that we're no longer
> serving as an open proxy for spammers to use -- typically, this traffic
> will die down in 1-2 days, but they should consume very few resources now,
> because they should always be 403 Forbidden instead of actually working.
>
> To address some of Martin's later comments:
> - Yes, this is causing very little load on the system -- this is because
> the traffic is not actually *using* the projects server for anything
> other than a bandwidth pipe, all the actual activity is just proxying
> bytes.
> - This default configuration from Debian is, in my opinion, So Completely
> broken -- it basically makes any machine trying to use proxying a
> completely open proxy to the internet, which is So Very Wrong.
>
> Some example requests that are no longer able to use OSGeo as an open proxy:
>
> 114.42.67.26 - - [10/Feb/2012:05:20:32 -0800] "CONNECT 203.188.197.119:25 HTTP/1.0" 405 477 "-" "-"
> 31.131.142.212 - - [10/Feb/2012:05:20:32 -0800] "GET http://www.kotakuclub.com/forum/index.php HTTP/1.0" 404 416 "http://www.kotakuclub.com/forum/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; FDM)"
>
>
> - The fact that these were pointing to docs.geotools.org was just a side
> effect of that being the default domain, though I'm sure
> most people realized this.
>
> - The slow loading of the site was not caused by 'high load', but
> by limited child workers due to all connections being sucked up
> by people outside OSGeo using us as a proxy.
>
> I've also temporarily bumped up the minspareservers, while we're
> still getting over the hump until we move off the 'spam through this'
> lists -- this will keep a slightly larger pool to handle bursts around.
>
> While investigating this, I also found that the 'tilecache' config
> (/backup_projects_etc/apache2/sites-available/tilecache) was not enabled,
> which was resulting in double requests because of default configurations
> of some OpenLayers applications. I re-enabled it -- I don't know if it being
> disabled was on purpose or not. If this was the wrong thing to do,
> let me know, and we can find another way to handle this.
>
> Overall, I hope this will help clarify the state we were in, how
> we got there (bad debian defaults; bad sysadminning on my part most likely
> for not documenting my change to the default configuration), why we
> got in that situation, what affect it had, and how I fixed it.
>
> Let me know if this is unclear, and I can try to clarify.
>
> -- Chris
>
>
>
> On Feb 9, 2012, at 4:02 AM, ext Martin Spott wrote:
>
>> On Thu, Feb 09, 2012 at 09:55:00AM +0100, Markus Neteler wrote:
>>
>>> As posted several times, the server is bombed with requests. Nothing
>>> strange at all.
>>> We have 200 workers or so and they are all saturated. That's why the performance
>>> is (too) low. I played shortly with 256 workers but then reduced again.
>>>
>>> Of course we have to solve this!
>>
>> Definitely. Anyhow, developing a solution which may run unattended for
>> a while without doing more harm than good isn't *that* simple ;-)
>> .... and I'm unaware of readily available solutions working right out
>> of the box.
>>
>> Cheers,
>> Martin.
>> --
>> Unix _IS_ user friendly - it's just selective about who its friends are !
>> --------------------------------------------------------------------------
>> _______________________________________________
>> Sac mailing list
>> Sac at lists.osgeo.org
>> http://lists.osgeo.org/mailman/listinfo/sac
>
> _______________________________________________
> Sac mailing list
> Sac at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/sac
--
President, OSGeo
http://www.osgeo.org
More information about the Sac
mailing list