Is there a bug in ngx_http_upstream_module's broken connection check code?

Maxim Dounin mdounin at mdounin.ru
Sat Nov 26 23:38:58 UTC 2011


Hello!

On Sat, Nov 26, 2011 at 07:41:24AM -0500, nviennot wrote:

> I am experiencing this bug in a production system. (SSL closes are not
> detected,  thus sockets stay in CLOSE_WAIT state forever -- nice DoS).

I believe I've already stated this several times, but let me 
repeat: this is not a bug, it's rather lack of optimization.

And if this makes DoS possible in you setup, this means your setup 
is broken (i.e. there is a bug in your setup).  Even if nginx will 
be able to detect connection close in simple SSL case, this 
doesn't mean all connection closes will be detectable.  

Consider connection with a pipelined request not yet read from 
client: it won't be possible to detect pending connection close 
with standard interfaces (without reading the request first, which 
isn't an option).  You must use some timeouts/keepalives to handle 
this.

> I was looking at nginx sources, and it seems that this bug has not been
> fixed.
> The alternative is to use stunnel with the X-Forwarded-For patch, but
> that's way too messy.
> 
> In ngx_http_upstream_check_broken_connection(), there seems to be a
> different path for kqueue. What about modifying the poll/epoll behavior
> to detect disconnections for other event modules ? In
> ngx_epoll_add_connection(), we can add the EPOLLHUP event, and mark the
> connection as disconnected when processing HUP events instead of using
> the buggy MSG_PEEK hack

Likely, EPOLLRDHUP is needed here.  Patches are welcome.

Maxim Dounin



More information about the nginx mailing list