
List:       apache-httpd-users
Subject:    [users@httpd] Allow From directive causing slow performance for proxy
From:       Matthew Turany <mturany () anokii ! com ! au>
Date:       2013-12-23 5:24:55
Message-ID: CAOp=koxMVb+Put2e+OuUp__CkVg=x6=SfqJ=V7yY-s+wpaeS8w () mail ! gmail ! com

Hi,

Not sure if this could be considered a bug but here goes.

OS:  Oracle Linux 6.4
Apache:  2.2.15

Apache being used as a reverse-proxy sitting in front of multiple web
servers.

We are currently using the Allow From directive to restrict access by IP
address to virtual hosts. Each virtual host 'client' has their own
"access.conf" file which then lists one or more IPs. This list of IPs
is usually around two, maybe three, but sometimes up to ten or more; at the
extreme end is the 'acme' customer, e.g.:

+++++++++++++++++++++++++++++++++++++++
# Acme PRODUCTION site
#
<Location /acme/>
AuthName Acme Corp
AuthType Basic
AuthUserFile /abc/http_pass/acme_auth
# comment 1
# comment 2
Require valid-user
Order Allow,Deny
Allow from xxx.xxx.xxx.xxx/24 # Site 1
Allow from xxx.xxx.xxx.xxx/32 # Site 2
Allow from xxx.xxx.xxx.xxx/24 # Site 3
Allow from xxx.xxx.xxx.xxx/32 # Site 4
etc
etc
Allow from xxx.xxx.xxx.xxx/24 # Site 32
+++++++++++++++++++++++++++++++++++++++

Reports started coming in stating slow access speeds from certain networks
(IPs); this performance drop was from 2-3 seconds to display a page, to 3 -
5 mins. Troubleshooting the issue revealed that if the slow-performing
site's IP address was moved to the top of the list (in the example above -
move Site 32 to the line above Site 1), access speed performance would
return to normal; however, someone else in the list would eventually report
the same issue. This problem has also appeared with sites that have a much
shorter list of, say, ten or fifteen.

If we remove or comment out all of the IPs and simply do an "Allow all",
performance returns to normal.

We have made sure no DNS lookups are in place or being made.

I've searched the mail list archives and have found two identical reports,
unfortunately neither of them appears to have been solved, and they are
from a few years ago as well. Shortening the list is not an option at the
moment.

Any help or assistance would be greatly appreciated.

Regards,
Matt
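
An added example, not part of the original message or of Apache httpd's own code: the httpd documentation states that comments may not share a line with a directive and that a hostname argument to `Allow from` causes a double reverse DNS lookup regardless of `HostnameLookups`, so trailing `# Site 1` text in a list like the one posted is worth auditing. The Python check below flags every `Allow`/`Deny` argument that is not a plain address; `classify`, `audit` and the sample (documentation addresses) are constructed for illustration.

```python
import ipaddress
import re

# Added illustration; classify/audit are hypothetical helper names.
# Partial IPv4 prefixes such as "10.1" are accepted by Allow/Deny as networks.
PARTIAL_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}\.?$")
DIRECTIVE = re.compile(r"^\s*(allow|deny)\s+from\s+(.*)$", re.IGNORECASE)

def classify(token):
    """Return 'special', 'address' or 'hostname' for one Allow/Deny argument."""
    if token.lower() == "all" or token.lower().startswith("env="):
        return "special"
    if PARTIAL_IPV4.match(token):
        return "address"
    try:
        ipaddress.ip_network(token, strict=False)  # full IP, CIDR or ip/netmask
        return "address"
    except ValueError:
        return "hostname"

def audit(conf_text):
    """List (line_no, token, problem) for arguments that are not plain addresses."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # whole-line comments and other directives are skipped
        after_hash = False
        for token in m.group(2).split():
            after_hash = after_hash or token.startswith("#")
            kind = classify(token)
            if kind == "hostname":
                findings.append((line_no, token, "hostname argument: reverse DNS lookup"))
            elif after_hash:
                findings.append((line_no, token, "comment text parsed as an address"))
    return findings

# Constructed sample modelled on the posted access.conf (documentation addresses).
SAMPLE = """\
# Acme PRODUCTION site
Order Allow,Deny
Allow from 192.0.2.0/24 # Site 1
Allow from 198.51.100.7/32
Allow from 203.0.113.0/24 partner.example.com
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %r -> %s" % finding)
```

Moving each site description onto its own `#` line above the directive leaves only address arguments for httpd to evaluate.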
