HTTP 503 response in a proxy chain environment with reflect client ip.

Article ID: 166545

Products

ProxySG Software - SGOS

Issue/Introduction

The scenario is the following:

The client sends a GET for an object on an OCS (origin content server). The client connects explicitly to the child proxy, which forwards the request to the parent proxy; the parent has reflect client IP enabled. After serving the object, the OCS FINs its side of the connection. The parent ACKs the FIN, so its side of the connection is now in CLOSE_WAIT. A new request then comes in from the client. Because the connection between the parent and the OCS is not fully closed, the proxy chooses to reuse the same TCP connection for efficiency reasons.

The server, however, does not accept this and sends back a 503 response.


Note that this is a proxy chain environment with reflect client IP enabled on the parent or child proxy. In this environment you would not really want to add the following policy:

http.client.persistence(preserve)

The reason is that when the OCS sends a FIN to the parent proxy, the parent proxy will then close the persistent tunnel between the parent and child proxies.

Resolution

We have fixed the retry logic in 6.5.1.1 (bug 174159) so that when the OCS FINs the connection, the parent proxy now FINs its side of the connection as well. The connection between the child and parent proxy, however, remains open.

When the second HTTP request is seen by the parent, a new connection to the OCS is made rather than reusing the port.

A workaround of setting the HTTP persistent-timer client to 5 seconds also stops the 503 from being sent. This helps only when the OCS returns a keep-alive timer of greater than 5 seconds. The latest Apache version now uses a 5-second idle timer; versions prior to that used 15 seconds.

This will not help, however, if the server FINs the connection straight away. Disabling persistent connections, or using persistent preserve for the sites in question, would help in that case, but you will find the persistent tunnel between the proxies being closed and reopened, so you lose the benefit of persistent tunnels. With reflect client IP, however, you should not see port reuse.
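The reuse failure described above, as an added Python demonstration on loopback that is not SGOS code and not from this article: a constructed origin that closes (FINs) after every reply, and a client connection pool that either blindly reuses the half-closed socket, as the parent proxy did before the fix, or first checks for the peer's FIN and opens a new connection instead, as the fixed behaviour does. The names, the toy HTTP exchange and the 2-second wait for the FIN are assumptions for the demo; where the real OCS answered with a 503, this origin simply never answers on the reused socket, so the failure surfaces as a client-side error.

```python
import select
import socket
import threading

# Constructed stand-in for the OCS: one request per connection, then close (FIN).
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

def start_origin(connections):
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen()
    def serve():
        for _ in range(connections):
            conn, _ = listener.accept()
            with conn:               # leaving the block closes: the FIN goes out
                conn.recv(4096)
                conn.sendall(RESPONSE)
    threading.Thread(target=serve, daemon=True).start()
    return listener

def peer_has_closed(sock, wait=2.0):
    # Readable with a b"" peek means the remote FIN arrived: we are in CLOSE_WAIT.
    readable, _, _ = select.select([sock], [], [], wait)
    return bool(readable) and sock.recv(1, socket.MSG_PEEK) == b""

def fetch(pool, addr, check=True):
    sock = pool.pop() if pool else None
    if sock is not None and check and peer_has_closed(sock):
        sock.close()                 # half-closed: do not reuse, open a new one
        sock = None
    if sock is None:
        sock = socket.create_connection(addr, timeout=5)
    sock.sendall(b"GET / HTTP/1.1\r\nHost: ocs\r\n\r\n")
    data = sock.recv(4096)           # tiny reply: one segment on loopback
    if not data:                     # EOF instead of a reply: the reuse failed
        raise ConnectionError("origin closed before answering")
    pool.append(sock)
    return data

def run(check):
    # Two requests to the same origin; it FINs after each reply. Blind reuse
    # never establishes a second connection, so only one is served then.
    listener = start_origin(2 if check else 1)
    pool, addr = [], listener.getsockname()
    try:
        fetch(pool, addr)
        return fetch(pool, addr, check).endswith(b"ok")
    except OSError:                  # blind reuse of the half-closed socket
        return False
    finally:
        listener.close()
```

run(check=True) returns True and run(check=False) returns False; peer_has_closed is the kind of check a client should make before picking an idle connection out of a pool.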