Hi all,

I am running httpd 1.3.37 on Linux 2.4.33.3 as a reverse proxy server fronting a corporate web portal to the Internet. Lately, I have seen a rise in client complaints of web pages not loading completely, and when I check Apache logs I see several messages like the following directly tied to what the particular user was doing:

[Fri Feb 6 16:41:17 2009] [error] [client 11.222.333.444] (104)Connection reset by peer: proxy: error reading from https://www.someplace.com/irj/servlet/prt/portal/prtpos/com!252esap!252eportal!252enavigation!252eportallauncher!252edefault!7b!3b1!7d/prttarget/pcd!253aportal_content!252fcom!252ecooper!252efl_cooper_internal!252fcom!252ecooper!252efl_cooper_internal_iviews!252fcom!252ecooper!252eCooperCustomerCenter!252fcom!252ecooper!252eDesktop!252fcom!252ecooper!252eNewCCCDefaultDesktop!252fframeworkPages!252fcom!252ecooper!252eportal!252eNew_CCC_Light_Framework_Page.com!252esap!252eportal!252elightinnerpage.com!252ecooper!252eCCCContentAreaLight.content/prteventname/HtmlbEvent/prtroot/com.sap.portal.navigation.portallauncher.default

The connection path is:

Browser -> [SSL] -> ReverseProxy -> [ProxyPass] -> [SSL] -> AppServer

When the reverse proxy is bypassed (ie, accessed from internal network) we don't see this issue at all. Feedback I'm getting from the apps people after comparing TCPDUMP traces is that the reverse proxy box is resetting connections instead of going through the normal FIN/ACK handshake process. Although, from the above error log entry, it appears that it is the app server which is resetting the connection.

My questions so far:

1) What is the above error really telling me?

2) Am I correct that the connection which was reset was RP -> appserver, and not browser -> RP?

3) Who is really resetting the connection, the RP or the app server?

4) This issue has been seen off and on for the past year, but has become worse in the past two months. I theorize the problem to be increased traffic / volume-related, as this reverse proxy also services a few other domains. Is there any information available on kernel (IP stack) or HTTP parameter tuning for such a server?

5) I see SSL config directives that allow me to limit which SSL protocol I will allow from the client. Is there any way to force the SSL protocol (and even the encryption method) that I use when ProxyPass opens the socket to my app server?

Thanks!

Eric C. Webb
Sr. Systems Analyst / Unix System Administrator
Cooper Industries IT Solutions & Services
(770) 486-4623
FAX: (770) 486-4677
