403 Timing-out and httpd.conf

TomJones

I was having a heck of a time with a shopping cart on one of my sites; it would never load a full page of products and would return a 403 FORBIDDEN message half the time. The logs showed a ton of "client denied by server configuration" errors, so I started (after three days) to think it was an Apache problem. I went into the httpd.conf for the site and set the following:
KeepAlive Off
MaxKeepAliveRequests 0
KeepAliveTimeout 15


Lo and behold, that worked! No more problems!!
Here are the questions:

1. I am wondering how the above three settings will affect security. Seems like I should set some limits (especially on MaxKeepAliveRequests), but I don't know what would be advisable. Does anyone have suggestions?

2. I set the above in the individual site httpd.conf (/usr/local/directadmin/data/users/SITENAME/httpd.conf), but, upon restarting Apache, the commands seem to have affected all sites. Shouldn't it have only affected the one individual site?
 
I set the above in the individual site httpd.conf (/usr/local/directadmin/data/users/SITENAME/httpd.conf)

Impossible, since there is no httpd.conf for individual sites. There is one httpd.conf for each user (/usr/local/directadmin/data/users/username/httpd.conf), so it will affect all sites for that user.

Now with that being said

KeepAlive Off
MaxKeepAliveRequests 0
KeepAliveTimeout 15

are normally global configurations. If you did not put them in the <virtualhost> section then they will affect all sites on the server.

I also do not see how this would have solved your original problem. What reasoning did you use to come to this conclusion?
 
Yes, you are right, it's one httpd.conf per user (all my users have only one site, so there's my oversimplification).

It 100% was my problem; I analyzed the headers being returned from the site to find the problem. They would be returning "200 OK" up to a certain point and then everything after that point would be "403 Forbidden." Adding those commands to the httpd.conf corrected that issue.

Further proof, I took your direction (thanks!) on placing those commands inside the <virtualhost> for only one user, restarted Apache, and the issue re-appeared on the other user site (with the exact same shopping-cart on it) but did not manifest on the user with the altered httpd.conf. I altered the httpd.conf of the other user and the issues disappeared.

Still don't know how safe those settings are; I'm pretty sure not limiting MaxKeepAliveRequests could turn into a problem with exploit potential.
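
Added example, not part of any post in this thread: a small Python audit that reads an Apache config, tracks whether each keep-alive directive sits at global scope or inside a <VirtualHost>, and reports the effective values per site. It assumes a simplified merge model (a vhost inherits anything it does not set); the function name, the sample config and its host names are constructed for illustration.

```python
import re

# Constructed sample: the thread's three directives at global scope, plus one
# vhost that turns keep-alive back on. Host names are placeholders.
SAMPLE_CONF = """\
KeepAlive Off
MaxKeepAliveRequests 0
KeepAliveTimeout 15
<VirtualHost *:80>
    ServerName shop.example.com
    KeepAlive On
</VirtualHost>
<VirtualHost *:80>
    ServerName other.example.com
</VirtualHost>
"""

# Apache's documented defaults for the three directives.
DEFAULTS = {"keepalive": "On", "maxkeepaliverequests": "100", "keepalivetimeout": "5"}

def audit_keepalive(conf_text):
    """Map each scope ('global' or a ServerName) to (effective settings, findings)."""
    scopes, current = {"global": {}}, "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            current = f"vhost#{len(scopes)}"  # provisional name until ServerName
            scopes[current] = {}
        elif re.match(r"</VirtualHost>", line, re.I):
            current = "global"
        else:
            key, val = (line.split(None, 1) + [""])[:2]
            if key.lower() == "servername" and current != "global" and val:
                scopes[val] = scopes.pop(current)
                current = val
            elif key.lower() in DEFAULTS:
                scopes[current][key.lower()] = val
    report = {}
    for name, local in scopes.items():
        # Assumed merge model: a vhost inherits whatever it does not set itself.
        eff = {**DEFAULTS, **scopes["global"], **local}
        findings = []
        if eff["keepalive"].lower() == "off":
            findings.append("keep-alive off: MaxKeepAliveRequests/KeepAliveTimeout are ignored")
        elif eff["maxkeepaliverequests"] == "0":  # 0 means unlimited in Apache
            findings.append("keep-alive on with no per-connection request limit")
        report[name] = (eff, findings)
    return report
```

Calling audit_keepalive(SAMPLE_CONF) shows the global block applying to every site that does not override it, and flags the one vhost where keep-alive is on while the request limit is still 0.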
 