Data Center QoS equipment breaking http 1.1?

James_Smallacombe · July 31, 2009, 9:25pm

Sorry if this is a little OT, but we're seeing a serious problem and was wondering if it is what I think it is.

In short: I have been moving services off of our servers in a data center onto a server at eSecuredata, who rents dedicated servers. The idea is to lower costs and eliminate having to deal with hardware.

The advertise "unmetered bandwidth", but mention QoS measure to control "bandwidth hogs".

One of my customers, whose site I just moved from a unique IP virtual host on my old server onto an Apache NameVirtualHost on the new one, worked fine at first. Then today, they started complaining about getting one of our home pages. I figured DNS or web caching issues, until I started seeing it for myself. It was no caching issue, it was NameVirtualHost breaking.

I poured over my configs (I've done this config countless times), and saw this in the apache docs:

http://httpd.apache.org/docs/2.2/vhosts/name-based.html

" Some operating systems and network equipment implement bandwidth management techniques that cannot differentiate between hosts unless they are on separate IP addresses."

So, I installed lynx on the server, and sure enough, it worked perfectly fine there, just not from anywhere outside eSecuredata's network that I could see.

Can anyone shed any light on this particular practice, of this company in particular?

thanks

James Smallacombe PlantageNet, Inc. CEO and Janitor
up@3.am http://3.am

James_Smallacombe · July 31, 2009, 10:05pm

Please disregard this idiocy of mine...it appears that the Apache UseCanonicalName directive selectively breaks some NameVirtualHosts, while leaving others unscathed, but turning it off fixed it anyway.

James_Smallacombe · August 1, 2009, 12:02am

Disregard my disregard. The problem resurfaced with no changes on my part. I purged browser caches and tried them from 3 browsers and each time:

http://www.countytheater.org

redirected to: http://webmail.ns3.pil.net/ which is another NameVhost on that server sharing that IP. This is incorrect. However, I then switch from a Verizon connection to an ATT 3g connection on the IPhone and the problem goes away.

Has anyone heard of upstream transparent caching issues causing this kind of problem? Does anyone else here get the redirect instead of the correct page?

TIA

Jay_Mitchell · August 1, 2009, 12:34am

Quoting up@3.am:

Disregard my disregard. The problem resurfaced with no changes on my
part. I purged browser caches and tried them from 3 browsers and each
time:

http://www.countytheater.org

redirected to: http://webmail.ns3.pil.net/ which is another NameVhost
on that server sharing that IP. This is incorrect. However, I then
switch from a Verizon connection to an ATT 3g connection on the IPhone
and the problem goes away.

Has anyone heard of upstream transparent caching issues causing this
kind of problem? Does anyone else here get the redirect instead of the
correct page?

TIA

From .au the first 3 times I got pil.net. After that I got lots of 302's and finally www.countytheater.org loaded, however the url showing in the browser is http://ns3.pil.net/~jsanders/. Looking at the packet cap it looks like your apache is doing strange things.

--jay

James_Smallacombe · August 1, 2009, 1:06am

Again, turned out to be my own stupidity. It was just DNS on a secondary DNS server, which was pointing to the old IP, which was redirecting to the new IP, but at that point, the headers are lost.

I would have thought that on MacOSX (my client; the server is FreeBSD 7.2-STABLE), if I tell the /etc/resolv.conf to look at the primary name server only, which has the correct info, plus doing a dnscacheutil -flushcache, that this wouldn't be an issue.

Apparently, I was wrong, or perhaps it doesn't override what Verizon does with my browser's queries, despite what nslookup shows in a terminal window.

Nathan_Ward · August 1, 2009, 1:13am

As you are on OS X, have a read of http://developer.apple.com/documentation/Darwin/Reference/Manpages/man5/resolver.5.html

It lets you do per-domain resolvers, and so on.

Ivan_Pepelnjak · August 1, 2009, 8:11am

Facts first: name-based virtual hosts depend on the HOST header in the
HTTP/1.1 request to select the virtual web server.

I poured over my configs (I've done this config countless
times), and saw this in the apache docs:

Name-based Virtual Host Support - Apache HTTP Server Version 2.2

" Some operating systems and network equipment implement
bandwidth management techniques that cannot differentiate
between hosts unless they are on separate IP addresses."

Thanslated into networking engineerese: since the QoS equipment (including
routers unless you use HTTB NBAR) cannot peer into contents of the TCP
session, it cannot find the HOST header and thus cannot decide which virtual
host the traffic belongs to, making it impossible to enforce
per-virtual-host QoS policies.

So, I installed lynx on the server, and sure enough, it
worked perfectly fine there, just not from anywhere outside
eSecuredata's network that I could see.

Can anyone shed any light on this particular practice, of
this company in particular?

What you're experiencing usually means only one thing: they're using a box
that messes with HTTP headers. It could be a misconfigured DPI box, a
transparent (broken) HTTP proxy or a custom-developed "wizardry".

Configure the Apache logs (Log Files - Apache HTTP Server Version 2.2) to
log the virtual host name in the HTTP request (the %{host}i directive) or
use Wireshark on your client and the server to inspect it. If you find out
they're messing with the HOST header (as suspected) switch the provider
immediately.

Ivan

http://www.ioshints.info/about