On 2016-01-29, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
> It was reported to me that several webshops seem to have this problem
> and one of our clients' owncloud sites (I'll send you the link off-list)

Thanks for the link off-list, I've tried fetching it directly
without proxy and am seeing a third or more of requests failing
too.

$ curl https://owncloud.XXXXXXXXXX/apps/files_pdfviewer/js/previewplugin.js 
curl: (7) Failed to connect to owncloud.XXXXXXXXXX port 443: Operation timed out

> I have access to the logs and they show a mixture of 200 and 503

...and that pretty much matches the pattern I've seen connecting by
hand, so it's no big surprise that there are problems with the proxy
too.

From my first guess based on what I've seen I'd say that the site
was on multiple hosts behind a load-balancer and one of them is
faulty. But that doesn't sound entirely likely for owncloud.
Then I remembered a problem someone else ran into, played with
that, and it seems like it may well be the problem here.
http://thread.gmane.org/gmane.os.openbsd.misc/228420/focus=228452

If you have contact with any of the site admins see if they are
running on linux with tcp_tw_recycle=1, I think there is a strong
possibility that they are, and if so then they should fix their
configuration.

They're likely to be breaking connections for NATted clients
too (and this is only going to get worse as more ISPs start
using CG-NAT for IPv4). The links in the above post have
detailed explanations.

OpenBSD uses this method, which is described in RFC 7323 sec 5.4
(OpenBSD's implementation predates the RFC by some years):

   o  A random offset may be added to the timestamp clock on a per-
      connection basis.  See [RFC6528], Section 3, on randomizing the
      initial sequence number (ISN).  The same function with a different
      secret key can be used to generate the per-connection timestamp
      offset.

There was a recent-ish change to the method used to generate the
offsets (MD5 to SHA512); I wondered if that had changed anything,
so I've just checked from a 5.6 box. It does exactly the same:
if I make repeated connections to the owncloud box, some of them
fail.

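To make the failure mode in the message above concrete, here is a small model of the check that Linux (before 4.12, when the sysctl was removed) applied to incoming SYNs when net.ipv4.tcp_tw_recycle=1: if a connection from the same peer IP reached TIME_WAIT less than 60 seconds ago carrying a larger TCP timestamp, the new SYN is silently dropped. It is an added example, not code from the original post, from OpenBSD or from Linux; the IP addresses are constructed (documentation ranges), and each accepted connection is assumed to close immediately so that the SYN's TSval is what the server remembers. It shows why a client with a single monotonic timestamp clock is never affected, while a client that adds a random per-connection offset (RFC 7323 sec 5.4, as OpenBSD does) loses roughly every other connection, and why two hosts with different clocks behind one NAT address break each other.

```python
"""Model of how Linux's tcp_tw_recycle drops SYNs whose TCP timestamp goes backwards.

Constructed example for this thread, not code from the original post or from
either OS. It imitates the check Linux (before 4.12) performed in
tcp_v4_conn_request() with net.ipv4.tcp_tw_recycle=1: a SYN from a peer IP is
silently dropped if a connection from that IP entered TIME_WAIT within
TCP_PAWS_MSL seconds carrying a larger TSval. Clients that randomise the
timestamp offset per connection (RFC 7323 sec 5.4) or several hosts sharing a
NAT address then look to the server like their clocks run backwards.
"""
import random

TCP_PAWS_MSL = 60       # seconds a per-peer timestamp record stays "fresh" (kernel constant)
TCP_PAWS_WINDOW = 1     # allowed slack of one timestamp tick (kernel constant)
NAT_IP = "203.0.113.7"  # constructed address shared by the NAT scenario's hosts


def s32(x):
    """Wrap to a signed 32-bit integer, like the kernel's (s32) cast on TSval differences."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


class RecyclingServer:
    """Server keeping, per peer IP, the newest TSval seen on a connection that reached TIME_WAIT."""

    def __init__(self, tw_recycle=True):
        self.tw_recycle = tw_recycle
        self.peers = {}  # ip -> (last_tsval, wall_clock_seconds_when_recorded)

    def syn(self, ip, tsval, now):
        """Handle a SYN at wall-clock `now`; return True if accepted, False if silently dropped.

        Simplification (assumption of this model): each accepted connection is
        short and closes at once, so the SYN's TSval is what gets remembered.
        """
        rec = self.peers.get(ip)
        if (self.tw_recycle and rec is not None
                and rec[1] + TCP_PAWS_MSL >= now
                and s32(rec[0] - tsval) > TCP_PAWS_WINDOW):
            return False  # tcp_tw_recycle: "old" timestamp from a recently seen peer -> drop
        # Remember the newest timestamp for this peer (new peer, stale record, or newer TSval).
        if rec is None or rec[1] + TCP_PAWS_MSL < now or s32(tsval - rec[0]) > 0:
            self.peers[ip] = (tsval, now)
        return True


def monotonic_client(n, start=100_000, step=10):
    """Linux-style client: one global timestamp clock, so TSvals only ever increase."""
    return [start + i * step for i in range(n)]


def per_connection_offset_client(n, start=100_000, step=10, seed=1):
    """OpenBSD-style client: the same clock plus an unpredictable 32-bit offset per connection."""
    rng = random.Random(seed)
    return [(start + i * step + rng.getrandbits(32)) & 0xFFFFFFFF for i in range(n)]


def run(tsvals, tw_recycle=True, ip="198.51.100.5", interval=2):
    """Open one connection per TSval, `interval` seconds apart; return accept/drop per SYN."""
    srv = RecyclingServer(tw_recycle)
    return [srv.syn(ip, ts, i * interval) for i, ts in enumerate(tsvals)]


def nat_scenario(tw_recycle=True, rounds=6):
    """Two hosts behind one NAT address whose clocks are far apart, connecting alternately."""
    srv = RecyclingServer(tw_recycle)
    out = []
    for i in range(rounds):
        host, ts = ("A", 1_000_000 + 10 * i) if i % 2 == 0 else ("B", 1_000 + 10 * i)
        out.append((host, srv.syn(NAT_IP, ts, 2 * i)))
    return out


if __name__ == "__main__":
    n = 20
    print("monotonic clock, tw_recycle=1:", run(monotonic_client(n)).count(False), "of", n, "dropped")
    print("per-connection offsets, tw_recycle=1:",
          run(per_connection_offset_client(n)).count(False), "of", n, "dropped")
    print("per-connection offsets, tw_recycle=0:",
          run(per_connection_offset_client(n), tw_recycle=False).count(False), "of", n, "dropped")
    for host, ok in nat_scenario():
        print(f"NAT host {host}: {'accepted' if ok else 'dropped'}")
```

In the model each random offset is independent, so about half the SYNs from the offset-randomising client arrive with a TSval below the one the server remembered and are dropped; the exact share seen against a real server depends on timing and on how many connections the client opens within the 60 second window, so a third or more failing, as reported above, is consistent with it. Host B in the NAT scenario never gets through while host A keeps connecting. On a Linux server that still has the knob, `sysctl net.ipv4.tcp_tw_recycle` shows whether it is set to 1, and `sysctl -w net.ipv4.tcp_tw_recycle=0` (made permanent in /etc/sysctl.conf) is the fix; tcp_tw_reuse does not have this client-facing side effect.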