On 2016-01-29, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
> It was reported to me that several webshops seem to have this problem
> and one of our clients owncloud sites (I'll send you the link off-list)

Thanks for the link off-list, I've tried fetching it directly without
proxy and am seeing a third or more of requests failing too.

$ curl https://owncloud.XXXXXXXXXX/apps/files_pdfviewer/js/previewplugin.js
curl: (7) Failed to connect to owncloud.XXXXXXXXXX port 443: Operation timed out

> I have access to the logs and they show a mixture of 200 and 503

...and that pretty much matches the pattern I've seen connecting by hand,
so it's no big surprise that there are problems with the proxy too.

From my first guess based on what I've seen I'd say that the site was on
multiple hosts behind a load-balancer and one of them is faulty. But that
doesn't sound entirely likely for owncloud.

Then I remembered a problem someone else ran into, and played with that
and it seems like it may well be the problem here.

http://thread.gmane.org/gmane.os.openbsd.misc/228420/focus=228452

If you have contact with any of the site admins see if they are running
on linux with tcp_tw_recycle=1, I think there is a strong possibility that
they are, and if so then they should fix their configuration. They're
likely to be breaking connections for NATted clients too (and this is
only going to get worse as more ISPs start using CG-NAT for IPv4).

The links in the above post have detailed explanations. OpenBSD uses this
method which is described in RFC7323 sec 5.4 (OpenBSD's implementation
predates this RFC by some years).

   o  A random offset may be added to the timestamp clock on a
      per-connection basis.  See [RFC6528], Section 3, on randomizing
      the initial sequence number (ISN).  The same function with a
      different secret key can be used to generate the per-connection
      timestamp offset.

There was a recent-ish change to the method used to generate the offsets
(MD5 to SHA512), I wondered if that had changed anything so I've just
checked from a 5.6 box, it does exactly the same - if I make repeated
connections to the owncloud box, some of them fail.
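
The interaction described in the message above, as an added illustration that is not part of the original post and is not OpenBSD or Linux code: a simplified model of a server that keeps one last-seen timestamp per source IP (the tcp_tw_recycle=1 behaviour) facing per-connection timestamp offsets and NATted clients. Assumptions: the HMAC-SHA512 offset function, the secret, the addresses, the clock values and the check that updates on every accepted SYN are all constructed for the demonstration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # constructed; a real stack uses a random key
DST = ("203.0.113.10", 443)           # constructed server address (documentation range)

def ts_offset(secret, src, sport, dst, dport):
    """Per-connection offset: keyed hash of the 4-tuple (the RFC 7323 sec 5.4 idea)."""
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha512).digest()[:4], "big")

class PerHostTimestampCheck:
    """Simplified model of the per-source-IP check applied with tcp_tw_recycle=1:
    a SYN whose TSval is older than the last one accepted from that IP is dropped."""
    def __init__(self):
        self.last = {}

    def accept_syn(self, src_ip, tsval):
        prev = self.last.get(src_ip)
        # 32-bit serial arithmetic: a difference in the upper half means "older".
        if prev is not None and ((tsval - prev) & 0xFFFFFFFF) >= 0x80000000:
            return False
        self.last[src_ip] = tsval
        return True

def run(syns):
    """syns: iterable of (src_ip, tsval). Returns the number of dropped SYNs."""
    server = PerHostTimestampCheck()
    return sum(not server.accept_syn(ip, ts & 0xFFFFFFFF) for ip, ts in syns)

def one_host(n, randomized):
    """n connections from one IP; the clock ticks 100 units between connections."""
    src = "198.51.100.7"
    for i in range(n):
        off = ts_offset(SECRET, src, 40000 + i, *DST) if randomized else 0
        yield src, 1000 + 100 * i + off

def two_hosts_behind_nat(n):
    """Two hosts with monotonic but unrelated clocks sharing one public IP."""
    for i in range(n):
        yield "198.51.100.7", (5_000_000 if i % 2 == 0 else 1_000) + 100 * i

if __name__ == "__main__":
    print("single clock, no offset  :", run(one_host(200, False)), "of 200 dropped")
    print("per-connection offsets   :", run(one_host(200, True)), "of 200 dropped")
    print("two hosts behind one NAT :", run(two_hosts_behind_nat(200)), "of 200 dropped")
```

On a Linux server, `sysctl net.ipv4.tcp_tw_recycle` shows whether the setting is enabled on kernels that still have it.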