Elvex's questions

Current OpenSSL version

OpenSSL 1.1.1d  10 Sep 2019 (Library: OpenSSL 1.1.1g  21 Apr 2020)

Current openssl.cnf configuration

At the top of the file

openssl_conf = default_conf

At the bottom of the file

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1

No Ciphersuites directive is set.

Supported cipher list differs from configuration

However, when I asks for the enabled ciphers with openssl ciphers -s -v, I get ciphers like :

DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1

Should I define a Ciphersuites setting, or is openssl ciphers -s -v unreliable in some way ?

Documentation

-s Only list supported ciphers: those consistent with the security level, and minimum and maximum protocol version.

While SecLevel 1 permits SSLv3 and TLSv1, MinProtocol doesn't.

Sources :

• https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
• https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
• https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html

I have a website, which queries a Varnish server, which queries an Apache server, which queries a db server.

At 07:00:00, a request is send to the Apache server, which triggers a db request that takes over 30 seconds to process. While the db server is "locked", concurrent db requests are piling up, causing apache requests to pile up as well. So far, this is not my issue.

In the meantime, Varnish polls Apache every 5 second, with a 1 second timeout. The probe target is an empty html file.

Apache log tells me that every poll is answered with a 200 status code.

I get the following results from combined Varnish/Apache log :

Polled at   Served at   Delay (s)
07:00:26    07:00:26            0
07:00:31    07:00:34            3
07:00:37    07:01:01           24
07:00:43    07:01:01           18
07:00:49    07:01:01           12
07:00:55    07:01:01            6
07:01:01    07:01:01            0
07:01:06    07:01:06            0

What I don't understand is the following :

• Given that Apache serves every polling requests, it should means that the MaxClients has not been reached. Otherwise, I guess Apache would reject any new incoming polling requests. Am I right ?
• If Apache can accept connections for the polling requests, why is the response delayed ? Serving an empty html file should be as fast as usual, even if many concurrent requests are still waiting for the db to "unlock". The timing looks like Apache needs somehow the db to unlock, and other processes to be served, so it can process the polling request.

The delay causes Varnish to believe that my server is "unhealthy", thus causing automatic rejection of all following requests, while they could all be served within a 30 seconds delay.

Varnish config :

backend foo {
    .timeout = 60s;
    .probe = {
        .url = "/check.html";
        .interval = 5s;
        .timeout = 1s;
        .window = 10;
        .threshold = 8;
    }
}

Apache configuration :

Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers       20
    ServerLimit           200
    MaxClients            200
    MaxRequestsPerChild   0
</IfModule>

Don't hesitate to ask for more configuration informations or logs.

I find that the error "request failed: error reading the headers" is quite common on Apache servers, and can be triggered by numerous causes.

However, what I can't find is this :

• How can I identify more precisely the kind of request that is causing this error ?
• Can I tune my server so it handles those errors in a clean way (for example, 404 are not loggued in the error log)

Thanks for your insights !

This is a dummy question. I have to give public access to PDFs, let's say 8 MB / file. It seems to me that nginx will serve any kind of files, as long as they are static. But someone tells me nginx isn't suited for this.

Can you provide me some documentation to prove me/him wrong ?