Score:4

Sudden and sporadic errors from mod_proxy

ru flag

[Edit, addition]: Looks like this could be caused by an attack attempt. But not sure how it can be avoided? https://www.mail-archive.com/[email protected]/msg57219.html

I have an Ubuntu server with apache2. mod_proxy is forwarding requests to a java web server on a local port

ProxyPass / http://localhost:9003/ retry=0

Yesterday I suddenly started seeing errors. Sometimes there seems to be an error from the perspective of apache mod_proxy. The default "error" page is shown instead of the data from the backend server. Apache error log:

[Mon Jan 31 08:16:09.800927 2022] [proxy:error] [pid 1061:tid 140673390929664] (13)Permission denied: AH02454: HTTP: attempt to connect to Unix domain socket /var/run/apache2/ (localhost) failed
[Mon Jan 31 08:16:09.801876 2022] [proxy:error] [pid 1061:tid 140673390929664] AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 0s

This started suddenly, with no known changes or updates on the machine. It is shifting all the time. Working for some time, then not working for some time etc., with seemingly no pattern.

There is no load on the machine, and no errors or noteworthy output from the java server at all.

Any ideas?

Sir McPotato avatar
br flag
Having the same strange symptoms than you in our production servers, without any changes too. Not to much informative, but let you know that - imho - you're not isolated
rogiller avatar
id flag
We were seeing this today as well on some of our production servers... an Apache restart cleared it up at least for the time being... we are continuing to monitor our servers.
ma flag
We are seeing this issue too. FYI, for us, Apache is fronting a Tomcat container
rogiller avatar
id flag
Found https://www.traccar.org/forums/topic/server-error/ this morning... the one commenter there seems to think it's an Apache exploit and links to https://www.rapid7.com/blog/post/2021/11/30/active-exploitation-of-apache-http-server-cve-2021-40438/
Sir McPotato avatar
br flag
@rogiller I think this is indeed related, thanks! Time to plan updates
gmanjon avatar
mx flag
In that same rapid7 page says that is advisable to upgrade to 2.4.51 (time of writting) due to other vulnerabilities found in 2.4.49 ans 2.4.50. Just for everyone to know. I just upgraded my production server to 2.4.52. Thank you everyone.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.