Core: Disable / detect mod_reqtimeout to avoid upload problems

Created on 28 Feb 2015 · 9 Comments · Source: owncloud/core

According to:

http://sabre.io/dav/webservers/

the Apache module could stop large uploads from completing. On Ubuntu 14.04 it's not enabled by default anymore but it could still be useful to add a check similar to https://github.com/owncloud/core/pull/6675 and https://github.com/owncloud/core/pull/6637.

The .htaccess approach is probably recommended as the apache_get_modules approach is not working on PHP CGI.


All 9 comments

Ok, an .htaccess entry like:

    <IfModule reqtimeout_module>
      RequestReadTimeout header=0
      RequestReadTimeout body=0
    </IfModule>

could do the trick.

Care to submit a pull request? :smile:

I'm not sure if disabling it completely is the best approach here? Any opinions?

Disabling in our default .htaccess does not hurt :)

Context: server config, virtual host

from https://httpd.apache.org/docs/current/mod/mod_reqtimeout.html#requestreadtimeout so we can't use this in a .htaccess file.

Just to have this documented here. Debian stable / jessie is now enabling this module by default again starting with the version 2.4.10-10+deb8u8 of Apache:

Activate mod_reqtimeout in new installs and during updates from before 2.4.10-10+deb8u8. It was wrongly not activated in new installs since jessie. This made the default installation vulnerable to some DoS attacks.

Trouble incoming...

Default setting on Debian (/etc/apache2/mods-enabled/reqtimeout.conf) below. Could those cause troubles for ownCloud?

    # Wait max 20 seconds for the first byte of the request line+headers
    # From then, require a minimum data rate of 500 bytes/s, but don't
    # wait longer than 40 seconds in total.
    # Note: Lower timeouts may make sense on non-ssl virtual hosts but can
    # cause problem with ssl enabled virtual hosts: This timeout includes
    # the time a browser may need to fetch the CRL for the certificate. If
    # the CRL server is not reachable, it may take more than 10 seconds
    # until the browser gives up.
    RequestReadTimeout header=20-40,minrate=500

    # Wait max 10 seconds for the first byte of the request body (if any)
    # From then, require a minimum data rate of 500 bytes/s
    RequestReadTimeout body=10,minrate=500
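
As an added example (not part of the thread or of ownCloud's code), the Python below parses a `RequestReadTimeout` line and, following the semantics in the mod_reqtimeout documentation linked above, estimates whether a steady upload finishes before the body timer expires. The function names and the constant-rate client model are assumptions made for illustration.

```python
import re

# One "type=timeout[-maxtimeout][,MinRate=rate]" argument of RequestReadTimeout.
_ARG = re.compile(r"(handshake|header|body)=(\d+)(?:-(\d+))?(?:,minrate=(\d+))?$", re.I)

DEBIAN_BODY = "RequestReadTimeout body=10,minrate=500"  # body line quoted in the thread

def parse_request_read_timeout(line):
    """Return {stage: (timeout, maxtimeout, minrate)}; missing parts are None."""
    words = line.split()
    if not words or words[0].lower() != "requestreadtimeout":
        raise ValueError("not a RequestReadTimeout directive: %r" % line)
    stages = {}
    for arg in words[1:]:
        m = _ARG.match(arg)
        if not m:
            raise ValueError("unrecognised argument: %r" % arg)
        stage, timeout, maxtimeout, minrate = m.groups()
        stages[stage.lower()] = (int(timeout),
                                 int(maxtimeout) if maxtimeout else None,
                                 int(minrate) if minrate else None)
    return stages

def body_cutoff_seconds(body, rate):
    """Seconds until the body read times out for a client sending `rate` bytes/s,
    or None if it never does. Assumption: the rate is constant from the start."""
    timeout, maxtimeout, minrate = body
    if timeout == 0:
        return None                    # 0 means no limit
    if minrate is None:
        return float(timeout)          # fixed budget for the whole body
    if rate >= minrate:
        cutoff = None                  # deadline is extended as fast as data arrives
    else:
        # deadline(t) = timeout + rate * t / minrate; the read fails once t reaches it
        cutoff = timeout / (1 - rate / minrate)
    if maxtimeout is not None:         # extensions never go past maxtimeout
        cutoff = maxtimeout if cutoff is None else min(cutoff, maxtimeout)
    return cutoff

def upload_completes(line, size_bytes, rate):
    """True/False for a body of size_bytes sent at rate bytes/s; None if the
    line sets no body timeout."""
    if rate <= 0:
        raise ValueError("rate must be positive")
    body = parse_request_read_timeout(line).get("body")
    if body is None:
        return None
    cutoff = body_cutoff_seconds(body, rate)
    return cutoff is None or size_bytes / rate <= cutoff
```

Under this model a steady transfer above `minrate` is not cut off by the body timer; a body timeout without `minrate` caps the whole upload at that many seconds.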

at least documented in https://github.com/owncloud/documentation/blob/master/admin_manual/configuration/files/big_file_upload_configuration.rst#configuring-your-web-server

@tomneedham @PVince81 add check on the admin page?
