Issue description — Apache logs
I found items similar to this one in the Apache log file:
166.147.68.243 [24/Feb/2013:06:06:25 -0500] 19 web-site.com "-" 408 - "-"
I’ve got custom log format and 408 here stands for status. The log format is:
LogFormat "%h %t %D %V "%r" %>s %b "%{User-agent}i"" detailed
And normally the line in the log file looks like
184.73.232.108 [26/Feb/2013:08:38:16 -0500] 30677 www.site.com "GET /api/search... HTTP/1.1" 200 205 "Zend_Http_Client"
This is why 408 error lines look strange to me. No request is logged and I have no idea on what should be optimized.
Questions
How to tackle the issue?
What additional information or logs should I gather?
What might cause the issue? Is this something wrong on the server? Or is this absolutely a network connectivity problem?
I’m addressing this because our customer complained that he has got 408 error on his mobile phone. I found many records in the log file but I have to admit I don’t know what to do with this.
My own research
There are several questions on this subject already here. But people are much more specific. Like they discus issues with some specific client software and scripts. Here I just got the error when opening some page on iPhone.
For example in HTTP, 408 Request timeout, it is suggested to do the GET request before POST. If I have custom client I can do this. But I can not control the behavior of the user’s browser.
Guess #1
When searching the Internet and thinking about the issue I found https://serverfault.com/questions/383290/too-many-408-error-codes-in-access-log
The suggestion is to update the Timeout config parameter back to its default value.
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300
I tried the value 30 first because I thought 30 seconds should be enough. But even with 300 seconds default value, I continue to get the errors in the log. I did tail -f when I was writing this text and got more then 10 lines in a few minutes.
To me this does not look a complete solution.
The apache error 408 specifies that the server did not receive a complete request from the client within a specific timeout period.
Here at Bobcares, we have seen several such apache related errors as part of our Server Management Services for web hosts and online service providers.
Today we’ll take a look at the causes for this error and see how to fix it.
Why does apache error 408 occur
When the website connection times out this error occurs. To be simpler when we make a request to the web server, it takes too long for the request to complete when compared to the waiting time of the website’s server.
This means the client request time is higher greater than the server waiting time. So this error is known to be a client-side error.
The Apache 408 error appears with the text “404 Request Time-out” error. For instance, the error appears as shown below.
How we fix apache error 408
There are different ways to fix this error. Although this error is known to be a client-side error, it doesn’t mean that there is no issue with the server end. Now, let’s take a look at the different fixes our Support Engineers provide to our customers to tackle this error.
Client-Side troubleshooting
1. Check your internet connection.
Make sure that you have a good internet connection. In case, if the internet is slow then it could take too long for this request to complete. As a result, if the server timeout value exceeds then a 408 error will occur.
2. Check the URL
Entering an incorrect URL is one of the common causes of this error. So double-check your URL.
3. Revert recent upgrades
If you’ve recently updated the CMS then try reverting it to the previous version.
In case, if you have updated any other extension, modules, themes, or any plugins then this can also be a culprit of your error. So try reverting it to the previous version or you can even consider uninstalling it as well.
4. Reload the webpage
This one is the easiest method to fix this error. Sometimes, a temporary issue on the client or server-side can cause this error. So simply reloading the page can resolve the error.
Server-Side troubleshooting
1. Check the server configuration
Make sure that the web server’s timeout value is not less than that of the client request time.
Check your .htaccess file and the Apache configuration file. Find: KeepAliveTimeout or RequestReadTimeout directives and try increasing their values. Then reload the webserver and try again.
2. Check the logs
Look for the server error logs. This will provide you more information in order to fix this error.
[Need any further assistance in fixing Apache errors? – We are here to help you.]
Conclusion
In short, this error occurs if the server did not receive a complete request from the client within a specific timeout period. Today, we saw different ways to fix this error.
PREVENT YOUR SERVER FROM CRASHING!
Never again lose customers to poor server speed! Let us help you.
Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.
GET STARTED
var google_conversion_label = «owonCMyG5nEQ0aD71QM»;
A colleague recently remarked that while my last post gave a valid explanation how a 408 could have an association with a security measure, it offered no solution.
Piped Access log is my personal solution.
The following should work out-of-the-box on most Ubuntu configurations, and with minimal tinkering on other Apache configurations. I’ve chosen PHP because it’s the easiest to understand. There are two scripts: the first prevents a 408 being written to your access log. The second script sends all 408s to a separate log file. Either way the result is no more 408s in your access log. It’s your choice which script to implement.
Use your favorite text editor, I use nano. Open the file where you have your ‘LogFormat’ and ‘CustomLog’ directives. Comment-out the originals with the usual # and add the following. You may find these directives in the file below.
sudo nano /etc/apache2/sites-available/default
LogFormat "%h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"" AccessLogPipe
CustomLog "|/var/log/apache2/PipedAccessLog.php" AccessLogPipe env=!dontlog
NOTE: I don’t log images in my access log. In my etc/apache2/httpd.conf file I include the line
SetEnvIfNoCase Request_URI ".(gif)|(jpg)|(png)|(css)|(js)|(ico)$" dontlog
If this is of no interest to you then remove the env=!dontlog from the CustomLog directive.
Now create one of the following PHP scripts (#!/usr/bin/php is a reference to the location of the interpreter, make sure that the location is correct for your system — you can do this by typing at the $ prompt; whereis php — this should return something like php: /usr/bin/php /usr/bin/X11/php /usr/share/man/man1/php.1.gz. As you can see #!/usr/bin/php is right for my setup).
sudo nano /var/log/apache2/PipedAccessLog.php
#!/usr/bin/php
<?php
$file = '/var/log/apache2/access.log';
$no408 = '"-" 408 0 "-" "-"';
$stdin = fopen ('php://stdin', 'r');
ob_implicit_flush (true);
while ($line = fgets ($stdin)) {
if($line != "") {
if(stristr($line,$no408,true) == "") {
file_put_contents($file, $line, FILE_APPEND | LOCK_EX);
}
}
}
?>
sudo nano /var/log/apache2/PipedAccessLog.php
#!/usr/bin/php
<?php
$file = '/var/log/apache2/access.log';
$file408 = '/var/log/apache2/408.log';
$no408 = '"-" 408 0 "-" "-"';
$stdin = fopen ('php://stdin', 'r');
ob_implicit_flush (true);
while ($line = fgets ($stdin)) {
if($line != "") {
if(stristr($line,$no408,true) != "") {
file_put_contents($file408, $line, FILE_APPEND | LOCK_EX);
}
else {
file_put_contents($file, $line, FILE_APPEND | LOCK_EX);
}
}
}
?>
Having saved the PipedAccessLog.php script; make sure that root has ownership by executing the following at the $ prompt.
sudo chown -R root:adm /var/log/apache2/PipedAccessLog.php
The PipedAccessLog.php script will need read/write and execute permissions so execute the following at the $ prompt.
sudo chmod 755 /var/log/apache2/PipedAccessLog.php
Finally to get everything working you need to restart the Apache service. Execute the following at the $ prompt.
sudo service apache2 restart
If your Apache logs are located elsewhere then change the paths to suit your configuration. Good Luck.
What is a 408 Request Timeout Error
This error means the server timed out waiting for the client after the client has initiated a request. From the W3 HTTP specs: «The client did not produce a request within the time that the server was prepared to wait. The client may repeat the request without modifications at any later time.» Also see RFC2616.
Are 408 Request Timeout Errors a Problem?
Not necessarily, and 408 errors may not be indicative of a larger issue. In many cases 408 errors are just connections that hold Apache open for longer than allowed based on the timeout settings in the web server’s configuration files.
If Apache never enforced any timeout settings to close connections where the client has not communicated in a certain amount of time, then a single bad actor could flood the server with connections and not allow anyone else to connect.
In some cases these 408 errors come from systems looking for exploits. In recent years link previews and link prefetching have become popular and can also cause 408 errors as the services that implement such link previews (think Slack, social media sites, etc.) do not respect the standards and may leave server connections hanging after receiving the data they need (frequently the og-image, title, and description for the link preview). And link prefetching may just make the initial connection request prior to the user actually clicking the link, so a connection will be initiated on the server side which is left to die on the server side if the user never actually clicks the pre-fetched link.
Required reading about such problems with Google Chrome’s prefetch implementation:
- How Chrome’s pre-connect breaks HaProxy (and HTTP)
- HAProxy and HTTP Errors 408 in Chrome — HAProxy Technologies
- 377581 — Chromium does not handle 408 responses — chromium
Related Apache Configuration Settings:
KeepAliveTimeout
Timeout
Related Apache Modules:
mod_reqtimeout — Apache HTTP Server Version 2.4
Related Attacks:
Slow Loris — if client connections are not timed out after a reasonable interval, an attacker can attempt to max out connection slots to the web server. Duck Duck Go for more info and ways to mitigate, and how to scan log files to identify possible attackers by IP address.
- ‘http-status-code-408’ tag wiki — Stack Overflow
- RFC 2616 — Hypertext Transfer Protocol — HTTP/1.1
- apache 2.2 — Getting 408 errors on our logs with no request or user agent — Server Fault
- Timeout and Keep Alive in Apache
- Apache Performance Tuning for Linux — OLinux
- Apache Performance Tuning — Apache HTTP Server Version 2.4
- apache2 — Understanding “408 Request Timeout” on Apache with PHP — Stack Overflow
- apache 2.2 — too many 408 error codes in access log — Server Fault
and
- mod_reqtimeout — Apache HTTP Server Version 2.4
- access_log — what is 408??? | cPanel Forums
- Reverse Proxy Intermittant 408 Time Out Errors — Forum — Hiawatha webserver
- 377581 — Chromium does not handle 408 responses — chromium
- apache2 — A lot of 408 errors in apache logs — how to prevent them? — Webmasters Stack Exchange
- apache 2.2 — too many 408 error codes in access log — Server Fault
- apache 2.2 — How can I detect Slowloris? — Server Fault
- Quite a few 408 errors in Apache log — DoS ? | Linode Questions
- apache 2.2 — too many 408 error codes in access log — Server Fault
- apache 2.2 — Getting 408 errors on our logs with no request or user agent — Server Fault
- apache2 — Understanding “408 Request Timeout” on Apache with PHP — Stack Overflow
- How Chrome’s pre-connect breaks HaProxy (and HTTP)
- HAProxy and HTTP Errors 408 in Chrome — HAProxy Technologies
- How Chrome’s pre-connect breaks HaProxy (and HTTP)
Не могу решить проблему с ошибками 408, которые пишутся в лог default виртуал хост
сначала начитался, что дос атаки сюда попадают, типа мертвые соединения.
Но за вчера на 500 000 открытых страниц 15тыс соединений попали в логи с 408 ошибкой.
сегодня обнарижил там ИП Гугловсого робота 66.249.76.37 и другие ИП Гугла, на 3500 записей 125 Гугловских, понял, что не DDoS атаки.
much:80 37.147.211.111 - - [21/Dec/2012:01:05:44 +0200] "-" 408 0 "-" "-"
much:80 66.249.76.37 - - [21/Dec/2012:01:08:47 +0200] "-" 408 0 "-" "-"
much:80 217.118.64.39 - - [21/Dec/2012:01:10:53 +0200] "-" 408 0 "-" "-"
much:80 217.118.64.39 - - [21/Dec/2012:01:11:27 +0200] "-" 408 0 "-" "-"
much:80 213.109.234.32 - - [21/Dec/2012:01:11:49 +0200] "-" 408 0 "-" "-"
из лога не понятно, к какому виртульному хосту, какой странице, какой браузер обращается???
из /etc/apache2/apache2.conf важные параметры
#
# ooo OLD 300
Timeout 20
# ooo OLD 100
MaxKeepAliveRequests 150
KeepAliveTimeout 5
<IfModule mpm_prefork_module>
StartServers 50
MinSpareServers 5
MaxSpareServers 256
MaxClients 256
MaxRequestsPerChild 10
</IfModule>
<IfModule mpm_worker_module>
StartServers 20
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxClients 250
MaxRequestsPerChild 10
</IfModule>
<IfModule mpm_event_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
еще прикручены libapache2-mod-evasive и libapache-mod-security
Кто знает как решить проблему?
Спасибо за помощь.
Код ошибки http сервера — ошибка 408 Request Time-out
Этот код ответа означает, что клиент не передал полный запрос в течение некоторого установленного промежутка времени (который обычно задается в конфигурации сервера) и сервер разрывает сетевое соединение.