Apache reverse-proxy intermittent error 113 - No route to host

apache-2.2 mod-rewrite mod-proxy
10,088

Solution 1

To solve this problem you need to add rule(s) in the 'iptables' of your App servers. For Red Hat Enterprise the file is '/etc/sysconfig/iptables' . It should be the same for CentOS.

You probaly have one or more rules that accept NEW connection from the front-ends that look like these:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 'IP of the front-ends' --dport 'port number' -j ACCEPT

OR

-A RH-Firewall-1-INPUT -m state --state NEW -m multiport -m tcp -p tcp -s 'IP of the front-ends' --dports 'ports numbers' -j ACCEPT

Your problem shoud be solved by adding rules that send a tcp-reset to the front-ends for each SYN packet that passed throught the preceedings rules. The rules should looks like these:

-A RH-Firewall-1-INPUT -m tcp -p tcp -s 'IP of the front-ends' --dport 'port number' --syn -j REJECT --reject-with tcp-reset

OR

-A RH-Firewall-1-INPUT -m multiport -m tcp -p tcp -s 'IP of the front-ends' --dports 'ports numbers' --syn -j REJECT --reject-with tcp-reset

Add the rules near the end of your 'iptables' just before the rule that looks like:

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Good luck.

Paul

Solution 2

I had this problem (113 - No route to host) on CentOS 6.5 with Apache 2.2, although it was only intermittent- about every 20 mins. I doubt it is related to your issue but this may help someone.

I captured the network traffic on both ends using Wireshark and discovered that ICMP host administratively prohibited packets were sometimes being returned by the App server in response to a SYN packet from the Reverse Proxy. However, most of the time the SYNs were being accepted.

Based on Paul's answer, I checked the iptables rules- indeed the rules of course were fine to accept NEW connections on port 8009.

I decided to reset iptables with the command:

service iptables restart

After restarting iptables the '113 - No route to host' problem has gone away completely.

Share:
10,088

Related videos on Youtube

BonkaBonka
Author by

BonkaBonka

I write in Python for a living but occasionally create filthy hacks in Go when it makes sense.

Updated on September 17, 2022

Comments

  • BonkaBonka
    BonkaBonka over 1 year

    I've got an Apache 2.0.52 server on CentOS 4 that front-ends a couple of App servers (mix of Jetty and Tomcat). Apache has a handful of virtual hosts configured like this:

    <VirtualHost www1.example.com:443>
    ServerName www1.example.com
    DocumentRoot "/mnt/app_web/html"

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile      /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/chain.crt
    SSLCertificateKeyFile   /etc/httpd/conf/ssl.key/server.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

    RewriteEngine on
    RewriteRule ^/app1/(.*)$ http://app1.example.com:8080/app1/$1 [P,L]
    RewriteRule ^/app2/(.*)$ http://app2.example.com:8080/app2/$1 [P,L]
</VirtualHost>

    However, I'm getting the following errors in the logs intermittently:

    [Fri Dec 04 07:19:41 2009] [error] (113)No route to host: proxy: HTTP: attempt to connect to 10.0.0.1:8080 (app1.example.com) failed

    I initially tried turning off IPv6, and that seemed to largely cure it, but I still have sporadic bursts of these messages.

    Additionally, we're running memcache on same front-end and during the times when I'm getting those messages in Apache's log, the following command doesn't work:

    echo stats | nc 127.0.0.1 11211

    No messages are printed, but neither are the stats printed. I am completely lost as to how to proceed with troubleshooting this. =(

  • BonkaBonka
    BonkaBonka over 13 years
    While this didn't exactly fix the problem, it did point the way to a proper resolution - specifically the iptables rules allowed access to tomcat only if the request was IPv4 (d'oh!) We also shuffled a couple of PHP apps off the front-end server to another VM and we've been error-free for a couple of months now. Thanks! (I'd upboat but I don't have the rep on this shard =/)
  • BonkaBonka
    BonkaBonka about 9 years
    This came back to bite us again a while ago and we finally found the root cause - IPTables connection tracking. Turning that off truly cured the problem.
  • BonkaBonka
    BonkaBonka about 9 years
    IPv6 was a red-herring. The root cause is IPTables' connection tracking. Disabling it has permanently cured the issue.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Custom Apache ErrorDocument with proxy balancer & RewriteEngine
apache2 mod_proxy in conjuction with mod_rewrite not working as expected
to set RequestHeader in apache httpd server is not working
How to pass arguments through ProxyPass in Apache
Trying to redirect a url to another page by IP range
Using Apache httpd to redirect context path?
Mod-proxy with query string alternatives?
Dynamically set RequestHeader host within Apache mod rewrite
Apache: proxy an internal URL using regex
ProxyPass only if file doesn't exist