Issues
- LP #1502411: proxy-protocol doesn't take in consideration connect_timeout, possible DOSPS-3314Resolved issue: PS-3314
- LP #1502408: When using proxy protocol, mysql must bind to an address instead of 0.0.0.0PS-3313Resolved issue: PS-3313
- LP #1496315: Percona Server 5.6.26-74.0 fails to compile from source on FreeBSDPS-2124Resolved issue: PS-2124
- LP #1508909: Connect without proxy information hangs if "proxy_protocol_networks" is enabledPS-1659Resolved issue: PS-1659patrick.birch
- Logrotate not working with proxy protocolK8SPXC-1364Resolved issue: K8SPXC-1364Julio Pasinatto
5 of 5
LP #1502411: proxy-protocol doesn't take in consideration connect_timeout, possible DOS
Won't Do
General
Escalation
General
Escalation
Description
Environment
None
Smart Checklist
Details
Assignee
UnassignedUnassignedReporter
lpjirasynclpjirasync(Deactivated)Affects versions
Priority
Low
Details
Details
Assignee
Unassigned
UnassignedReporter
lpjirasync
lpjirasync(Deactivated)
Affects versions
Priority
LowSmart Checklist
Smart Checklist
Smart Checklist
Created January 24, 2018 at 8:32 AM
Updated December 2, 2024 at 12:19 PM
Resolved September 2, 2024 at 12:02 PM
Activity
Julia VuralSeptember 2, 2024 at 12:02 PM
We talked about this issue during our backlog refinement meeting and decided that it is a low priority issue. For the time being, there are higher priority items that we want to focus our energy at. Hence, closing it as won't do.
Kamil HolubickiJuly 26, 2024 at 8:44 AM
I confirm the behavior reported (as well 8.0.36).
The thing is:
We’ve got wait_timeout and interactive_timeout variables that cause automatic client disconnection in case of inactivity. Both default to 8hrs
If we start the container like
docker run -it --name ps80 -p 3306:3306 -e MYSQL_ROOT_PASSWORD=secret percona:8.0 --interactive-timeout=60 --wait-timeout=60 --max-connections=3
and then
docker exec -it ps80 mysql -uroot -psecret --protocol=tcp
first 3 connections will be fine, 4th one will be ERROR 1040 (HY000): Too many connections.
That’s OK.Wait for 60 seconds and retry the fourth connection. Now it connects because the first three connections were disconnected by timeout.
However, it is not the case when server is started with --proxy_protocol_networks='*'
In such a case the attempting connection is hanging in the state ‘login’ state and is never timeouted.
I didn’t investigate why it hangs (should it?), but my understanding is that this ticket is about timeouting such connection. It should automatically be killed after 60 seconds.
@Nickolay Ihalainen @Marco Tusa,
Do I understand the problem and the requirement properly
George LorchJanuary 20, 2020 at 5:06 PM
Nickolay IhalainenApril 5, 2019 at 4:00 AMEdited
Confirmed with Percona Server 5.7.25
docker run -it --name ps3314 -p 3306:3306 -e MYSQL_ROOT_PASSWORD=secret percona:5.7 --proxy_protocol_networks='*'
docker exec -it ps3314 mysql -uroot -psecret --protocol=tcp # hangs
docker exec -it ps3314 mysql -uroot -psecret # local unix socket connection working
mysql> show processlist;
+----+----------------------+-----------------+------+---------+------+----------+------------------+-----------+---------------+
| Id | User | Host | db | Command | Time | State | Info | Rows_sent | Rows_examined |
+----+----------------------+-----------------+------+---------+------+----------+------------------+-----------+---------------+
| 3 | root | localhost | NULL | Query | 0 | starting | show processlist | 0 | 0 |
| 4 | unauthenticated user | connecting host | NULL | Connect | 2590 | login | NULL | 0 | 0 |Stack trace:
10 __io_getevents_0_4(libaio.so.1),LinuxAIOHandler::collect(os0file.cc:2800),LinuxAIOHandler::poll(os0file.cc:2946),os_aio_linux_handler(os0file.cc:3002),os_aio_handler(os0file.cc:3002),fil_aio_wait(fil0fil.cc:6359),io_handler_threa
d(srv0start.cc:337),start_thread(libpthread.so.0),clone(libc.so.6)
6 recv(libpthread.so.0),recv(socket2.h:44),vio_process_proxy_header(socket2.h:44),vio_peer_addr(socket2.h:44),check_connection(sql_connect.cc:1126),login_connection(sql_connect.cc:1357),thd_prepare_connection(sql_connect.cc:1357),h
andle_connection(connection_handler_per_thread.cc:312),pfs_spawn_thread(pfs.cc:2190),start_thread(libpthread.so.0),clone(libc.so.6)
3 pthread_cond_wait,wait(os0event.h:156),os_event::wait_low(os0event.h:156),os_event_wait_low(os0event.cc:328),srv_worker_thread(srv0srv.cc:3026),start_thread(libpthread.so.0),clone(libc.so.6)
1 sigwait(libpthread.so.0),signal_hand(mysqld.cc:2370),pfs_spawn_thread(pfs.cc:2190),start_thread(libpthread.so.0),clone(libc.so.6)
1 sigwaitinfo(libc.so.6),timer_notify_thread_func(posix_timers.c:77),pfs_spawn_thread(pfs.cc:2190),start_thread(libpthread.so.0),clone(libc.so.6)
1 pthread_cond_wait,wait(os0event.h:156),os_event::wait_low(os0event.h:156),os_event_wait_low(os0event.cc:328),srv_purge_coordinator_suspend(srv0srv.cc:3187),srv_purge_coordinator_thread(srv0srv.cc:3187),start_thread(libpthread.so.
0),clone(libc.so.6)
1 pthread_cond_wait,wait(os0event.h:156),os_event::wait_low(os0event.h:156),os_event_wait_low(os0event.cc:328),buf_resize_thread(buf0buf.cc:3027),start_thread(libpthread.so.0),clone(libc.so.6)
1 pthread_cond_wait,wait(os0event.h:156),os_event::wait_low(os0event.h:156),os_event_wait_low(os0event.cc:328),buf_dump_thread(buf0dump.cc:782),start_thread(libpthread.so.0),clone(libc.so.6)
1 pthread_cond_wait,native_cond_wait(thr_cond.h:140),my_cond_wait(thr_cond.h:140),inline_mysql_cond_wait(thr_cond.h:140),compress_gtid_table(thr_cond.h:140),pfs_spawn_thread(pfs.cc:2190),start_thread(libpthread.so.0),clone(libc.so.
6)
1 pthread_cond_timedwait,os_event::timed_wait(os0event.cc:81),os_event::wait_time_low(os0event.cc:208),os_event_wait_time_low(os0event.cc:311),srv_monitor_thread(srv0srv.cc:1942),start_thread(libpthread.so.0),clone(libc.so.6)
1 pthread_cond_timedwait,os_event::timed_wait(os0event.cc:81),os_event::wait_time_low(os0event.cc:208),os_event_wait_time_low(os0event.cc:311),srv_error_monitor_thread(srv0srv.cc:2102),start_thread(libpthread.so.0),clone(libc.so.6)
1 pthread_cond_timedwait,os_event::timed_wait(os0event.cc:81),os_event::wait_time_low(os0event.cc:208),os_event_wait_time_low(os0event.cc:311),pc_sleep_if_needed(buf0flu.cc:2772),buf_flush_page_cleaner_coordinator(buf0flu.cc:2772),
start_thread(libpthread.so.0),clone(libc.so.6)
1 pthread_cond_timedwait,os_event::timed_wait(os0event.cc:81),os_event::wait_time_low(os0event.cc:208),os_event_wait_time_low(os0event.cc:311),lock_wait_timeout_thread(lock0wait.cc:573),start_thread(libpthread.so.0),clone(libc.so.6
)
1 pthread_cond_timedwait,os_event::timed_wait(os0event.cc:81),os_event::wait_time_low(os0event.cc:208),os_event_wait_time_low(os0event.cc:311),ib_wqueue_timedwait(ut0wqueue.cc:160),fts_optimize_thread(fts0opt.cc:2900),start_thread(
libpthread.so.0),clone(libc.so.6)
1 pthread_cond_timedwait,os_event::timed_wait(os0event.cc:81),os_event::wait_time_low(os0event.cc:208),os_event_wait_time_low(os0event.cc:311),dict_stats_thread(dict0stats_bg.cc:428),start_thread(libpthread.so.0),clone(libc.so.6)
1 poll(libc.so.6),poll(poll2.h:46),vio_io_wait(poll2.h:46),vio_socket_io_wait(viosocket.c:116),vio_read(viosocket.c:171),net_read_raw_loop(net_serv.cc:672),net_read_packet_header(net_serv.cc:756),net_read_packet(net_serv.cc:756),my
_net_read(net_serv.cc:899),Protocol_classic::read_packet(protocol_classic.cc:808),Protocol_classic::get_command(protocol_classic.cc:965),do_command(sql_parse.cc:992),handle_connection(connection_handler_per_thread.cc:318),pfs_spawn_threa
d(pfs.cc:2190),start_thread(libpthread.so.0),clone(libc.so.6)
1 poll(libc.so.6),poll(poll2.h:41),Mysqld_socket_listener::listen_for_connection_event(poll2.h:41),connection_event_loop(connection_acceptor.h:66),mysqld_main(connection_acceptor.h:66),__libc_start_main(libc.so.6),_start
1 nanosleep(libpthread.so.0),os_thread_sleep(os0thread.cc:303),srv_master_sleep(srv0srv.cc:2812),srv_master_thread(srv0srv.cc:2812),start_thread(libpthread.so.0),clone(libc.so.6)
1 nanosleep(libpthread.so.0),os_thread_sleep(os0thread.cc:303),buf_lru_manager_sleep_if_needed(buf0flu.cc:3576),buf_lru_manager(buf0flu.cc:3576),start_thread(libpthread.so.0),clone(libc.so.6)It's possible to reach max_connections:
set global max_connections=10;
repeat docker exec -it ps3314 mysql -uroot -psecret --protocol=tcp until:
ERROR 1040 (HY000): Too many connections
**Reported in Launchpad by Frederic Descamps last update 23-10-2015 04:30:18
When proxy_protocol_network =* is used, it's impossible to connect directly to MySQL (bypassing the proxy sending proxy-protocol header).
The problem is that if mysql client tries to connect anyway , there is no timeout (connect_timeout) used. This can lead to max connection easily reached:
pxc1 mysql> show full processlist;
---------------------------------------------------------------------------------------------------------------------------------+
Id
User
Host
db
Command
Time
State
Info
Rows_sent
Rows_examined
---------------------------------------------------------------------------------------------------------------------------------+
1
system user
NULL
Sleep
1969
NULL
NULL
0
0
2
system user
NULL
Sleep
1969
wsrep aborter idle
NULL
0
0
9
root
localhost
NULL
Query
0
init
show full processlist
0
0
990
unauthenticated user
connecting host
NULL
Connect
NULL
login
NULL
0
0
992
unauthenticated user
connecting host
NULL
Connect
NULL
login
NULL
0
0
993
unauthenticated user
connecting host
NULL
Connect
NULL
login
NULL
0
0
994
unauthenticated user
connecting host
NULL
Connect
NULL
login
NULL
0
0
996
unauthenticated user
connecting host
NULL
Connect
NULL
login
NULL
0
0
997
unauthenticated user
connecting host
NULL
Connect
NULL
login
NULL
0
0
---------------------------------------------------------------------------------------------------------------------------------+