I’m running a web server using nginx.
For some cases, I purposefully make the website load over 100 seconds so that Cloudflare displays its timeout error.
However, this results in nginx and Cloudflare never closing these connections.
netstat shows a CLOSE_WAIT connection staying open for each of these unterminated connections.
This eventually leads to the server running out of available file descriptors.
Is there a way to force nginx or Cloudflare to properly close those connections, while still showing the Cloudflare timeout?
M4rt1n
May 18, 2022, 12:42pm
2
Which version, if I might ask?
Since this issue with too many “CLOSE_WAIT” connections (opened connections that should be closed, but are not) has been fixed in Nginx v1.19.9: #2145 (CLOSE_WAIT socket leak in downstream connections with keepalive) – nginx
Here’s the full version with modules:
nginx version: nginx/1.20.2
built by gcc 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --add-module=../echo-nginx-module-master --with-http_perl_module --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module
I’m using the echo_sleep command from the echo-nginx-module to make nginx wait.
There even was an old Cloudflare Blog post about it: https://blog.cloudflare.com/this-is-strictly-a-violation-of-the-tcp-specification/
But I don’t know how to solve that issue.
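One way to measure the leak described in this thread, as an added example (not code from any poster here): it parses the kernel's /proc/net/tcp table, counts CLOSE_WAIT sockets per local port and per peer, and flags when they reach a share of the file-descriptor limit. The sample table, the `fd_limit` value and the `warn_ratio` threshold are constructed assumptions, and only IPv4 entries are handled.

```python
import socket
import struct
from collections import Counter

CLOSE_WAIT = 0x08  # state code the kernel prints in the "st" column

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2001
   1: 0A00000A:01BB 010200C0:C001 08 00000000:00000000 00:00000000 00000000    33        0 2002
   2: 0A00000A:01BB 010200C0:C002 08 00000000:00000000 00:00000000 00000000    33        0 2003
   3: 0A00000A:01BB 020200C0:C003 08 00000000:00000000 00:00000000 00000000    33        0 2004
   4: 0A00000A:01BB 020200C0:C004 01 00000000:00000000 00:00000000 00000000    33        0 2005
   5: 0A00000A:0050 020200C0:C005 08 00000000:00000000 00:00000000 00000000    33        0 2006
"""

def decode_v4(endpoint):
    """Turn 'HEXADDR:HEXPORT' into (dotted address, port).
    The address is a little-endian 32-bit value; the port is plain hex."""
    hexaddr, hexport = endpoint.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))
    return addr, int(hexport, 16)

def close_wait_sockets(table):
    """Return (local, remote, inode) for every CLOSE_WAIT row in the table."""
    found = []
    for line in table.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10 or int(f[3], 16) != CLOSE_WAIT:
            continue
        found.append((decode_v4(f[1]), decode_v4(f[2]), int(f[9])))
    return found

def summarize(table, fd_limit, warn_ratio=0.5):
    """Count CLOSE_WAIT sockets and compare them with the descriptor limit.
    fd_limit is an assumption supplied by the caller (e.g. `ulimit -n`)."""
    socks = close_wait_sockets(table)
    return {
        "total": len(socks),
        "per_port": dict(Counter(local[1] for local, _, _ in socks)),
        "per_peer": dict(Counter(remote[0] for _, remote, _ in socks)),
        "alert": len(socks) >= warn_ratio * fd_limit,
    }

if __name__ == "__main__":
    try:                                          # live table on Linux
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:                               # fall back to the sample
        table = SAMPLE
    print(summarize(table, fd_limit=1024))
```

Run periodically, a rising `total` on the nginx listening port while traffic is flat points at sockets that the peer has closed but the local process has not.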