web requests killing CAS server

web requests killing CAS server

by Brian Gibson -
Number of replies: 5

Sorry, I didn't know exactly where to post this so I did it here.

We are seeing a flood of web requests (20 or so per second) to our CAS server from certain clients logging into Moodle. The log entries on the CAS server look like this

155.47.47.196 - - [10/Apr/2014:09:29:30 -0400] GET /cas/login?service=https%3A%2F%2Foncourse.wheatoncollege.edu%2Flogin%2Findex.php&gatewa
y=true HTTP/1.1 200 370 ???'???resource in 'calendar, mail, portal, resource{usid}c -

155.47.47.196 - - [10/Apr/2014:09:29:30 -0400] GET /cas/login?service=https%3A%2F%2Foncourse.wheatoncollege.edu%2Flogin%2Findex.php&gatewa
y=true HTTP/1.1 200 370 ???'???resource in 'calendar, mail, portal, resource{usid}c -

We initially thought we had this issue resolved, we thought it was a Safari SSL bug in Mac OSX 10.9.1 but today we saw a Windows computer do it (although it did have Safari 5.1.7 installed) but we couldn't reproduce the issue after it stopped. Back when we found an OSX 10.9.1 system doing it we could easily reproduce it, just log into Moodle and it would start hammering away at the CAS server. If you used Chrome or Firefox it didn't happen. Even after we upgraded to OSX 10.9.2 and used Safari to get to Moodle it still kept happening until we dumped the Safari cache, then it stopped.

We are running some version of Moodle 2 (not sure, I'm not the Moodle admin). Any thoughts on what could be causing this? One machine yesterday made a quarter of a million web requests to our CAS server alone!

 

 

Average of ratings: -
In reply to Brian Gibson

Re: web requests killing CAS server

by Brian Gibson -

An update on this issue.... it is not isolated to Mac OSX 10.9.1, we've found several different OS versions (including 10.9.2) exhibiting the exact same behavior. It IS isolated to Safari. I found a professor who's machine was doing it this morning so I paid him a visit and confirmed his IP address with the IPs I was seeing in the logs. He had Safari up but did not have Moodle in a window or tab and his machine was pounding away at the server (I was doing "tail -f /var/log/httpd/ssl_access_log).

I removed any cookies related to the moodle or CAS server and the problem was still happening. I then closed out of Safari completely and it stopped. I then fired up Safari (without going to the Moodle page) and the requests on the Moodle server started pouring in again. This leads me to believe that it might be some miscoded (or incorrectly processed) javascript from the Moodle server that Safari is holding on to and won't stop processing it.

One other note, I shut off the professor's anti virus (ESET) temporarily to see if there was some sort of conflict between it and the web content from the Moodle server but that didn't help.

Any and all advice would be greatly appreciated smile

Average of ratings: -
In reply to Brian Gibson

Re: web requests killing CAS server

by Charles Fulton -
Picture of Core developers Picture of Plugin developers Picture of Testers

Brian, does your institution have some kind of SSO-enabled portal that could be trying to authenticate to Moodle in the background but is getting trapped in a loop? It looks like from your logs that CAS gateway mode is active and I've seen that cause looping behavior.

Average of ratings: -
In reply to Charles Fulton

Re: web requests killing CAS server

by Brian Gibson -

Hi Charles,

We figured out how to replicate the issue and it looks like it is a combination of the following elements

- CAS (for SSO like you mentioned)

- Safari (it doesn't effect other browsers)

- Javascript

We can reproduce the issue by doing the following.

Log into Moodle with Safari then browse to a particular course then open up a new tab in Safari and the https requests come pouring in. Once the requests start you can go to "Safari" -> "Preferences" -> "Security" and disable Javascript and the request stop.

The other thing that is interesting is if the flood of requests are hitting the server you can close Safari and the request stop, but if you fire up Safari again (and don't even go to the Moodle web page) the https requests start up again.

Next step is to set up a test Moodle server the same way this server is set up and copy over a course that causes the issue and if we can reproduce the issue we will switch the test server over to LDAP authentication and see if the problem still happens and take it from there.

 

 

 

 

 

Average of ratings: -
In reply to Brian Gibson

Re: web requests killing CAS server

by Mark Pearson -

We had a similar problem last semester. The Moodle server is set to CAS authentication (ugly Luminis CAS server) and was configured to allow access to logged in users only. So if you went  to moodle.earlham.edu you'd get redirected to the CAS login which happened to be the Luminis portal (locally known as  theHeart).

What Safari does in a blank tab or page  is to make this an infinite loop by continually polling the moodle server, getting redirected, trying to render the page and getting frustrated and reloading the original. Firefox OTOH uses a non-dynamic way to show the mini-web panes in a fresh tab. We addressed the problem by allowing access to the moodle front page to non-logged in users. Not brilliant but better than the alternative.

Hope this helps.

Average of ratings: Useful (1)