Welcome to Geeklog, Anonymous Thursday, September 19 2024 @ 07:42 pm EDT

Geeklog Forums

Possible Bad_Behavior problem


Status: offline

scarecrow

Forum User
Junior
Registered: 10/24/07
Posts: 33
I don't know if this is a plugin problem, a BB issue, or a common problem out in the wild. While playing with the BB plugin I see that there are quite a few legit users turned away, and as near as I can tell it's due to the "Connection" header line. The users that are being flagged have "Connection: keep-alive, close". Comparing this to the server logs, it would appear that "Connection: close" or "Connection: keep-alive" is acceptable, but not both values together. In one of the cases the remote computer is behind a Squid proxy, the others I don't know. Browser doesn't seem to play into it: MS I-Exploder, Firefox, Konqueror, Opera, and Galeon are all in the list with the same issue. The error the plugin displays is proxy related, so this may be proxy/firewall related, or at least something playing with the HTTP headers.

BB Log:

Header 'Connection' contains invalid values

GET /blog/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en,en-us;q=0.8,en-ie;q=0.5,en-ca;q=0.3
Cache-Control: no-cache, max-age=259200
Connection: keep-alive, close

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
What makes you think those are legit users? The user agent (browser) name doesn't mean a thing, it's easy to fake.

Check the IP addresses of those requests. I would almost bet you'd see a lot of them coming from China, Russia and other areas well-known to host a lot of spammers ...

bye, Dirk

Status: offline

scarecrow

Forum User
Junior
Registered: 10/24/07
Posts: 33
Quote by: Dirk

What makes you think those are legit users? The user agent (browser) name doesn't mean a thing, it's easy to fake.

Check the IP addresses of those requests. I would almost bet you'd see a lot of them coming from China, Russia and other areas well-known to host a lot of spammers ...

bye, Dirk
I don't think, I know. The site hasn't gone 'public', just a test bed for a client. The site gets its share of the script kiddies with their RFIs, but they are not amongst the users in question. There are just shy of 60 users that are associated with the client around the country that peruse the site regularly. All but a couple of the hits referenced are verifiably from these remote locations. It does appear that some Squid versions as well as some versions of Norton do send both 'keep-alive' and 'close' in the HTTP header. BB says that's a no-no, and quite possibly correctly... 'close and keep-alive are mutually exclusive'. However that may not be the opinion of the proxy and firewall folks. I worked with the admin at one of the sites today to modify Squid's behavior so it's no longer considered 'bad'. All this may be an isolated thing that just happened to appear chronic to us, but with all the Nortons and Squids out there, I wouldn't be surprised if it's somewhat common.
Thanks for the reply, Dirk, and happy holidays!
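The check the thread is about, written out as an added example (this is illustration code, not Bad Behavior's or Geeklog's own): it parses a raw request head, normalises the Connection header as the comma-separated, case-insensitive token list HTTP/1.1 defines, and flags the keep-alive/close combination from the log above. The sample requests are constructed; the second one shows the same conflict arriving as two separate Connection lines, and the Via header in the first is an assumption about what a forwarding proxy adds, used only as a triage hint when deciding whether a flagged hit is a proxied user.

```python
from typing import NamedTuple

# Constructed sample requests, modelled on the Bad Behavior log in this
# thread (the first reproduces the Connection header it rejected).
SAMPLE_REQUESTS = {
    "squid_user": (
        "GET /blog/ HTTP/1.1\r\n"
        "Cache-Control: no-cache, max-age=259200\r\n"
        "Connection: keep-alive, close\r\n"
        "Via: 1.1 proxy.example.test (squid)\r\n\r\n"   # assumed proxy hop
    ),
    "split_header": (
        "GET /blog/ HTTP/1.1\r\n"
        "Connection: Keep-Alive\r\n"
        "Connection: close\r\n\r\n"
    ),
    "plain": "GET /blog/ HTTP/1.1\r\nConnection: keep-alive\r\n\r\n",
}


class ConnectionVerdict(NamedTuple):
    tokens: tuple       # normalised Connection tokens, in header order
    conflict: bool      # True when keep-alive and close both appear
    via_proxy: bool     # True when a Via header is present (triage hint)


def parse_head(raw: str) -> dict:
    """Parse a request head into {lower-case name: value}. Repeated
    list-valued fields are joined with ', ' as RFC 7230 section 3.2.2 allows."""
    headers: dict = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def connection_tokens(value: str) -> tuple:
    """Connection is a comma-separated, case-insensitive token list;
    empty list elements are permitted and ignored."""
    return tuple(t.strip().lower() for t in value.split(",") if t.strip())


def check_request(raw: str) -> ConnectionVerdict:
    """Apply the mutual-exclusion rule the thread describes to one request."""
    headers = parse_head(raw)
    tokens = connection_tokens(headers.get("connection", ""))
    conflict = "keep-alive" in tokens and "close" in tokens
    return ConnectionVerdict(tokens, conflict, "via" in headers)


if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(name, check_request(raw))
```

Run over your own access logs, the `via_proxy` flag separates hits that arrive through a forwarding proxy (the Squid case in the thread) from ones where the client itself sends both tokens.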
