6

We have private forums running vBulletin, and we've gotten complaints from a customer that has trouble accessing them when he opens a lot of tabs. The last time he called, it was determined that our host had automatically blocked his IP address. After opening a support ticket with the host, they unblocked it, and they said it had been automatically blocked for too many connections (I assume concurrent connections). They said there were 546 connections.

The customer is running IE8 and claims that after around 8-12 tabs, the rest "time out" - every time. And, of course, no other website has this problem.

UPDATE: It turns out that Chrome (or Firefox, but I think it was Chrome) has the same issue. But Opera seems to be fine (I'm figuring because of its aggressive caching).

With no direct access to the computers on either end, how can I hope to resolve this?

DarkTygur
  • Just out of curiosity, what is the maximum number of connections on the server before it blocks a client? *Would it happen to be 512?* – Avery Payne Jul 12 '10 at 21:00
  • Going by things they've said previously on support tickets, I think it's around 200. – DarkTygur Jul 13 '10 at 20:22
  • I'd probably think about changing host to someone who doesn't suck so hard when it comes to normal user activities. You're there to provide a service to your user. If the user can't access the site, that's your business on the line. – Tom O'Connor Jul 14 '10 at 15:48
  • Well-said. We might have to switch hosts. – DarkTygur Jul 15 '10 at 00:29

3 Answers

5

It sounds like your host has some sort of anti-DOS configuration setup and your customer is triggering it by opening many tabs simultaneously. I'm not surprised if a single tab accessing your system is opening several simultaneous HTTP sessions to download files in parallel - so if your customer has 10 tabs opening at once, as newer browsers offer to do, then it's not surprising to hear that your customer is opening 10 x several HTTP sessions to your server.

IE 8 opens up to 6 concurrent sessions to the same hostname.

If you have several hostnames set up as CNAMEs pointing to the same IP (some people like to set up, say, "images.example.com", "css.example.com" and "forums.example.com", all pointing to the same actual host), you may be making the problem worse by making it hard for IE to see that they are all the same machine - apparently the comparison is done by host NAME, not IP.

Your customer could probably reduce the likelihood of this occurring by using a different browser, using a local cache, modifying his IE installation to use fewer simultaneous sessions, or by not loading so many tabs at once.

You could ask your host to increase the number of allowable connections to your webserver, shrink the time window for detecting overusage, or whitelist your customer(s) if your customer(s) use predictable IP addresses.

If your host's firewall is excluding based upon the number of simultaneous open connections, you might be able to improve the situation by making sure your configuration is optimized - e.g., minimizing unnecessary queries, looking at caching with varnish or some other sort of accelerator, turning on compression, making sure you're allowing HTTP persistent connections.

This sounds like a tough problem to solve if you can't control the system making the connections or the system limiting the connections.

gbroiles
  • Well, the host is sticking to the theory that something's wrong with the guy's computer, so they won't do any kind of whitelisting. We're only pointing one hostname at that server - a subdomain meant specifically for the forums. As for alternate browsers, it turns out that Chrome (or Firefox, but I think it was Chrome) has the same issue. But Opera seems to be fine (likely because of its aggressive caching). – DarkTygur Jul 14 '10 at 15:14
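
An added example (not part of the answer or of the thread) for measuring what the answer above describes: it estimates, per client IP, the peak number of requests in flight at the same instant from access-log lines. The log format (IP, start time, time taken in ms), the sample lines and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: client IP, request start (ISO 8601), time taken in ms.
SAMPLE_LOG = """\
203.0.113.7 2010-07-12T21:00:00.000 1200
203.0.113.7 2010-07-12T21:00:00.100 800
203.0.113.7 2010-07-12T21:00:00.150 700
203.0.113.7 2010-07-12T21:00:00.200 900
203.0.113.7 2010-07-12T21:00:00.900 300
198.51.100.9 2010-07-12T21:00:00.000 500
198.51.100.9 2010-07-12T21:00:00.500 500
"""


def parse_log(text):
    """Yield (ip, start, end) per well-formed line; skip anything else."""
    for line in text.splitlines():
        try:
            ip, started, millis = line.split()
            start = datetime.fromisoformat(started)
            yield ip, start, start + timedelta(milliseconds=int(millis))
        except ValueError:
            continue


def peak_concurrency(records):
    """Return {ip: most requests in flight at any one instant}."""
    events = defaultdict(list)
    for ip, start, end in records:
        events[ip] += [(start, 1), (end, -1)]
    peaks = {}
    for ip, evs in events.items():
        # Sorting (time, delta) handles a close (-1) before an open (+1) at the
        # same instant, so back-to-back requests are not counted as overlap.
        active = peak = 0
        for _, delta in sorted(evs):
            active += delta
            peak = max(peak, active)
        peaks[ip] = peak
    return peaks


def over_limit(peaks, limit):
    """Client IPs whose peak exceeds the limit, worst first."""
    return sorted((ip for ip in peaks if peaks[ip] > limit), key=lambda ip: -peaks[ip])


if __name__ == "__main__":
    peaks = peak_concurrency(parse_log(SAMPLE_LOG))
    print(peaks, over_limit(peaks, limit=3))
```

Idle keep-alive connections do not show up in request logs, so the figure a connection-counting firewall sees can be higher than this peak.
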
1

gbroiles already has a good answer; I'm adding an answer as this is too long to fit into a comment.

All browsers open multiple connections in order to download the site faster. Each image, CSS file, JavaScript file, etc. linked to in the HTML must be downloaded, and this is done in parallel to speed things up. You can see how many connections each browser opens at Browserscope.org's "Network" tab.

There are 2 more things to notice:

  • The trend is towards newer browsers opening more connections per host.
  • If the connection is downgraded to HTTP 1.0 (e.g. by an intermediary proxy), then most browsers will open additional connections. (The best link I could quickly find is here; Steve Souders writes more about this in one of his books.)

In effect, if this user is opening 10+ tabs to a single small VPS server, then he is hoarding resources. I think it's perfectly sensible to disallow this. The user may get grumpy, but he only has one set of eyes, so he really can't claim to interact with all 10+ pages at the same time. If the server is a big, beefy machine with low load, then it's another matter of course.

Some of the things you can do are:

  • Look at your HTTP Keepalive setting, and either turn it off, or set it to a low timeout value (e.g. 5 seconds). This may not be enough, but at least you won't have many lingering open connections.
  • Host static content (logos, CSS, JS, images used for layout) on a Content Delivery Network (CDN). Small CDN accounts are cheap now, and you would direct all HTTP requests for static content away from your own server.
  • Verify that your server is sending proper caching headers for static content. As a minimum, you don't want users to download the same logo, CSS and more over and over again. See this excellent tutorial to caching, and test your headers at webpagetest.org or REDbot.
  • Figure out exactly which system blacklisted your customer. If it was an anti-DDoS service from your ISP, then perhaps you could ask to be excluded from the anti-DDoS protection (but think about this first of course). If it was an on-host software firewall, then you could ask for the limits to be raised.

In short, you should be able to fix this together with your hosting partner -- but think about the potential consequences first.

  • The CDN idea sounds sensible. I'll have to look into that. – DarkTygur Jul 15 '10 at 00:31
  • I chose to Accept this answer as it's the one that really helped solve the problem. I updated the server so that static content properly gets Cache-Control and Expires headers. It looks like IE is respecting them by not requesting those files again so quickly, which would decrease the number of connections. The customer reported that the problem appears to have gone away. – DarkTygur Jul 15 '10 at 21:33
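
An added example (not part of the answer or of the thread) for the header check that resolved this: it computes how long a browser may reuse a response from its Cache-Control, Expires and Date headers, and lists static files that get no explicit lifetime or a very short one. The paths, header values, extension list and function names are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

STATIC_EXT = (".css", ".js", ".gif", ".png", ".jpg", ".ico")

# Constructed sample responses: path -> response headers (values are illustrative).
SAMPLE = {
    "/images/logo.gif": {"Date": "Thu, 15 Jul 2010 21:00:00 GMT",
                         "Expires": "Sat, 14 Aug 2010 21:00:00 GMT"},
    "/style.css": {"Cache-Control": "public, max-age=604800"},
    "/menu.js": {"Last-Modified": "Mon, 05 Jul 2010 10:00:00 GMT"},
    "/buttons.png": {"Cache-Control": "no-cache", "Expires": "0"},
    "/forums/index.php": {"Cache-Control": "private, max-age=0"},
}


def freshness_seconds(headers):
    """Seconds a browser may reuse the response without asking the server.
    0 = revalidate or refetch every time; None = no explicit lifetime given."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = {}
    for part in h.get("cache-control", "").split(","):
        name, _, arg = part.strip().partition("=")
        cc[name.lower()] = arg.strip('"')
    if "no-store" in cc or "no-cache" in cc:
        return 0
    try:
        if "max-age" in cc:  # max-age takes precedence over Expires
            return max(0, int(cc["max-age"]))
        if "expires" in h:
            sent = h.get("date")
            base = parsedate_to_datetime(sent) if sent else datetime.now(timezone.utc)
            expires = parsedate_to_datetime(h["expires"])
            return max(0, int((expires - base).total_seconds()))
    except (TypeError, ValueError):
        return 0  # malformed max-age or date (e.g. Expires: 0) counts as stale
    return None


def short_lived_static(responses, min_seconds=3600):
    """Static paths with no explicit lifetime or one below min_seconds."""
    flagged = []
    for path, headers in responses.items():
        life = freshness_seconds(headers)
        if path.lower().endswith(STATIC_EXT) and (life is None or life < min_seconds):
            flagged.append(path)
    return flagged
```

On the sample, `short_lived_static(SAMPLE)` flags `/menu.js` and `/buttons.png`, the two files a browser would keep requesting again on each new tab.
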
0

Given you can't control either the web browser or the server, you have two options.

1) Take control of the server by putting the site on something you have more control over. This will cost you in time and money, but it will gain you as much control as you're willing to pay for. A Rackspace cloud server, a VPS from a recommended provider or just good quality shared hosting would go a long way here. You could also use a hosted forum solution; you wouldn't get much control but you'd be paying somebody else to worry about things like this.

2) Reduce the number of requests being made. You can do this by not having multiple CSS or JS files, reducing the number of images, using CSS sprites and eventually using a CDN (or just a separate machine) for hosting as much of the external images, JavaScript and CSS as possible. You'll need to be able to take quite close control over your forum software, and I've never developed with vBulletin, but it should certainly be doable - at least in part.

WheresAlice