Right. It was mod_security's suspicious User-Agent rule that was triggering the firewall block.
[Mon May 13 23:27:28 2013] [error] [client 72.232.223.58] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^w3c-|systran\\))" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec_rules/20_asl_useragents.conf"] [line "130"] [id "330039"] [rev "4"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious Unusual User Agent (libwww-perl). Disable this rule if you use libwww-perl. "] [severity "CRITICAL"] [hostname "centos.hostingxtreme.com"] [uri "/6.3/os/i386/repodata/repomd.xml"] [unique_id "UZEpiM7eFzIAC1GSBYMAAAAL"]
This was the only IP blocked for this subdomain, so legitimate users should not be getting affected. I have disabled that rule for this subdomain.
As far as the slowdown is concerned, we do not have any block based on DNS / rDNS / region / location etc. In all the test tools etc, the DNS does not seem to be the problem.
Wait 83.19% Connect 8.53% SSL 6.04% DNS 2.23% Receive 0.01% Send 0.00%
Any other suggestions welcome.
Ruzbeh.
On Tue, May 21, 2013 at 2:28 AM, Ralph Angenendt ralph.angenendt@gmail.comwrote:
On 20.05.2013 08:47, Info | HostingXtreme.com wrote:
I traced the mirror status probe server to 72.232.223.58 (US/United
States/
58.223.232.72.static.reverse.ltdomains.com)
Whitelisting this IP in the firewall has got it to show up again. Not
sure
how many other Probe IPs are there.
That should be the only probing IP. But as it is doing http and/or ftp connects on a *public* mirror, it shouldn't be in a blacklist anyway (or firewalled), as it behaves as a normal client.
It checks for the two timestamp files in the / of your mirror.
Regards,
Ralph
CentOS-mirror mailing list CentOS-mirror@centos.org http://lists.centos.org/mailman/listinfo/centos-mirror