Right. It was mod_security's suspicious User-Agent rule that was triggering the firewall block.
[Mon May 13 23:27:28 2013] [error] [client 72.232.223.58] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^w3c-|systran\\\\))" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec_rules/20_asl_useragents.conf"] [line "130"] [id "330039"] [rev "4"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious Unusual User Agent (libwww-perl). Disable this rule if you use libwww-perl. "] [severity "CRITICAL"] [hostname "centos.hostingxtreme.com"] [uri "/6.3/os/i386/repodata/repomd.xml"] [unique_id "UZEpiM7eFzIAC1GSBYMAAAAL"]
This was the only IP blocked for this subdomain, so legitimate users should not be getting affected. I have disabled that rule for this subdomain.
As far as the slowdown is concerned, we do not have any block based on DNS / rDNS / region / location etc. In all the test tools etc, the DNS does not seem to be the problem.
Wait 83.19%
Connect 8.53%
SSL 6.04%
DNS 2.23%
Receive 0.01%
Send 0.00%
Any other suggestions welcome.
Ruzbeh.
On Tue, May 21, 2013 at 2:28 AM, Ralph Angenendt
<ralph.angenendt@gmail.com> wrote:
On 20.05.2013 08:47, Info | HostingXtreme.com wrote:
> I traced the mirror status probe server to 72.232.223.58 (US/United States/58.223.232.72.static.reverse.ltdomains.com)
>
> Whitelisting this IP in the firewall has got it to show up again. Not sure
> how many other Probe IPs are there.
That should be the only probing IP. But as it is doing http and/or ftp
connects on a *public* mirror, it shouldn't be in a blacklist anyway (or
firewalled), as it behaves as a normal client.
It checks for the two timestamp files in the / of your mirror.
Regards,
Ralph
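
Added example, not part of the original thread: one way to check a statement like "this was the only IP blocked for this subdomain" is to tally ModSecurity denials per virtual host, client and rule id from the Apache error log. The log lines are constructed in the Apache 2.2 layout of the entry quoted above; the IPs, hostnames, file path and rule id 900001 are placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (placeholders, not taken from a real server).
SAMPLE_LOG = r'''
[Mon May 13 23:27:28 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^w3c-)" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/modsec/ua.conf"] [line "130"] [id "330039"] [msg "Suspicious Unusual User Agent (libwww-perl)"] [severity "CRITICAL"] [hostname "mirror.example.org"] [uri "/6.3/os/i386/repodata/repomd.xml"] [unique_id "AAAA"]
[Mon May 13 23:57:31 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^w3c-)" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/modsec/ua.conf"] [line "130"] [id "330039"] [msg "Suspicious Unusual User Agent (libwww-perl)"] [severity "CRITICAL"] [hostname "mirror.example.org"] [uri "/timestamp.txt"] [unique_id "AAAB"]
[Mon May 13 23:58:02 2013] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:q. [file "/etc/modsec/sql.conf"] [line "12"] [id "900001"] [msg "Placeholder rule"] [hostname "www.example.org"] [uri "/search"] [unique_id "AAAC"]
[Mon May 13 23:58:40 2013] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico
'''

# ModSecurity metadata is written as [key "value"]; values may hold escaped quotes.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')


def parse_denial(line):
    """Return a dict of fields for a ModSecurity denial line, else None."""
    if "ModSecurity: Access denied" not in line:
        return None
    client = CLIENT_RE.search(line)
    if client is None:
        return None
    record = {"client": client.group(1)}
    for key, value in TAG_RE.findall(line):
        record.setdefault(key, value)  # keep the first value if a key repeats
    return record


def blocks_by_vhost(lines):
    """Count denials per (hostname, client, rule id)."""
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec:
            counts[(rec.get("hostname", "?"), rec["client"], rec.get("id", "?"))] += 1
    return counts


def clients_blocked(lines, hostname):
    """Sorted list of client addresses denied on one virtual host."""
    return sorted({c for (h, c, _rule) in blocks_by_vhost(lines) if h == hostname})


if __name__ == "__main__":
    for key, n in sorted(blocks_by_vhost(SAMPLE_LOG.splitlines()).items()):
        print(n, *key)
```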