how to block new connections whilst allowing existing established
Hi guys

I run a couple of mirrors serving "tails" over http. Occasionally I need to shut those servers down and reboot (for example I have just upgraded both of them to wheezy). Both servers are reasonably busy (they ship out about 2-3 TiB each per month) and normally have active connections at the time I want to power cycle them.

Connections can (of course) come from anywhere and some people may be on slow lines and may be over half way through a download of one of the 700 meg iso files. If I simply power cycle the server they will likely lose the connection and the download. I'd like to be more friendly than that.

So what I have in mind is some mechanism that I can invoke to prevent new connections being established but permit the existing ones to complete before I switch off. I've thought about cobbling together an iptables script which will change the lines:

    BLAH --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

to

    BLAH --dport 80 -m state --state ESTABLISHED -j ACCEPT

temporarily and then switch it back afterwards. But I have yet to try it.

Before I start playing in earnest, does anyone know of a more elegant solution?

TIA

Mick
---------------------------------------------------------------------
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
---------------------------------------------------------------------
On 26/05/13 20:09, mick wrote:
> Hi guys
>
> I run a couple of mirrors serving "tails" over http. Occasionally I need to shut those servers down and reboot (for example I have just upgraded both of them to wheezy). Both servers are reasonably busy (they ship out about 2-3 TiB each per month) and normally have active connections at the time I want to power cycle them.
>
> Connections can (of course) come from anywhere and some people may be on slow lines and may be over half way through a download of one of the 700 meg iso files. If I simply power cycle the server they will likely lose the connection and the download. I'd like to be more friendly than that.
>
> So what I have in mind is some mechanism that I can invoke to prevent new connections being established but permit the existing ones to complete before I switch off. I've thought about cobbling together an iptables script which will change the lines:
I thought that "apachectl -k graceful-stop" would do this but I've never tried it.

Nev
On Sun, 26 May 2013 23:03:17 +0100 nev young <nev@nevilley.org.uk> allegedly wrote:
> On 26/05/13 20:09, mick wrote:
>
>> So what I have in mind is some mechanism that I can invoke to prevent new connections being established but permit the existing ones to complete before I switch off. I've thought about cobbling together an iptables script which will change the lines:
> I thought that "apachectl -k graceful-stop" would do this but I've never tried it.
>
> Nev
Nev

Many thanks for this. In my case this won't work. I should have said that I use lighttpd, not apache. But your answer pointed me in the right direction anyway.

Searches on "lighttpd apachectl" and "lighttpd run-time control" and (eventually) "lighttpd graceful shutdown" gave me the answer. It turns out that lighty >= 1.4.3 will stop accepting new connections but continue to service existing ones if sent a SIGINT. So a simple script is all I need.

Thanks again.

Cheers

Mick
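The behaviour the thread settles on (stop accepting new connections, keep serving the established ones, then power off once they have finished) as an added toy illustration in Python. It is not code from the thread, from lighttpd or from iptables; a small echo server stands in for the HTTP mirror, and `stop_accepting()` plays the role of SIGINT to lighttpd.

```python
import socket
import threading
import time

class DrainingServer:
    """Toy echo server standing in for lighttpd: accept clients until stop_accepting()
    is called, then refuse new clients but finish serving the established ones."""
    def __init__(self, host="127.0.0.1", port=0):  # port 0: any free port
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind((host, port))
        self.listener.listen(8)
        self.listener.settimeout(0.05)  # poll so the loop notices the stop flag
        self.port = self.listener.getsockname()[1]
        self.active = 0                 # connections currently being served
        self.lock = threading.Lock()
        self.stop = threading.Event()
        self.acceptor = threading.Thread(target=self._accept_loop, daemon=True)
        self.acceptor.start()

    def _accept_loop(self):
        while not self.stop.is_set():
            try:
                conn, _ = self.listener.accept()
            except socket.timeout:
                continue
            with self.lock:
                self.active += 1
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()
        self.listener.close()  # closing the listener is what refuses new clients

    def _serve(self, conn):
        with conn:  # echo until the client closes, i.e. its "download" is done
            for chunk in iter(lambda: conn.recv(4096), b""):
                conn.sendall(chunk)
        with self.lock:
            self.active -= 1

    def stop_accepting(self):  # the equivalent of SIGINT to lighttpd
        self.stop.set()
        self.acceptor.join()

    def drain(self, timeout=5.0):  # True once every established client is done
        self.stop_accepting()
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self.lock:
                if self.active == 0:
                    return True
            time.sleep(0.02)
        return False
```

Only when `drain()` returns True is it safe to reboot; if it returns False some client is still mid-transfer and the operator has to decide whether to wait longer.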