504 Gateway Time-out due to uncertain problem

Keywords: RoundCube - AWS - Technical issue - Application configuration

bnsupport ID: d3fe137e-6772-9160-0617-1649f0a6a78d

bndiagnostic output:

? Apache: Found possible issues
https://docs.bitnami.com/general/apps/wordpress/troubleshooting/debug-errors-apache/

bndiagnostic failure reason: The suggested guides are not related with my issue

Description:
Recently, I have been getting a time-out problem when logging in.
Usually, it works, but sometimes it happens. Where can I find out what’s going on and how to solve it?

Best

Hi @takamizawa,

I checked your bnsupport information and I found some weird requests in the Apache logs.

[Mon Sep 20 22:11:34.649045 2021] [authz_core:error] [pid 15851:tid 140087111173888] [client **ip_address**:64034] AH01630: client denied by server configuration: /opt/bitnami/roundcube/config/getuser
[Mon Sep 20 23:09:58.968512 2021] [authz_core:error] [pid 15851:tid 140086305736448] [client **ip_address**:8540] AH01630: client denied by server configuration: /opt/bitnami/roundcube/config/getuser
[Tue Sep 21 00:57:53.257895 2021] [authz_core:error] [pid 719:tid 140087421409024] [client **ip_address**:24198] AH01630: client denied by server configuration: /opt/bitnami/roundcube/config/getuser

In addition to this, I see there are many requests from a couple of unique IP addresses.

-----------------------------------
Check performance issues: Count number of requests for the 10 most active IP addresses in the last 100.000 requests
-----------------------------------
Running: tail -n 100000 access_log | awk '{print $1}' | sort | uniq -c | sort -nr | head -n 10 | awk '{print $1}'
In: /opt/bitnami/apache2/logs/

Output:

6926
6803
65
55
34
30
14
13
11
10

Can you check if they are bots?

https://docs.bitnami.com/aws/apps/wordpress/troubleshooting/deny-connections-bots-apache/

Apart from that, I don’t see any other performance issue on your server, but you can double check it using our performance troubleshooting guide

https://docs.bitnami.com/aws/faq/troubleshooting/troubleshoot-server-performance/
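An added example (not part of the original posts) that groups the AH01630 denials quoted above by client and denied path, so repeated requests for protected directories stand out. The sample lines are constructed in the same format; the addresses are documentation ranges and the `errors.log` path is a made-up target.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the mod_authz_core denial format quoted in the thread.
DENIED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[authz_core:error\] \[pid [^\]]+\] "
    r"\[client (?P<ip>.+):\d+\] AH01630: client denied by server "
    r"configuration: (?P<path>\S+)"
)

# Constructed sample in that format; addresses are documentation ranges.
SAMPLE = """\
[Mon Sep 20 22:11:34.649045 2021] [authz_core:error] [pid 15851:tid 140087111173888] [client 203.0.113.7:64034] AH01630: client denied by server configuration: /opt/bitnami/roundcube/config/getuser
[Mon Sep 20 23:09:58.968512 2021] [authz_core:error] [pid 15851:tid 140086305736448] [client 203.0.113.7:8540] AH01630: client denied by server configuration: /opt/bitnami/roundcube/config/getuser
[Tue Sep 21 00:57:53.257895 2021] [authz_core:error] [pid 719:tid 140087421409024] [client 198.51.100.23:24198] AH01630: client denied by server configuration: /opt/bitnami/roundcube/logs/errors.log
[Tue Sep 21 01:02:10.000001 2021] [core:notice] [pid 719:tid 140087421409024] AH00094: Command line: 'httpd'
"""


def summarize_denials(lines):
    """Group AH01630 denials by (client, path) with count and first/last time."""
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue  # other modules and severities are out of scope here
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        entry = seen[(m["ip"], m["path"])]
        entry["count"] += 1
        entry["first"] = min(entry["first"] or ts, ts)
        entry["last"] = max(entry["last"] or ts, ts)
    # Most frequent (client, path) pairs first
    return sorted(seen.items(), key=lambda kv: -kv[1]["count"])


if __name__ == "__main__":
    for (ip, path), e in summarize_denials(SAMPLE.splitlines()):
        print(f"{e['count']:>4}  {ip:<15}  {path}  {e['first']} .. {e['last']}")
```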

Thanks for the reply.
I guess maybe some suspicious bot is attacking our mail tool.
Therefore, I’d like to set up basic authentication. Would that be helpful?
If so, where can I set up basic auth in the EC2 Roundcube app?

Hi @takamizawa,

Thanks for your message. Before setting basic auth to your website, I think it is better to understand if your site is under a bot attack. Did you check the link I shared in my previous message?

Sorry to be late. Thank you for the informative comment.
In accordance with your suggestion, I checked whether the poor performance comes from bots.
Here’s the result.

$ test ! -f "/opt/bitnami/common/bin/openssl" && echo "Approach A: Using system packages." || echo "Approach B: Self-contained installation."
Approach A: Using system packages.
:/opt/bitnami/apache2/logs$ tail -n 30000 access_log | awk '{print $1}'| sort| uniq -c| sort -nr| head -n 10
  14472 172.31.23.X
  14456 172.31.38.X
    115 45.146.164.X
     34 178.128.244.X
     34 137.184.109.X
     30 13.208.145.X
     28 107.189.14.X
     24 93.186.199.X
     22 209.141.62.X
     18 54.175.139.X
$ grep "ATTACKER_IP" access_log
(none)

Probably, there’s no bot attack. But I wonder why so many internal accesses (172.31.X.X) have been occurring recently.
I’d appreciate it if you could give some more advice.

I checked these IP addresses. It’s ELB (http/https) access. For the time being, the problem is not a bot issue. Where can I find the cause of the problem?

BTW, this might be a related issue.
Just a while ago, I checked the memory. Here’s the result.

$ free -m
              total        used        free      shared  buff/cache   available
Mem:           3947         521        2968          20         457        3194
Swap:             0           0           0

There’s no swap memory. Could that be the cause of the problem?

Hi @takamizawa,

Thanks for your message. If those IP addresses are well known and they belong to a load balancer you are aware of, then you are right, bots shouldn’t be a problem here. Can you share the content of the file /opt/bitnami/apache/conf/vhosts/htaccess/roundcube-htaccess.conf with us? I’d like to see if this can be related to the error message you are getting on Apache logs.

Regarding the memory and swap question, note that swap memory uses the disk to store information and that it usually has slightly worse performance than real RAM memory. Also notice that, according to the command you shared, your server is currently using only 512MB out of the around 4GB available, so there’s no reason to create a swap memory. Your server has plenty of free RAM available for starting new processes.
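An added example (not code from the thread) that splits an access log into load balancer health checks, requests relayed by the load balancer, and direct clients, which is the question the per-IP counts above leave open. It assumes Apache's combined log format, the `ELB-HealthChecker` user agent sent by AWS load balancer health checks, and that the load balancer nodes sit in 172.31.0.0/16 as in the thread; all log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)
# Assumption: the load balancer nodes live in the VPC range seen in the thread.
LB_NET = ipaddress.ip_network("172.31.0.0/16")

# Constructed sample lines, not taken from the thread.
SAMPLE = """\
172.31.23.10 - - [29/Sep/2021:03:57:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "ELB-HealthChecker/2.0"
172.31.38.20 - - [29/Sep/2021:03:57:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "ELB-HealthChecker/2.0"
172.31.23.10 - - [29/Sep/2021:03:57:07 +0000] "POST /?_task=login HTTP/1.1" 504 247 "-" "Mozilla/5.0"
172.31.38.20 - - [29/Sep/2021:03:57:09 +0000] "GET /?_task=mail HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Sep/2021:03:58:00 +0000] "GET /config/getuser HTTP/1.1" 403 199 "-" "curl/7.68.0"
172.31.23.10 - - [29/Sep/2021:04:10:44 +0000] "POST /?_task=login HTTP/1.1" 504 247 "-" "Mozilla/5.0"
"""


def breakdown(lines):
    """Return (totals per traffic class, Counter of (path, status) relayed by the LB)."""
    totals = Counter()
    relayed = Counter()
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            totals["unparsed"] += 1
            continue
        host, request, status, agent = m.groups()
        try:
            from_lb = ipaddress.ip_address(host) in LB_NET
        except ValueError:  # hostname or masked address in the first field
            from_lb = False
        if from_lb and agent.startswith("ELB-HealthChecker"):
            totals["lb_health_check"] += 1
        elif from_lb:
            totals["relayed_by_lb"] += 1
            parts = request.split()
            relayed[(parts[1] if len(parts) > 1 else request, status)] += 1
        else:
            totals["direct"] += 1
    return totals, relayed
```

For relayed requests the first log field is the load balancer node, not the end client; the client address is only available if the log format records the X-Forwarded-For header that the load balancer adds.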

Thank you for the comment. Here’s the file you requested. It’s a completely standard configuration.
Currently, our problem is happening 4 - 5 times per daytime, which means slow login processing (which finally fails).

<Directory "/opt/bitnami/roundcube/temp">
  # deny webserver access to this directory
  <ifModule mod_authz_core.c>
      Require all denied
  </ifModule>
  <ifModule !mod_authz_core.c>
      Deny from all
  </ifModule>
</Directory>
<Directory "/opt/bitnami/roundcube/logs">
  # deny webserver access to this directory
  <ifModule mod_authz_core.c>
      Require all denied
  </ifModule>
  <ifModule !mod_authz_core.c>
      Deny from all
  </ifModule>
</Directory>
<Directory "/opt/bitnami/roundcube">
  # This is a sample with suggested security and performance options
  
  <IfModule mod_rewrite.c>
  Options +SymLinksIfOwnerMatch
  RewriteEngine On
  RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico
  
  # security rules:
  # - deny access to files not containing a dot or starting with a dot
  #   in all locations except installer directory
  RewriteRule ^(?!installer|\.well-known\/|[a-zA-Z0-9]{16})(\.?[^\.]+)$ - [F]
  # - deny access to some locations
  RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|vendor|program\/(include|lib|localization|steps)) - [F]
  # - deny access to some documentation files
  RewriteRule /?(README.*|meta\.json|composer\..*|jsdeps.json)$ - [F]
  </IfModule>
  
  <IfModule mod_deflate.c>
  SetOutputFilter DEFLATE
  </IfModule>
  
  <IfModule mod_expires.c>
  ExpiresActive On
  ExpiresDefault "access plus 1 month"
  </IfModule>
  
  FileETag MTime Size
  
  <IfModule mod_autoindex.c>
  Options -Indexes
  </IfModule>
  
  <IfModule mod_headers.c>
  # Disable page indexing
  Header set X-Robots-Tag "noindex, nofollow"
  
  # replace 'append' with 'merge' for Apache version 2.2.9 and later
  #Header append Cache-Control public env=!NO_CACHE
  
  # Optional security headers
  # Only provides increased security if the browser supports those features
  # Be careful! Testing is required! They should be adjusted to your installation / user environment
  
  # HSTS - HTTP Strict Transport Security
  #Header always set Strict-Transport-Security "max-age=31536000; preload" env=HTTPS
  
  # HPKP - HTTP Public Key Pinning
  # Only template - fill with your values
  #Header always set Public-Key-Pins "max-age=3600; report-uri=\"\"; pin-sha256=\"\"; pin-sha256=\"\"" env=HTTPS
  
  # X-Xss-Protection
  # This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit). 
  #Header set X-XSS-Protection "1; mode=block"
  
  # X-Frame-Options
  # The X-Frame-Options header (RFC), or XFO header, protects your visitors against clickjacking attacks
  # Already set by php code! Do not activate both options
  #Header set X-Frame-Options SAMEORIGIN
  
  # X-Content-Type-Options
  # It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server.
  #Header set X-Content-Type-Options: "nosniff"
  
  # CSP - Content Security Policy
  # for better privacy/security ask browsers to not set the Referer
  # more flags for script, stylesheets and images available, read RFC for more information
  # Note: "Referrer-Policy: same-origin" is already set by php code.
  #Header set Content-Security-Policy "referrer no-referrer"
  </IfModule>
</Directory>
<Directory "/opt/bitnami/roundcube/config">
  # deny webserver access to this directory
  <ifModule mod_authz_core.c>
      Require all denied
  </ifModule>
  <ifModule !mod_authz_core.c>
      Deny from all
  </ifModule>
</Directory>
<Directory "/opt/bitnami/roundcube/public_html">
  # This configuration has been moved to the /opt/bitnami/apache/conf/vhosts/htaccess/roundcube-htaccess.conf config file for performance and security reasons
</Directory>

Hi @takamizawa,

Thanks for your reply. There is an entry to block access to the config folder, I understand due to security reasons. This explains the error message you are getting in the Apache logs, which is fine.

Can you contact the Roundcube developers for further help on how to debug the issues you are facing?

@gongomgra Thanks for the comment. How can I contact Roundcube developers?

Hi @takamizawa,

Thanks for your message. The official Roundcube community forum is at https://www.roundcubeforum.net/. I understand you can contact the application developers there. You can also take a look at the support page on their website to get other support alternatives:

https://roundcube.net/support/

@gongomgra Thanks for the reply. I have another issue.
I fixed the configuration to track the IMAP log, and I saw some suspicious action in the log.

[29-Sep-2021 03:57:07 +0000]: <bu66sn6o> [145B] Connecting to mail.someserver.com:143..

After this log line shows up, Roundcube becomes slow and finally the error (504 time-out) is shown.

I checked the mail server (mail.someserver.com) log, but no connection activity was found.
I’m wondering what’s going on with this Roundcube server. Is there any firewall inside Roundcube?

If you have any idea, please let me know.
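An added example (not part of the original post) of a connectivity check to run on the Roundcube host when the IMAP log stops at "Connecting to ..": it resolves the mail server name, tries a TCP connection to each address with a timeout, and reads the IMAP greeting. The function name, outcome labels and file name are hypothetical; the host is passed on the command line.

```python
import socket
import sys
import time


def probe_imap(host, port=143, timeout=5.0):
    """Try every address the name resolves to; return [(address, outcome, seconds)].

    Outcomes: 'greeting: <line>', 'unexpected: ...', 'connect-timeout',
    'no-greeting', 'refused', 'dns-failure: ...', 'error: ...'.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [(host, f"dns-failure: {exc}", 0.0)]
    results = []
    for family, socktype, proto, _canon, sockaddr in infos:
        start = time.monotonic()
        connected = False
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
                connected = True
                # An IMAP server speaks first: "* OK ...", "* PREAUTH ..." or "* BYE ..."
                first = sock.recv(512).split(b"\r\n", 1)[0].decode("ascii", "replace")
                outcome = f"greeting: {first}" if first.startswith("* ") else f"unexpected: {first!r}"
        except socket.timeout:
            # Silence usually means packets are dropped on the path
            # (security group, network ACL, host firewall, routing).
            outcome = "no-greeting" if connected else "connect-timeout"
        except ConnectionRefusedError:
            outcome = "refused"  # host reachable, port closed or actively rejected
        except OSError as exc:
            outcome = f"error: {exc}"
        results.append((sockaddr[0], outcome, round(time.monotonic() - start, 2)))
    return results


if __name__ == "__main__":
    # Usage: python3 probe_imap.py <imap-host> [port]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 143
    for address, outcome, seconds in probe_imap(target, port):
        print(f"{address:<40} {outcome} ({seconds}s)")
```

A `connect-timeout` on an address while the mail server logs no connection attempt indicates the packets never reach it, and a name that resolves to several addresses can explain a failure that only happens on some logins.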

Hi @takamizawa,

Thanks for your message. Unfortunately, the bnsupport tool didn’t get the Roundcube config file. Can you check in your config.inc.php file if that server is configured? I launched a fresh new server and I can’t see any reference to mail.someserver.com. The default SMTP server I see there is for Gmail

$config['smtp_server'] = 'tls://smtp.gmail.com';

Apart from that, can you check it with the Roundcube community? Due to our lack of knowledge on how Roundcube works internally, I think they can provide you with better support on this than we can.
