pixl-server-web 1.2.5 → 1.3.3

package/README.md

@@ -1,6 +1,6 @@
 # Overview
 
-This module is a component for use in [pixl-server](https://www.npmjs.com/package/pixl-server).  It implements a simple web server with support for both HTTP and HTTPS, serving static files, and hooks for adding custom URI handlers.
+This module is a component for use in [pixl-server](https://www.github.com/jhuckaby/pixl-server).  It implements a simple web server with support for both HTTP and HTTPS, serving static files, and hooks for adding custom URI handlers.
 
 # Table of Contents
 
@@ -25,6 +25,7 @@ This module is a component for use in [pixl-server](https://www.npmjs.com/packag
 		+ [request](#request)
 		+ [close](#close)
 	* [http_keep_alive_timeout](#http_keep_alive_timeout)
+	* [http_socket_prelim_timeout](#http_socket_prelim_timeout)
 	* [http_max_requests_per_connection](#http_max_requests_per_connection)
 	* [http_gzip_opts](#http_gzip_opts)
 	* [http_enable_brotli](#http_enable_brotli)
@@ -136,7 +137,7 @@ server.startup( function() {
 } );
 ```
 
-Notice how we are loading the [pixl-server](https://www.npmjs.com/package/pixl-server) parent module, and then specifying [pixl-server-web](https://www.npmjs.com/package/pixl-server-web) as a component:
+Notice how we are loading the [pixl-server](https://www.github.com/jhuckaby/pixl-server) parent module, and then specifying [pixl-server-web](https://www.github.com/jhuckaby/pixl-server-web) as a component:
 
 ```js
 components: [
@@ -212,7 +213,7 @@ This param allows you to send back any additional custom HTTP headers with each
 
 ```js
 {
-	http_response_headers: {
+	"http_response_headers": {
 		"X-My-Custom-Header": "12345",
 		"X-Another-Header": "Hello"
 	}
@@ -221,7 +222,27 @@ This param allows you to send back any additional custom HTTP headers with each
 
 ## http_timeout
 
-This sets the idle socket timeout for all incoming HTTP requests.  If omitted, the Node.js default is 2 minutes.  Please specify your value in seconds.
+This sets the idle socket timeout for all incoming HTTP requests, in seconds.  If omitted, the Node.js default is 120 seconds.  Example:
+
+```js
+{
+	"http_timeout": 120
+}
+```
+
+This only applies to reading from sockets when data is expected.  It is an *idle read timeout* on the socket itself, and doesn't apply to request handlers.
+
+## http_request_timeout
+
+This property sets an actual hard request timeout for all incoming requests.  If the total combined request processing, handling and response time exceeds this value, specified in seconds, then the request is aborted and a `HTTP 408 Request Timeout` response is sent back to the client.  This defaults to `0` (disabled).  Example use:
+
+```js
+{
+	"http_request_timeout": 300
+}
+```
+
+Note that this includes request processing time (e.g. receiving uploaded data from a HTTP POST).
 
 ## http_keep_alives
 
@@ -259,19 +280,17 @@ This completely disables Keep-Alives for all connections.  All requests result i
 
 ## http_keep_alive_timeout
 
-This sets the HTTP Keep-Alive idle timeout for all sockets.  If omitted, the Node.js default is 5 seconds.  See [server.keepAliveTimeout](https://nodejs.org/api/http.html#http_server_keepalivetimeout) for details.  Example:
+This sets the HTTP Keep-Alive idle timeout for all sockets, measured in seconds.  If omitted, the Node.js default is 5 seconds.  See [server.keepAliveTimeout](https://nodejs.org/api/http.html#http_server_keepalivetimeout) for details.  Example:
 
 ```js
 {
-	"http_keep_alive_timeout": 5000
+	"http_keep_alive_timeout": 5
 }
 ```
 
-This feature was introduced in Node.js version 8.  Prior to that, the [http_timeout](#http_timeout) was used as the Keep-Alive timeout.
-
 ## http_socket_prelim_timeout
 
-This sets a special preliminary timeout for brand new sockets when they are first connected.  If an HTTP request doesn't come over the socket within this timeout (specified in seconds), then the socket is hard closed.  This timeout should always be set lower than the [http_timeout](#http_timeout) if used.  This defaults to `0` (disabled).  Example use:
+This sets a special preliminary timeout for brand new sockets when they are first connected, measured in seconds.  If an HTTP request doesn't come over the socket within this timeout (specified in seconds), then the socket is hard closed.  This timeout should always be set lower than the [http_timeout](#http_timeout) if used.  This defaults to `0` (disabled).  Example use:
 
 ```js
 {
@@ -281,6 +300,8 @@ This sets a special preliminary timeout for brand new sockets when they are firs
 
 The idea here is to prevent certain DDoS-style attacks, where an attacker opens a large amount of TCP connections without sending any requests over them.
 
+**Note:** Do not enable this feature if you attach a WebSocket server such as [ws](https://github.com/websockets/ws).
+
 ## http_max_requests_per_connection
 
 This allows you to set a maximum number of requests to allow per Keep-Alive connection.  It defaults to `0` which means unlimited.  If set, and the maximum is reached, a `Connection: close` header is returned, politely asking the client to close the connection.  It does not actually hard-close the socket.  Example:
@@ -520,7 +541,7 @@ server.WebServer.addURIHandler( /^\/custom\/match\/$/i, 'Custom2', function(args
 
 Your handler function is passed exactly two arguments.  First, an `args` object containing all kinds of useful information about the request (see [args](#args) below), and a callback function that you must call when the request is complete and you want to send a response.
 
-If you specified a regular expression with paren groups for the URI, the matches array will be included in the `args` object as `args.matches`.  Using this you can extract your matched groups from the URI, for e.g. `/^\/api\/(\w+)/`.
+If you specified a regular expression with parenthesis groups for the URI, the matches array will be included in the `args` object as `args.matches`.  Using this you can extract your matched groups from the URI, for e.g. `/^\/api\/(\w+)/`.
 
 Note that by default, URIs are only matched on their path portion (i.e. sans query string).  To include the query string in URI matches, set the [http_full_uri_match](#http_full_uri_match) configuration property to `true`.
 
@@ -788,12 +809,16 @@ var session_id = args.cookies['session_id'];
 
 ### args.perf
 
-This is a reference to a [pixl-perf](https://www.npmjs.com/package/pixl-perf) object, which is used internally by the web server to track performance metrics for the request.  The metrics may be logged at the end of each request (see [Logging](#logging) below) and included in the stats (see [Stats](#stats) below).
+This is a reference to a [pixl-perf](https://www.github.com/jhuckaby/pixl-perf) object, which is used internally by the web server to track performance metrics for the request.  The metrics may be logged at the end of each request (see [Logging](#logging) below) and included in the stats (see [Stats](#stats) below).
 
 ### args.server
 
 This is a reference to the pixl-server object which handled the request.
 
+### args.id
+
+This is an internal ID string used by the server to track and log individual requests.
+
 ## Request Filters
 
 Filters allow you to preprocess a request, before any handlers get their hands on it.  They can pass data through, manipulate it, or even interrupt and abort requests.  Filters are attached to particular URIs or URI patterns, and multiple may be applied to one request, depending on your rules.  They can be asynchronous, and can also pass data between one another if desired.
@@ -897,7 +922,7 @@ Here are descriptions of the data JSON properties:
 | `host` | The hostname from the request URL. |
 | `perf` | Performance metrics, see below. |
 
-The `perf` object contains performance metrics for the request, as returned from the [pixl-perf](https://www.npmjs.com/package/pixl-perf) module.  It includes a `scale` property denoting that all the metrics are displayed in milliseconds (i.e. `1000`).  The metrics themselves are in the `perf` object, and counters such as the number of bytes in/out are in the `counters` object.
+The `perf` object contains performance metrics for the request, as returned from the [pixl-perf](https://www.github.com/jhuckaby/pixl-perf) module.  It includes a `scale` property denoting that all the metrics are displayed in milliseconds (i.e. `1000`).  The metrics themselves are in the `perf` object, and counters such as the number of bytes in/out are in the `counters` object.
 
 If you only want to log *some* requests, but not all of them, you can specify a regular expression in the [http_regex_log](#http_regex_log) configuration property, which is matched against the incoming request URIs.  Example:
 
@@ -1111,7 +1136,7 @@ The `recent` array is a sorted list of the last 10 completed requests (most rece
 | `host` | String | The hostname from the request URL. |
 | `ips` | Array | The array of client IPs, including proxy IPs. |
 | `ua` | String | The client's `User-Agent` string. |
-| `perf` | Object | A [pixl-perf](https://www.npmjs.com/package/pixl-perf) performance metrics object containing stats for the request. |
+| `perf` | Object | A [pixl-perf](https://www.github.com/jhuckaby/pixl-perf) performance metrics object containing stats for the request. |
 
 If you would like more than 10 requests, set the [http_recent_requests](#http_recent_requests) configuration property to the number you want.
 
@@ -1126,7 +1151,7 @@ The `queue` object contains information about the request queue.  This includes
 
 ## Including Custom Stats
 
-To include your own application-level metrics in the `getStats()` output, a [pixl-perf](https://www.npmjs.com/package/pixl-perf) performance tracker is made available to your URI handler code via `args.perf`.  you can call `begin()` and `end()` on this object directly, to measure your own operations:
+To include your own application-level metrics in the `getStats()` output, a [pixl-perf](https://www.github.com/jhuckaby/pixl-perf) performance tracker is made available to your URI handler code via `args.perf`.  you can call `begin()` and `end()` on this object directly, to measure your own operations:
 
 ```js
 server.WebServer.addURIHandler( '/my/custom/uri', 'Custom Name', function(args, callback) {
@@ -1147,7 +1172,7 @@ server.WebServer.addURIHandler( '/my/custom/uri', 'Custom Name', function(args,
 
 Please do not call `begin()` or `end()` without arguments, as that will mess up the existing performance tracking.  Also, make sure you prefix your perf keys so you don't collide with the built-in ones.
 
-Alternatively, you can use your own private [pixl-perf](https://www.npmjs.com/package/pixl-perf) object, and then "import" it into the `args.perf` object at the very end of your handler code, just before you fire the callback.  Example:
+Alternatively, you can use your own private [pixl-perf](https://www.github.com/jhuckaby/pixl-perf) object, and then "import" it into the `args.perf` object at the very end of your handler code, just before you fire the callback.  Example:
 
 ```js
 my_perf.end();
@@ -1156,7 +1181,7 @@ args.perf.import( my_perf, "app_" );
 
 This would import all your metrics and prefix the keys with `app_`.
 
-See the [pixl-perf](https://www.npmjs.com/package/pixl-perf) documentation for more details on how to use the tracker.
+See the [pixl-perf](https://www.github.com/jhuckaby/pixl-perf) documentation for more details on how to use the tracker.
 
 ## Stats URI Handler
 
@@ -1293,7 +1318,7 @@ Certbot produces its own log file here: `/var/log/letsencrypt/letsencrypt.log`
 
 **The MIT License (MIT)**
 
-*Copyright (c) 2015 - 2019 Joseph Huckaby.*
+*Copyright (c) 2015 - 2021 Joseph Huckaby.*
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/lib/http.js

@@ -161,6 +161,7 @@ module.exports = class HTTP {
 				});
 				delete self.conns[ id ];
 				self.numConns--;
+				socket._pixl_data.aborted = true;
 			} );
 		} );
 		
@@ -175,6 +176,7 @@ module.exports = class HTTP {
 			}
 			
 			var err_args = {
+				id: args.id,
 				ip: socket.remoteAddress,
 				ips: args.ips,
 				state: args.state,

package/lib/https.js

@@ -159,6 +159,7 @@ module.exports = class HTTP2 {
 				});
 				delete self.conns[ id ];
 				self.numConns--;
+				socket._pixl_data.aborted = true;
 			} );
 		} );
 		
@@ -173,6 +174,7 @@ module.exports = class HTTP2 {
 			}
 			
 			var err_args = {
+				id: args.id,
 				ip: socket.remoteAddress,
 				ips: args.ips,
 				state: args.state,

package/lib/request.js

@@ -13,6 +13,8 @@ module.exports = class Request {
 	enqueueHTTPRequest(request, response) {
 		// enqueue request for handling as soon as concurrency limits allow
 		var args = {
+			id: this.getNextId('r'),
+			date: Date.now() / 1000,
 			request: request,
 			response: response
 		};
@@ -23,7 +25,7 @@ module.exports = class Request {
 			var ip = args.ip = this.getPublicIP(ips);
 			
 			this.logError(503, "Server is shutting down, denying request from: " + ip, 
-				{ ips: ips, uri: request.url, headers: request.headers }
+				{ id: args.id, ips: ips, uri: request.url, headers: request.headers }
 			);
 			
 			args.perf = new Perf();
@@ -35,6 +37,7 @@ module.exports = class Request {
 		// allow special URIs to skip the line
 		if (this.queueSkipMatch && request.url.match(this.queueSkipMatch)) {
 			this.logDebug(8, "Bumping request to front of queue: " + request.url);
+			this.requests[ args.id ] = args;
 			this.queue.unshift(args);
 			return;
 		}
@@ -45,6 +48,7 @@ module.exports = class Request {
 			var ip = args.ip = this.getPublicIP(ips);
 			
 			this.logError(429, "Queue is maxed out (" + this.queue.running() + " active reqs), denying new request from: " + ip, { 
+				id: args.id,
 				ips: ips, 
 				uri: request.url, 
 				headers: request.headers,
@@ -65,6 +69,7 @@ module.exports = class Request {
 			var ip = args.ip = this.getPublicIP(ips);
 			
 			this.logError(429, "Queue is maxed out (" + this.queue.length() + " pending reqs), denying new request from: " + ip, { 
+				id: args.id,
 				ips: ips, 
 				uri: request.url, 
 				headers: request.headers,
@@ -79,15 +84,47 @@ module.exports = class Request {
 			return;
 		}
 		
+		this.requests[ args.id ] = args;
 		this.queue.push(args);
 	}
 	
 	parseHTTPRequest(args, callback) {
 		// handle raw http request
+		// (async dequeue handler function)
 		var self = this;
 		var request = args.request;
 		var response = args.response;
-		args.callback = callback;
+		
+		// all requests will end up in this callback here
+		args.callback = function() {
+			if (args.timer) { clearTimeout(args.timer); delete args.timer; }
+			delete self.requests[ args.id ];
+			callback();
+		};
+		
+		// add timer for request timeout
+		if (this.config.get('http_request_timeout')) {
+			args.timer = setTimeout( function() {
+				// request took too long
+				delete args.timer;
+				
+				self.logError(408, "Request timed out: " + self.config.get('http_request_timeout') + " seconds", {
+					id: args.id,
+					socket: request.socket._pixl_data.id,
+					ips: args.ips,
+					url: self.getSelfURL(args.request, request.url) || request.url,
+					state: args.state
+				});
+				
+				self.sendHTTPResponse( args, 
+					"408 Request Timeout", 
+					{ 'Content-Type': "text/html" }, 
+					"408 Request Timeout: " + self.config.get('http_request_timeout') + " seconds.\n"
+				);
+				
+				self.deleteUploadTempFiles(args);
+			}, this.config.get('http_request_timeout') * 1000 );
+		}
 		
 		// check for early abort (client error)
 		if (request.socket._pixl_data.aborted) {
@@ -102,6 +139,7 @@ module.exports = class Request {
 		var ip = this.getPublicIP(ips);
 		
 		this.logDebug(8, "New HTTP request: " + request.method + " " + request.url + " (" + ips.join(', ') + ")", {
+			id: args.id,
 			socket: request.socket._pixl_data.id,
 			version: request.httpVersion
 		});
@@ -156,7 +194,7 @@ module.exports = class Request {
 		if (this.server.shut) {
 			// server is shutting down, deny new requests
 			this.logError(503, "Server is shutting down, denying request from: " + ip, 
-				{ ips: ips, uri: request.url, headers: request.headers }
+				{ id: args.id, ips: ips, uri: request.url, headers: request.headers }
 			);
 			this.sendHTTPResponse( args, "503 Service Unavailable", {}, "503 Service Unavailable (server shutting down)" );
 			return;
@@ -181,12 +219,12 @@ module.exports = class Request {
 			
 			if (content_type.match(/(multipart|urlencoded)/i) && !content_encoding) {
 				// use formidable for the heavy lifting
-				var form = new Formidable.IncomingForm({
+				var form = Formidable({
 					keepExtensions: true,
 					maxFieldsSize: self.config.get('http_max_upload_size'),
 					maxFileSize: self.config.get('http_max_upload_size'),
-					hash: false,
-					uploadDir: self.config.get('http_temp_dir')
+					uploadDir: self.config.get('http_temp_dir'),
+					allowEmptyFiles: self.config.get('http_allow_empty_files') || false
 				});
 				
 				form.on('progress', function(bytesReceived, bytesExpected) {
@@ -199,15 +237,30 @@ module.exports = class Request {
 				form.parse(request, function(err, _fields, _files) {
 					args.perf.end('read');
 					if (err) {
-						self.logError(400, "Error processing data from: " + ip + ": " + request.url + ": " + err, 
-							{ ips: ips, uri: request.url, headers: request.headers }
+						self.logError(400, "Error processing data from: " + ip + ": " + request.url + ": " + (err.message || err), 
+							{ id: args.id, ips: ips, uri: request.url, headers: request.headers }
 						);
 						self.sendHTTPResponse( args, "400 Bad Request", {}, "400 Bad Request" );
 						return;
 					}
 					else {
 						args.params = _fields || {};
-						args.files = _files || {};
+						
+						// restore original formidable v1 API for our files
+						args.files = {};
+						if (_files) {
+							for (var key in _files) {
+								var file = _files[key];
+								args.files[key] = {
+									path: file.filepath,
+									type: file.mimetype,
+									name: file.originalFilename,
+									size: file.size,
+									mtime: file.mtime || file.lastModifiedDate
+								};
+							}
+						}
+						
 						self.filterHTTPRequest(args);
 					}
 				} );
@@ -230,7 +283,7 @@ module.exports = class Request {
 					});
 					if (total_bytes > bytesMax) {
 						self.logError(413, "Error processing data from: " + ip + ": " + request.url + ": Max data size exceeded", 
-							{ ips: ips, uri: request.url, headers: request.headers }
+							{ id: args.id, ips: ips, uri: request.url, headers: request.headers }
 						);
 						request.socket.end();
 						
@@ -253,7 +306,7 @@ module.exports = class Request {
 						}
 						catch (e) {
 							self.logError(400, "Error processing data from: " + ip + ": " + request.url + ": Failed to parse JSON: " + e, 
-								{ ips: ips, uri: request.url, headers: request.headers, body: body.toString() }
+								{ id: args.id, ips: ips, uri: request.url, headers: request.headers, body: body.toString() }
 							);
 							self.sendHTTPResponse( args, "400 Bad Request", {}, "400 Bad Request" );
 							return;
@@ -300,7 +353,7 @@ module.exports = class Request {
 		// use async to allow filters to run in sequence
 		async.eachSeries( filters,
 			function(filter, callback) {
-				self.logDebug(8, "Invoking filter for request: " + args.request.method + ' ' + uri + ": " + filter.name);
+				self.logDebug(8, "Invoking filter for request: " + args.request.method + ' ' + uri + ": " + filter.name, { id: args.id });
 				
 				args.perf.begin('filter');
 				filter.callback( args, function() {
@@ -381,7 +434,7 @@ module.exports = class Request {
 		}
 		
 		if (handler) {
-			this.logDebug(6, "Invoking handler for request: " + args.request.method + ' ' + uri + ": " + handler.name);
+			this.logDebug(6, "Invoking handler for request: " + args.request.method + ' ' + uri + ": " + handler.name, { id: args.id });
 			
 			// Check ACL here
 			if (handler.acl) {
@@ -392,6 +445,7 @@ module.exports = class Request {
 				else {
 					// nope
 					this.logError(403, "Forbidden: IP addresses rejected by ACL: " + args.ips.join(', '), {
+						id: args.id,
 						acl: handler.acl.toString(),
 						useragent: args.request.headers['user-agent'] || '',
 						referrer: args.request.headers['referer'] || '',

package/lib/response.js

@@ -28,6 +28,7 @@ module.exports = class Response {
 			socket_data.total_elapsed = (new Date()).getTime() - socket_data.time_start;
 			socket_data.url = this.getSelfURL(request, request.url) || request.url;
 			socket_data.ips = args.ips;
+			socket_data.req_id = args.id;
 			if (this.config.get('http_log_socket_errors')) {
 				this.logError('socket', "Socket closed unexpectedly: " + socket_data.id, socket_data);
 			}
@@ -98,7 +99,7 @@ module.exports = class Response {
 		
 		response.on('finish', function() {
 			// response actually completed writing
-			self.logDebug(9, "Response finished writing to socket");
+			self.logDebug(9, "Response finished writing to socket", { id: args.id });
 			
 			// guess number of bytes in response header, minus data payload
 			args.perf.count('bytes_out', ("HTTP " + args.http_code + " OK\r\n").length);
@@ -120,6 +121,7 @@ module.exports = class Response {
 				// socket closed during active response
 				if (self.config.get('http_log_socket_errors')) {
 					self.logError('socket', "Socket connection terminated unexpectedly during response", {
+						id: args.id,
 						ips: args.ips,
 						useragent: request.headers['user-agent'] || '',
 						referrer: request.headers['referer'] || '',
@@ -136,6 +138,7 @@ module.exports = class Response {
 		if (is_stream) {
 			body.on('error', function(err) {
 				self.logError('stream', "Stream error serving response: " + request.url + ": " + err.message, {
+					id: args.id,
 					ips: args.ips,
 					useragent: request.headers['user-agent'] || '',
 					referrer: request.headers['referer'] || '',
@@ -260,7 +263,7 @@ module.exports = class Response {
 					response.end();
 				}
 			}
-			this.logDebug(9, "Request complete");
+			this.logDebug(9, "Request complete", { id: args.id });
 		}
 	}
 	
@@ -301,6 +304,7 @@ module.exports = class Response {
 		// write to access log
 		if (this.logRequests && args.request.url.match(this.regexLogRequests)) {
 			this.logTransaction( 'HTTP ' + args.http_code + ' ' + args.http_status, args.request.url, {
+				id: args.id,
 				proto: args.request.headers['ssl'] ? 'https' : socket_data.proto,
 				ips: args.ips,
 				host: args.request.headers['host'] || '',
@@ -312,6 +316,7 @@ module.exports = class Response {
 		// keep a list of the most recent N requests
 		if (this.keepRecentRequests) {
 			this.recent.unshift({
+				id: args.id,
 				when: (new Date()).getTime() / 1000,
 				proto: args.request.headers['ssl'] ? 'https' : socket_data.proto,
 				port: socket_data.port,

package/lib/static.js

@@ -164,13 +164,13 @@ module.exports = class Static {
 	parseByteRange(req, stat) {
 		// parse byte range header from request
 		// Example header: Range: bytes=31-49
-        const byteRange = {
-            from: 0,
-            to: 0
-        }
+		const byteRange = {
+			from: 0,
+			to: 0
+		}
 		
-        let rangeHeader = req.headers['range'];
-        const flavor = 'bytes=';
+		let rangeHeader = req.headers['range'];
+		const flavor = 'bytes=';
 		
 		if (rangeHeader && rangeHeader.startsWith(flavor) && !rangeHeader.includes(',')) {
 			// Parse
@@ -193,7 +193,7 @@ module.exports = class Static {
 			}
 		}
 		
-        return null;
-    }
+		return null;
+	}
 	
 };

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "pixl-server-web",
-	"version": "1.2.5",
+	"version": "1.3.3",
 	"description": "A web server component for the pixl-server framework.",
 	"author": "Joseph Huckaby <jhuckaby@gmail.com>",
 	"homepage": "https://github.com/jhuckaby/pixl-server-web",
@@ -24,7 +24,7 @@
 		"pixl-perf": "^1.0.0",
 		"pixl-acl": "^1.0.1",
 		"class-plus": "^1.0.0",
-		"formidable": "1.2.1",
+		"formidable": "2.0.1",
 		"errno": "0.1.7",
 		"stream-meter": "1.0.4",
 		"async": "3.2.0",

package/test/test.js

@@ -186,6 +186,20 @@ module.exports = {
 			);
 		},
 		
+		function testBadRequest(test) {
+			// test bad HTTP GET request to webserver backend
+			// this still resolves to the root dir index due to the ../
+			request.get( 'http://127.0.0.1:3020/%0ASet-Cookie%3Acrlfinjection/../',
+				function(err, resp, data, perf) {
+					test.ok( !err, "No error from PixlRequest: " + err );
+					test.ok( !!resp, "Got resp from PixlRequest" );
+					test.ok( resp.statusCode == 200, "Got 200 response: " + resp.statusCode );
+					test.ok( resp.headers['via'] == "WebServerTest 1.0", "Correct Via header: " + resp.headers['via'] );
+					test.done();
+				} 
+			);
+		},
+		
 		// query string
 		function testQueryString(test) {
 			// test simple HTTP GET request with query string
@@ -707,6 +721,22 @@ module.exports = {
 			);
 		},
 		
+		// Error (Back-end Timeout)
+		function testBackEndTimeout(test) {
+			var self = this;
+			var web = this.web_server;
+			web.config.set('http_request_timeout', 0.5); // 500ms
+			
+			request.get( 'http://127.0.0.1:3020/sleep?ms=750', {},
+				function(err, resp, data, perf) {
+					web.config.set('http_request_timeout', 0); // reset timeout
+					test.ok( !err, "Unexpected error from PixlRequest: " + err );
+					test.ok( resp.statusCode == 408, "Unexpected HTTP response code: " + resp.statusCode );
+					test.done();
+				} 
+			);
+		},
+		
 		// static file get
 		// check ttl, check gzip
 		function testStaticTextRequest(test) {

package/web_server.js

@@ -56,7 +56,8 @@ module.exports = Class({
 		http_queue_skip_uri_match: false,
 		http_clean_headers: false,
 		http_log_socket_errors: true,
-		http_full_uri_match: false
+		http_full_uri_match: false,
+		http_request_timeout: 0
 	},
 	
 	conns: null,
@@ -82,6 +83,7 @@ class WebServer extends Component {
 		
 		// setup connections and handlers
 		this.conns = {};
+		this.requests = {};
 		this.uriFilters = [];
 		this.uriHandlers = [];
 		this.methodHandlers = [];
@@ -354,13 +356,31 @@ class WebServer extends Component {
 		if (this.http) {
 			this.logDebug(2, "Shutting down HTTP server");
 			
+			for (var id in this.requests) {
+				var args = this.requests[id];
+				this.logDebug(4, "Request still active: " + args.id, {
+					id: args.id,
+					ips: args.ips,
+					uri: args.request ? args.request.url : '',
+					headers: args.request ? args.request.headers : {},
+					socket: (args.request && args.request.socket && args.request.socket._pixl_data) ? args.request.socket._pixl_data.id : '',
+					stats: args.state,
+					date: args.date,
+					age: (Date.now() / 1000) - args.date
+				});
+				if (args.callback) {
+					args.callback();
+					delete args.callback;
+				}
+			} // foreach req
+			
 			for (var id in this.conns) {
-				this.logDebug(9, "Closing HTTP connection: " + id);
+				this.logDebug(4, "Closing HTTP connection: " + id);
 				// this.conns[id].destroy();
 				this.conns[id].end();
 				this.conns[id].unref();
 				this.numConns--;
-			}
+			} // foreach conn
 			
 			this.http.close( function() { self.logDebug(3, "HTTP server has shut down."); } );
 			
@@ -369,6 +389,7 @@ class WebServer extends Component {
 			}
 			// delete this.http;
 			
+			this.requests = {};
 			this.queue.kill();
 		}