Gateway 504 issue

[mmd-osm]

Follow up issue for tyrasd/overpass-turbo#171 (comment)

The server responds with a Failed to load resource: the server responded with a status of 504 (Gateway Timeout) error after a couple of minues, but doesn't send an Access-Control-Allow-Origin HTTP-header with the error message. Therefore the site's javascript code isn't even allowed to access the error code, resulting in the very generic error message above.

[mmd-osm]

Unfortunately, this is a bigger issue. As far as it looks, the software sends the header.

That's not quite clear, imho. The HTTP 504 error message is being generated by Apache due to a CGI timeout. Hence the interpreter doesn't have a chance to send the CORS header. That's NOT the same HTTP 504 error, which is created in web_output.cc as a result of a "::timeout" (server is overcrowded).

Here's the response as seen in wireshark:

HTTP/1.1 504 Gateway Timeout
Date: Tue, 21 Jul 2015 20:31:04 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 327
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>504 Gateway Timeout</title>
</head><body>
<h1>Gateway Timeout</h1>
<p>The gateway did not receive a timely response
from the upstream server or application.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at overpass-api.de Port 80</address>
</body></html>

There are two topics here which need to be addressed:

1. Prevent CGI timeout, by increasing corresponding timeout value in apache config (see apache docs)
2. Missing CORS headers make error message inaccessible for overpass turbo, etc.

Regarding the error message:

CORS headers could be set via .htaccess (see http://enable-cors.org/server_apache.html). However, this competes with the headers we've already added in web_output.cc. Firefox as an example returns an error message, if Access-Control-Allow-Origin occurs twice in the HTTP header (even when it's the same value).

On the other hand, some of the error messages are solely created on by apache, so it could make sense to move the whole Access-Control-Allow-Origin: *, etc. part to the apache config instead.

(just an example for .htaccess:)

Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Max-Age "600"
Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"

See also http://awesometoast.com/cors/

Question: can we provide some kind of (compile time?) flag for web_output.cc to not send any CORS header?

Due to a number of dependencies, this topic probably has to wait until the out_csv_finetuning branch is done and eventually merged into master.

[matkoniecz]

How 504 should be interpreted as user?

"internal bug, retry immediately"?

"you are overusing service, sleep for several minutes and retry"?

[mmd-osm]

Apache has hit its timeout value, b/c Overpass didn't respond in time. So either there's too much load on the server, or your query is simply too large and takes too much time. I'd recommend to double check your query first. Maybe run it on a smaller area, split it up into smaller chunks, something along those lines (depends on your query, obviously).