httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <rpl...@apache.org>
Subject Re: Improving documentation / configuration as a result of report 38123
Date Tue, 17 Jan 2006 16:20:36 GMT


On 01/17/2006 03:26 PM, Joshua Slive wrote:
> On 1/17/06, Ruediger Pluem <rpluem@apache.org> wrote:


[..cut..]


>>1. I think the comment
>>
>>   "It is not set any lower by default because there may still be odd places
>>    in the code where the timer is not reset when a packet is sent."
>>
>>   on http://httpd.apache.org/docs/2.0/en/mod/core.html#timeout
>>
>>   is not valid for 2.0.x and up. AFAIK the Timeout was implemented in 1.3
>>   with the help of the alarm function which justifies this remark, but this
>>   is no longer true since 2.0 where poll is used.
> 
> 
> +1  I think we'd at least prefer that if any of these edge cases still
> exist in the code, they be treated as bugs and not expected behavior.
> 

I will remove it once there is an agreement on a new default value for Timeout.

> 
>>2. There should be a section on the Security Tips page that mentions this
>>   issue and makes some remarks on it.
> 
> 
> +1  Although you'll note that the security tips page is really just a
> big mess.  It needs someone with some real-world knowledge to point
> out what is important.

I just clashed with your commit :-). I will have a look at your draft and add
my things to it.

[..cut..]

> 
> That sounds like a little too drastic a change to me without testing
> to back it up.  Pehaps 60 would be a good intermediate step.  One

This is also fine with me. Lets see what others think.

> problem is that TimeOut applies to to many different things.  Why
> should the timeout waiting for CGI output and the timeout waiting for
> the network be the same?  It would be nice to have more fine-grained
> control.

Yes, that would be really nice, but some work needs to be done to reach this.

> 
> (And it would also be nice to unify all the different timeouts used by
> the server in some way; ie, "TimeOut cgi=60 request=5 ldap=10 dav=50",
> etc.  But perhaps that is asking for too much.)

I prefer separate directives for each of these areas.

Regards

RĂ¼diger


Mime
View raw message