httpd-dev mailing list archives

From "Ivan Ristic" <>
Subject Re: Limiting response body length
Date Tue, 13 Feb 2007 14:01:37 GMT
On 2/13/07, Nick Kew <> wrote:
> On Tue, 13 Feb 2007 11:30:32 +0000
> "Ivan Ristic" <> wrote:
> > No. If there's no C-L ModSecurity will count the bytes as they arrive.
> > If there are too many the entire response will be blocked with 500
> > (and the error page sent to the client).
> That's a tradeoff you make against performance.

Of course it's a tradeoff. Isn't everything?

> I would consider
> it unacceptable to buffer entire requests or responses at a proxy.

That depends entirely on the system's security requirements. Some people
require the screening/prevention functionality. Some people, such as
yourself, don't. It's for everyone to consider what they want, along
with the implications, and make their decisions accordingly.

> At best it's a big performance hit; at worst it's a DoS-magnet.

Don't be so dramatic :) Every single new feature added to a web server
is a performance hit and a DoS magnet. And yet there's plenty of sites
that moved on from static files! The ingredients matter but it's how
you build it that counts.

I have made it a point to document everything there is to know about
ModSecurity. It's what it is. I built it because it was fun and
because I could. People should make up their own minds. I am fine either

> --
> Nick Kew
> Application Development with Apache - the Apache Modules Book

Ivan Ristic
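
An added example, not part of the message above and not ModSecurity's code: a minimal C sketch of the behaviour described in the thread, where a response without Content-Length is counted as it arrives and blocked with 500 once it exceeds a limit. All type and function names are hypothetical, and the input in `main` is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical names throughout; a sketch, not ModSecurity's implementation. */
typedef struct {
    size_t limit;   /* most body bytes the screen will ever hold */
    size_t used;    /* bytes buffered so far */
    int    status;  /* 0 while undecided, otherwise the HTTP status to send */
    char  *buf;     /* allocated once at 'limit' bytes, so memory is bounded */
} body_screen;

/* content_length < 0 means the backend sent no C-L header. */
int screen_init(body_screen *s, size_t limit, long content_length) {
    memset(s, 0, sizeof *s);
    s->limit = limit;
    /* A declared length over the limit is rejected before buffering anything. */
    if (content_length >= 0 && (unsigned long)content_length > limit)
        return s->status = 500;
    s->buf = malloc(limit ? limit : 1);
    if (s->buf == NULL) s->status = 500;
    return s->status;
}

/* Feed one chunk as it arrives: 0 to continue, 500 once the body is blocked. */
int screen_feed(body_screen *s, const char *data, size_t len) {
    if (s->status != 0) return s->status;
    /* Compare against remaining room so the check cannot overflow size_t. */
    if (len > s->limit - s->used) {
        free(s->buf);   /* discard held bytes: none of the body reaches the client */
        s->buf = NULL;
        s->used = 0;
        return s->status = 500;
    }
    memcpy(s->buf + s->used, data, len);
    s->used += len;
    return 0;
}

/* End of stream: 200 means buf[0..used) may be inspected, sent, then freed. */
int screen_finish(body_screen *s) {
    if (s->status == 0) s->status = 200;
    return s->status;
}

int main(void) {   /* constructed input: 9 bytes against an 8-byte limit */
    body_screen s;
    screen_init(&s, 8, -1);
    screen_feed(&s, "abcdef", 6);
    return screen_feed(&s, "ghi", 3) == 500 ? 0 : 1;
}
```

Because the buffer never grows past `limit`, the memory cost per response is fixed; the latency cost of holding the body until `screen_finish` is the tradeoff the thread is arguing about.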
