httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: mod_reqtimeout: mitigating against slowloris-style attack (different approach)
Date Tue, 01 Sep 2009 19:09:50 GMT


On 09/01/2009 04:26 PM, Torsten Foertsch wrote:
> On Tue 01 Sep 2009, Stefan Fritsch wrote:
>> http://www.sfritsch.de/mod_reqtimeout/mod_reqtimeout.c
>>
>> Any comments are welcome.
> 
> Just a few thoughts:
> 
> - You use GLOBAL_ONLY in ap_check_cmd_context. That means the directive 
> must not appear in vhost context. AFAIK, conn->base_server reflects the 
> vhost in a pre connection hook if it is IP-based. So, why don't you 
> allow for RequestTimeout to be valid in ip-based vhost context? That 
> way the protocol problem is solved, isn't it?
> 
> - Wouldn't RequestTimeout better be named RequestHeaderTimeout or 
> ReadRequestHeaderTimeout? RequestTimeout is a bit misleading (IMHO). 
> My first thought was: That thing limits the whole transaction.


Nice module. +1 to the comments above.

Regards

Rüdiger

