httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: mod_reqtimeout: mitigating against slowloris-style attack (different approach)
Date Tue, 01 Sep 2009 20:27:12 GMT


On 09/01/2009 10:16 PM, Stefan Fritsch wrote:
> On Tuesday 01 September 2009, Ruediger Pluem wrote:
>> On 09/01/2009 04:26 PM, Torsten Foertsch wrote:
>>> On Tue 01 Sep 2009, Stefan Fritsch wrote:
>>>> http://www.sfritsch.de/mod_reqtimeout/mod_reqtimeout.c
>>>>
>>>> Any comments are welcome.
>>> Just a few thoughts:
>>>
>>> - You use GLOBAL_ONLY in ap_check_cmd_context. That means the
>>> directive must not appear in vhost context. AFAIK,
>>> conn->base_server reflects the vhost in a pre connection hook if
>>> it is IP-based. So, why don't you allow for RequestTimeout to be
>>> valid in ip-based vhost context? That way the protocol problem is
>>> solved, isn't it?
>>>
>>> - Wouldn't RequestTimeout better be named RequestHeaderTimeout or
>>> ReadRequestHeaderTimeout? RequestTimeout is a bit misleading
>>> (IMHO). My first thought was: That thing limits the whole
>>> transaction.
>> Nice module. +1 to the comments above.
> 
> Thanks to everyone commenting so far. I have changed these two things 
> and uploaded the new version to the same place.

Thanks for the update. I guess

reqtimeout_after_body

also needs to be updated to the assert / do nothing if not configured
logic like reqtimeout_after_headers

Regards

Rüdiger
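
The distinction this thread turns on, shown as an added example that is not code from mod_reqtimeout or httpd: a per-read idle timeout restarts with every byte received, so a client that trickles its request header one byte at a time holds a worker for as long as it likes, whereas a deadline on receiving the complete request header (what the module's header-timeout directive is for) drops the connection after a fixed budget no matter how the bytes are paced. The timeout values, the drip interval and the sample request line are constructed for the demo; both readers run against the same slow client over a local socketpair.

```python
"""Header-read deadline versus per-read idle timeout.

Added example for this thread; it is not code from mod_reqtimeout or
httpd.  Everything below (timeouts, drip interval, sample request) is
constructed so the demo runs offline over a socketpair.
"""
import socket
import threading
import time

SAMPLE_HEADER = b"GET / HTTP/1.0\r\n\r\n"   # constructed request header
DRIP_INTERVAL = 0.1     # slow client: one byte every 100 ms
IDLE_TIMEOUT = 0.5      # per-read idle timeout, restarted by every byte
HEADER_DEADLINE = 0.5   # total budget for the complete request header
MAX_HEADER = 8192


def read_header_idle_timeout(conn, idle_timeout):
    """Weak: the clock restarts on every byte received.

    A client that sends one byte per (idle_timeout - epsilon) seconds is
    never disconnected, so a few hundred such sockets tie up the worker pool.
    """
    conn.settimeout(idle_timeout)
    buf = b""
    while b"\r\n\r\n" not in buf:
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return None                 # fires only if the client goes silent
        if not chunk or len(buf) + len(chunk) > MAX_HEADER:
            return None
        buf += chunk
    return buf


def read_header_deadline(conn, header_deadline, idle_timeout):
    """Hardened: an absolute deadline for the whole header on top of the
    idle timeout.  Each recv() waits at most until the deadline, so a
    trickling client is dropped after header_deadline seconds regardless
    of how often it sends."""
    end = time.monotonic() + header_deadline
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = end - time.monotonic()
        if remaining <= 0:
            return None                 # complete header not in by the deadline
        conn.settimeout(min(remaining, idle_timeout))
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return None                 # idle timeout or deadline expired
        if not chunk or len(buf) + len(chunk) > MAX_HEADER:
            return None
        buf += chunk
    return buf


def drip(sock, data, interval):
    """Constructed slowloris-style client: sends the header one byte at a time."""
    try:
        for i in range(len(data)):
            sock.sendall(data[i:i + 1])
            time.sleep(interval)
    except OSError:
        pass                            # server already gave up and closed
    finally:
        sock.close()


def run_against_slow_client(reader, **kwargs):
    """Pair a reader with a dripping client; return (header_or_None, elapsed)."""
    client, server = socket.socketpair()
    sender = threading.Thread(target=drip, args=(client, SAMPLE_HEADER, DRIP_INTERVAL))
    start = time.monotonic()
    sender.start()
    try:
        result = reader(server, **kwargs)
    finally:
        server.close()
    sender.join()
    return result, time.monotonic() - start


def demo_idle_timeout():
    return run_against_slow_client(read_header_idle_timeout, idle_timeout=IDLE_TIMEOUT)


def demo_deadline():
    return run_against_slow_client(read_header_deadline,
                                   header_deadline=HEADER_DEADLINE,
                                   idle_timeout=IDLE_TIMEOUT)


if __name__ == "__main__":
    hdr, secs = demo_idle_timeout()
    print(f"idle timeout only : got {hdr!r} after {secs:.1f}s (slow client wins)")
    hdr, secs = demo_deadline()
    print(f"header deadline   : got {hdr!r} after {secs:.1f}s (slow client dropped)")
```

With the constructed values the idle-timeout reader accepts the full header after roughly 1.7 seconds because no single gap exceeds 0.5 seconds, while the deadline reader returns None at about 0.5 seconds with only a few bytes received. The same shape applies to the request body (the `reqtimeout_after_body` path mentioned above): the bound has to be on the whole read, not on the interval between packets.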
