httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch>
Subject Re: mod_reqtimeout logging
Date Sat, 12 Feb 2011 16:11:43 GMT
On Thursday 10 February 2011, Daniel Ruggeri wrote:
> On 2/10/2011 2:21 AM, Nick Gearls wrote:
> > Probably not, but as we specify the time-outs to allow all normal
> > requests (we hope), I'd like to be warned when an attack occurs,
> > but also if one of my genuine customers is blocked (to possibly
> > fine-tunes the time-outs).
> We should figure out what the general case would be for users.
> Since per-module logging levels is a reality, it's a trivial
> matter to let the server admin decide if they want to log these
> messages. My concern with putting it at WARN level (and a server
> admin doesn't want these messages), they may accidentally suppress
> other warnings. I may be speaking out of turn, though, since I
> don't know what messages this module emits and at what levels.

For trunk, WARN is OK becasue the admin can set mod_reqtimeout's 
loglevel separately and mod_reqtimeout doesn't log anything else. For 
2.2.x, I am reluctant to bump it to warn, as this may become too 
noisy. And the acess log should already record the timeouts with 
status 408.

> > Another option would be to set an environment variable, so I
> > could check it and handle my notification manually.
> Maybe I misunderstand the idea, but why wouldn't creating a
> 'LogTimeoutErrors' (or something to that effect) directive be The
> Right Thing to do in this case?

For 2.2.x we would need something like that to make it configurable. 
But do we really need that?

View raw message