httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: svn commit: r1202255 - /httpd/httpd/trunk/modules/filters/mod_reqtimeout.c
Date Wed, 16 Nov 2011 10:44:58 GMT
On 15.11.2011 20:57, Jeff Trawick wrote:
> On Tue, Nov 15, 2011 at 2:32 PM, William A. Rowe Jr.
> <wrowe@rowe-clan.net>  wrote:
>> On 11/15/2011 12:33 PM, Stefan Fritsch wrote:
>>>
>>> On Tuesday 15 November 2011, Paul Querna wrote:
>>>>
>>>> On Tue, Nov 15, 2011 at 9:17 AM, Stefan Fritsch <sf@sfritsch.de> wrote:
>>>>>
>>>>> On Tue, 15 Nov 2011, pquerna@apache.org wrote:
>>>>>>
>>>>>> Author: pquerna
>>>>>> Date: Tue Nov 15 15:49:19 2011
>>>>>> New Revision: 1202255
>>>>>>
>>>>>> URL: http://svn.apache.org/viewvc?rev=1202255&view=rev
>>>>>> Log:
>>>>>> disable mod_reqtimeout if not configured
>>>>>
>>>>> Why that? We have just changed the default to be enabled in
>>>>> r1199447 and several developers at the hackathon agreed to this
>>>>> change.
>>>>
>>>> Didn't know it was discussed in depth at the hackathon, and there
>>>> wasn't any discussion on the list....
>>>>
>>>> It showed up quite quickly in my profiling of the Event MPM,
>>>> because every pull/push on the filters would cause an
>>>> apr_time_now() call.
>>>>
>>>> I don't really like that just by loading the module, it changes the
>>>> behavior and performance of the server so drastically.
>>>
>>> It only acts on reads from the client. Normal non-POST requests arrive
>>> in one or two packets, which would mean approx. 3 additional
>>> apr_time_now calls per request. I haven't done benchmarks, but I can't
>>> imagine that this has a drastic impact on performance. And if it costs
>>> 1-2%, then that's a small cost compared to the impact of slowloris
>>> type attacks which eat lots of memory.
>>>
>>> The general intention of the recent changes in default configs and
>>> module selection/loading was to make it easier to only load those
>>> modules that are really needed, have a reasonable default config, and
>>> have the compiled-in default values be the same as those in the
>>> example config files.
>>
>> Which means, build by default, disable by default.  I think that keeps
>> everyone happy.  When abuse arrives, it's trivial to load.
>
> Timeout 60 isn't nearly as bad as the old Timeout 300 that is probably
> still in wide use, but mod_reqtimeout can provide a much more
> reasonable out of the box configuration.  I think we should keep it in
> place by default.

+1

Rainer
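
Added example, not part of the thread and not mod_reqtimeout's own code: a simplified Python model of the two timeout styles the thread compares, the core `Timeout` idle timer and a mod_reqtimeout-style header deadline with a minimum data rate. The `header=20-40,MinRate=500` values, the function names and the arrival traces are assumptions constructed for illustration.

```python
# Added illustration: a simplified model, not mod_reqtimeout's implementation.
# Each trace is a list of (seconds_since_accept, bytes_received) reads; the
# last read in a trace completes the request headers.

def idle_timeout_closes(arrivals, timeout):
    """Core `Timeout` model: an idle timer that restarts on every read.
    Returns the time the server gives up, or None if the headers complete."""
    last = 0.0
    for t, _nbytes in arrivals:
        if t - last > timeout:
            return last + timeout
        last = t
    return None

def reqtimeout_closes(arrivals, initial, maximum, min_rate):
    """Header-stage deadline model: starts at `initial` seconds, grows by one
    second per `min_rate` bytes received, and never exceeds `maximum`."""
    deadline, received = float(initial), 0
    for t, nbytes in arrivals:
        if t > deadline:
            return deadline
        received += nbytes
        deadline = min(initial + received / min_rate, float(maximum))
    return None

# Constructed traces (not captured traffic).
NORMAL = [(0.0, 400), (0.05, 300)]                              # two quick packets
TRICKLE = [(0.0, 16)] + [(50.0 * i, 12) for i in range(1, 21)]  # one line per 50 s
STEADY = [(float(i), 500) for i in range(60)]                   # exactly MinRate

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("trickle", TRICKLE), ("steady", STEADY)):
        print(name,
              "Timeout 300:", idle_timeout_closes(trace, 300),
              "Timeout 60:", idle_timeout_closes(trace, 60),
              "header=20-40,MinRate=500:", reqtimeout_closes(trace, 20, 40, 500))
```

In the trickle trace neither idle timer ever fires, so the connection stays open for the full 1000 seconds, while the header deadline closes it after about 20 seconds; the normal two-packet request is unaffected by either.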

