httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Micha Lenk <mi...@lenk.info>
Subject Re: mod_proxy, oooled backend connections and the keep-alive race condition
Date Tue, 01 Oct 2013 14:53:31 GMT
Hi all,

Am 01.10.2013 14:36, schrieb Plüm, Rüdiger, Vodafone Group:
>> That's time when the proxy *thinks* the connection is valid but
>> the backend thinks the connection is idle.  And in most
>> reverse-proxy cases that prefetch is adding basically no value
>> AFAICT - the backend is a known vintage and probably HTTP/1.1.
>> So... could we make the prefetch stuff configurable away?
> 
> IMHO no issue with this. Let's hear what others say. I guess the main
> point of prefetch was to make better decisions whether to use
> chunked encoding when sending to the backend. Or provide a CL to the
> backend when the real client does not.

As far as I understand the issue, the main point of prefetch was to fix
CVE-2005-2088, a HTTP Request Smuggling attack (see also
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2088).

This is not an argument against making the prefetch stuff configurable,
but if this ever gets implemented, this CVE should definitely needs to
be mentioned in the documentation so that users are aware of it.

Regards,
Micha

Mime
View raw message