(Mon, 26 Mar 16:40) Warren Young:
> On Mar 26, 2018, at 2:45 PM, Warren Young wrote:
> >
> > On Mar 26, 2018, at 2:15 PM, Svyatoslav Mishyn
> > wrote:
> >>
> >> Here are results of r.sh when stress.sh was run (and all RAM was used
> >> on VPS):
>
> I’ve thought a bit more about this stress.sh script. It is based on ab,
> which I presume is the Apache Benchmark program. You aren’t giving it -C,
> which means it’s just bouncing off that URL and sending you back to the login
> page on each HTTP hit. Thus, it is not at all like a real user trying to use
> the fossil-scm.org repository remotely.
>
> Monitor your HTTP traffic to the Fossil server, and I think you’ll see that
> you aren’t actually pulling vdiffs with this test.

Actually, Apache Benchmark pulls diffs without the "-C" option, as the
"nobody" user got "gjorz" permissions.

If I remove the "o" (Check-Out) capability, then yes, there will be a
redirect to the /login page.

On the other hand, how can a VPS be protected against such requests
without removing current functionality for non-logged-in ("nobody") users,
i.e. keeping the "o" capability?

The "max-loadavg" setting can't help, as it does not affect /vdiff pages.

Only by limiting requests by nginx to fossil?

--
https://www.juef.space/
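
The nginx-side request limiting asked about in the message above, as an added example that is not part of the original post or of Fossil's own documentation. It assumes Fossil is reachable as an HTTP backend on 127.0.0.1:8080; the server name, zone names, rates and limits are illustrative values to tune, not figures from the thread.

```nginx
# Added example (not from the thread). Assumed: Fossil runs as an HTTP
# backend on 127.0.0.1:8080; server_name, zone names and all numeric
# limits are placeholders.

# --- http {} context ---------------------------------------------------
# Per-client-address request rate for diff pages: 10 MB of state, 1 req/s.
limit_req_zone  $binary_remote_addr zone=fossil_vdiff:10m rate=1r/s;
# Per-client-address cap on simultaneous connections to diff pages.
limit_conn_zone $binary_remote_addr zone=fossil_conn:10m;

server {
    listen 80;
    server_name fossil.example.org;          # placeholder

    # /vdiff stays available to the anonymous "nobody" user (the "o"
    # capability is kept), but each client gets a small burst and then
    # one request per second. Locations match the path only, so the
    # ?from=...&to=... query string does not affect the match.
    location ~ /vdiff$ {
        limit_req   zone=fossil_vdiff burst=5 nodelay;
        limit_conn  fossil_conn 2;
        limit_req_status  429;               # rejected: Too Many Requests
        limit_conn_status 429;

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }

    # All other Fossil pages pass through without throttling.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }
}
```

Rejected requests are logged at the `error` level by default (`limit_req_log_level`), so a benchmark run like the one discussed shows up in the nginx error log as "limiting requests" entries rather than as load on the Fossil process.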