https://bz.apache.org/bugzilla/show_bug.cgi?id=60681
--- Comment #10 from William A. Rowe Jr. <[email protected]> ---

Sorry for the confusion, I should have stated 'request line', not 'header line':

HTTP Connect:
  no record

HTTP Timeout before the request line is read:
  no record

HTTP Timeout after request line is read, before all header lines are read:
  [Thu Feb 09 16:16:31 2017] [error] [client 127.0.0.1] request failed: error reading the headers

With mod_reqtimeout loaded, these events are changed;

HTTP reqtimeout Connect:
  no record

HTTP reqtimeout before the request line is read:
  Redundant recording, both error (level [info]) and access log entries;
  [Thu Feb 09 17:11:26 2017] [info] [client 127.0.0.1] Request header read timeout
  127.0.0.1 - - [09/Feb/2017:17:11:26 -0600] "-" 408 -
  [No 408 error message is transmitted to the client]

HTTP reqtimeout after request line is read, before all header lines are read:
  Redundant recording, both error (level [error]!) and access log entries;
  [Thu Feb 09 17:13:54 2017] [info] [client 127.0.0.1] Request header read timeout
  [Thu Feb 09 17:13:54 2017] [error] [client 127.0.0.1] request failed: error reading the headers
  127.0.0.1 - - [09/Feb/2017:17:13:38 -0600] "GET / HTTP/1.1" 408 223

HTTP reqtimeout after header lines complete, before C-L request body:
  Redundant recording, both error and access log entries;
  [Thu Feb 09 18:22:55 2017] [info] [client 127.0.0.1] Request body read timeout
  127.0.0.1 - - [09/Feb/2017:18:22:34 -0600] "GET / HTTP/1.1" 400 226

HTTP reqtimeout after header lines complete, before T-E:chunked header:
  Redundant recording, both error and access log entries;
  [Thu Feb 09 18:19:41 2017] [info] [client 127.0.0.1] Request body read timeout
  127.0.0.1 - - [09/Feb/2017:18:19:20 -0600] "HEAD / HTTP/1.1" 400 -

HTTP reqtimeout after header lines complete, before T-E:chunked content:
  Redundant recording, both error and access log entries;
  127.0.0.1 - - [09/Feb/2017:18:26:37 -0600] "GET / HTTP/1.1" 400 226
  [Thu Feb 09 18:26:47 2017] [info] [client 127.0.0.1] Request body read timeout

HTTP reqtimeout on keepalive:
  no record

Here again, an [error] level was too loud and redundant. The [info] level messages are in-line with the historical mod_ssl [info] reporting.

This suggests to me that the [info] alerts should be emitted from the core non-reqtimeout read failure paths, and that the explicit 408, transmitted or not, should be the core reaction to timeout before the request has been read and during the body read timeout. The [error] alert for the one and only one failure path once a 408 is recorded is incorrect. Timeouts reading the body should also be 408.

The fail2ban filter should be applied for all 408 responses, be that the first request line timeout, all timeouts of header line timeouts and all header body timeouts, along with all 400 responses, which records all "illegible" and "too slow" cases which may likely indicate an abuse pattern. Some reasonable threshold needs to be applied, so that the remote cellular or other user with intermittent connectivity does not trip this filter too easily. Given that any web request may consist of as many as 2-4 parallel http connections to gather the primary request and tangential resources (gif/jpg/css/js etc), some limit such as 10 400+408 requests combined would appear to indicate abusive traffic.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
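The comment proposes treating a client that accumulates many 400 and 408 responses as abusive, with a threshold (it suggests 10) high enough that a flaky mobile client opening 2-4 parallel connections is not banned. Below is an added example of that counting rule over Apache common-log lines; it is not code from the bug report, httpd or fail2ban. The sample log lines are constructed, and the 10-minute sliding window is an assumption standing in for a fail2ban-style findtime, which the comment does not specify.

```python
"""
Added example (not from the bug report, httpd or fail2ban): count 400 and
408 responses per client in Apache common log format and flag clients
that reach a threshold inside a sliding time window.  Sample log lines
are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache common log format, as in the comment's access_log excerpts:
#   host ident user [time] "request" status bytes
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

FLAGGED_STATUSES = {400, 408}           # "illegible" and "too slow" requests
DEFAULT_THRESHOLD = 10                  # the combined 400+408 limit the comment suggests
DEFAULT_WINDOW = timedelta(minutes=10)  # assumption: fail2ban-style findtime


def parse_clf(line):
    """Return (host, timestamp, status) for one CLF line, or None if it does not parse."""
    m = _CLF.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, int(m.group("status"))


def find_abusive_clients(lines, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
    """Return {host: total 400/408 count} for every host that produced at
    least `threshold` flagged responses inside some window of length `window`."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue                    # unparseable line: skip, never count
        host, ts, status = parsed
        if status in FLAGGED_STATUSES:
            events[host].append(ts)

    flagged = {}
    for host, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it covers at most `window`
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = len(stamps)
                break
    return flagged


def sample_log():
    """Constructed sample: a flaky mobile client, an abusive scanner, and a
    host whose timeouts are spread too far apart to fall in one window."""
    base = datetime(2017, 2, 9, 17, 11, 26, tzinfo=timezone(timedelta(hours=-6)))

    def clf(host, t, request, status, size):
        return '%s - - [%s] "%s" %d %s' % (
            host, t.strftime("%d/%b/%Y:%H:%M:%S %z"), request, status, size)

    lines = []
    # three header-read timeouts from a mobile client: below the threshold
    for i in range(3):
        lines.append(clf("10.0.0.5", base + timedelta(seconds=20 * i), "-", 408, "-"))
    # twelve malformed or slow requests from one host within 80 seconds: flagged
    for i in range(12):
        lines.append(clf("198.51.100.7", base + timedelta(seconds=7 * i),
                         "GET / HTTP/1.1", 400 if i % 2 else 408, "226"))
    # ten timeouts from one host, one per hour: never ten inside a 10-minute window
    for i in range(10):
        lines.append(clf("203.0.113.9", base + timedelta(hours=i), "GET / HTTP/1.1", 408, "223"))
    # an ordinary successful request, which the counter ignores
    lines.append(clf("10.0.0.5", base, "GET /index.html HTTP/1.1", 200, "1024"))
    return lines


if __name__ == "__main__":
    for host, count in sorted(find_abusive_clients(sample_log()).items()):
        print("abusive: %s (%d flagged responses)" % (host, count))
```

With the default threshold only the scanner is reported; lowering the threshold to 3 also catches the mobile client, which is the false positive the comment warns about, while the host with one timeout per hour is never reported because the window, not just the raw count, decides.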
