On Tuesday 01 September 2009, Ruediger Pluem wrote:
> I guess
>
> reqtimeout_after_body
>
> also needs to be updated to the assert / do nothing if not
> configured logic like reqtimeout_after_headers
>
Thanks, I missed that. I fixed it and also added support for minimum upload rates: This

  RequestHeaderTimeout initialTimeout [maxTimeout]
  RequestHeaderMinRate minRate

will now set the timeout to initialTimeout. Whenever data is received, the timeout is increased according to minRate, but not to a value larger than maxTimeout. If RequestHeaderMinRate is not present, maxTimeout will be ignored. The same goes for the Body* directives.

The new version is again at http://www.sfritsch.de/mod_reqtimeout/

@Nick: I now had also a brief look at mod_evasive, mod_cband and mod_qos. mod_evasive does only request-level checking and cannot defend against slowloris style attacks. mod_cband only provides upper bandwidth and connection limits. mod_qos has minimum upload rates and per IP connection limits and much more. However, it is much more heavy weight than mod_reqtimeout. The source code is about 20 times larger, it uses many mutexes, etc.

Therefore I think mod_reqtimeout still has its use cases. And it's far easier to review, too ;-)

Cheers,
Stefan
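The timeout rule described in the message above, modelled as an added example (not code from mod_reqtimeout or from the author). It assumes each received byte extends the deadline by 1/minRate seconds and that maxTimeout is measured from the start of the stage; stage_timer, timer_on_data and simulate are hypothetical names, and the client traffic is constructed.

```c
#include <stdio.h>

/* Hypothetical model of one request stage (headers or body); times in ms. */
typedef struct {
    long max_ms;      /* maxTimeout, 0 = no cap */
    long min_rate;    /* minRate in bytes/second, 0 = directive absent */
    long deadline_ms; /* current deadline, measured from stage start */
} stage_timer;

/* Account for nbytes arriving at now_ms; returns 0 if the deadline passed. */
static int timer_on_data(stage_timer *t, long now_ms, long nbytes)
{
    if (now_ms > t->deadline_ms)
        return 0;
    if (t->min_rate > 0) {
        /* Assumption: each byte buys 1/minRate seconds of extra time. */
        t->deadline_ms += nbytes * 1000 / t->min_rate;
        if (t->max_ms > 0 && t->deadline_ms > t->max_ms)
            t->deadline_ms = t->max_ms;
    }
    return 1;
}

/* Constructed client: sends `chunk` bytes every `interval_ms` until `total`
 * bytes are in. Returns the timeout instant in ms, or -1 if it finished. */
static long simulate(long initial_s, long max_s, long min_rate,
                     long chunk, long interval_ms, long total)
{
    /* Without a MinRate directive, maxTimeout is ignored. */
    stage_timer t = { min_rate > 0 ? max_s * 1000 : 0, min_rate,
                      initial_s * 1000 };
    long now = 0, got = 0;

    while (got < total) {
        now += interval_ms;
        if (!timer_on_data(&t, now, chunk))
            return t.deadline_ms;
        got += chunk;
    }
    return -1;
}

int main(void)
{
    /* initialTimeout 10 s, maxTimeout 30 s, minRate 500 bytes/s */
    printf("trickle: %ld\n", simulate(10, 30, 500, 10, 5000, 2000));
    printf("normal:  %ld\n", simulate(10, 30, 500, 1000, 100, 4000));
    printf("capped:  %ld\n", simulate(10, 30, 500, 600, 1000, 60000));
    return 0;
}
```

A client trickling 10 bytes every 5 seconds earns only 20 ms per chunk and is cut off just after initialTimeout, while a sender above minRate keeps extending its deadline until maxTimeout bounds the stage.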
