In message <fe35d553-dff2-4d85-8abe-3a8711908...@etr-usa.com>,
Warren Young writes:
>On Dec 22, 2017, at 10:20 AM, Olivier R. <m...@grammalecte.net> wrote:
>>
>> On 22/12/2017 at 16:10, Warren Young wrote:
>>> 1. Your repo is public-facing. Is this a reasonable number of
>>> clients to be connected at any given time to this repo? It seems
>>> high to me, given the transient nature of most Fossil connections.
>>
>> Only two devs have the right to modify the online repository.
>> I’d be surprised if there were more than 5 people connected to this
>> repo at the same time.
>
>Your first netstat -na output shows 24 established connections, most
>to distinct remote peer IPs.
>
>Additionally, Fossil connections tend to be short-lived due to the
>nature of Fossil.
[...]
>Therefore, one of two things is happening:
>
>1. You have a high rate of connections to the server, so that at any
>   one time, we can see dozens of them. Disproving this hypothesis is
>   the purpose of the tshark test.
>
>2. You have connections that stay open for a long time, which suggests:
>
>2a. A connection handle leak. But if this were common, lots of
>    people would have found it before you.
>
>2b. Bad actors on those remote hosts, which is why I brought up the
>    possibility of a botnet attack.
>
>If we have a 2b case, then you’d want to find some way to identify
>the connections somehow, so that you can block them.

The only way I managed to reproduce the lsof output that was reported
earlier was to connect to my fossil using netcat and send no data.
Once I sent any data (by hitting a return) fossil reported a 403
(since I sent no http headers).

As I noted earlier I have hiawatha running in front of the fossil
server. It kills idle connections after I think 60 seconds. So if
there is no traffic, the connection to the back end fossil server will
be killed.

Note that Warren is running nginx as the front end for his fossil
server. I think that has anti-DOS and timeouts on client header/body
and response times that can do something similar.

Does fossil have any idle connection timeout limits?

--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
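
Added example, not part of the original message and not code from Fossil, hiawatha or nginx: a minimal sketch of the kind of client-header deadline a front end applies, so that a connection which sends nothing (the netcat case above) or never finishes its headers is dropped instead of staying ESTABLISHED. The function name, the 8192-byte limit and the sample requests are assumptions; the 60-second default mirrors the figure mentioned in the message.

```python
import socket
import time

HEADER_END = b"\r\n\r\n"


def read_request_head(conn, idle_timeout=60.0, max_bytes=8192):
    """Read until the HTTP headers end or one overall deadline expires.

    Returns (status, data); status is 'complete', 'idle-timeout',
    'closed' or 'too-large'. The caller closes conn unless 'complete'.
    """
    # One deadline for the whole header block, so a peer trickling a byte
    # at a time cannot keep resetting a per-recv timeout.
    deadline = time.monotonic() + idle_timeout
    buf = b""
    while HEADER_END not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return "idle-timeout", buf
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return "idle-timeout", buf
        if not chunk:            # peer closed before finishing the headers
            return "closed", buf
        buf += chunk
        if len(buf) > max_bytes:
            return "too-large", buf
    return "complete", buf


def demo(timeout=0.2):
    """Run three constructed clients through the check over socketpairs."""
    cases = {
        "silent": b"",                                         # connects, sends nothing
        "partial": b"GET / HTTP/1.1\r\nHost: example.test\r\n",  # never ends headers
        "complete": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    }
    results = {}
    for name, payload in cases.items():
        server, client = socket.socketpair()
        try:
            if payload:
                client.sendall(payload)
            results[name] = read_request_head(server, idle_timeout=timeout)[0]
        finally:
            server.close()
            client.close()
    return results


if __name__ == "__main__":
    print(demo())
```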