exceptionfactory commented on pull request #4972: URL: https://github.com/apache/nifi/pull/4972#issuecomment-814106145
> I agree that the IP whitelisting is more representative of how the DoS should work rather than excluding the S2S paths. Testing this out it seems like the whitelist is only applied to the request rate tracking, as the timeout method onRequestTimeout() doesn't seem to call checkWhitelist(), confirmed by docs http://archive.eclipse.org/jetty/8.0.0.M1/apidocs/org/eclipse/jetty/servlets/DoSFilter.html

That's a good point about `DoSFilter.onRequestTimeout()` still enforcing the maximum value as configured using the `maxRequestMs`. With the addition of the new property `nifi-web.request.timeout` and one more property to exclude IP addresses or subnets from rate limiting, it seems like that should provide sufficient ability to configure the filter.
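
The filter settings discussed in this comment, wired into an embedded Jetty context as an added example (not code from the pull request or from NiFi). It assumes Jetty 9.4 with `javax.servlet`; the class name, method name and sample values are hypothetical.

```java
import java.time.Duration;
import java.util.EnumSet;
import java.util.List;
import javax.servlet.DispatcherType;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlets.DoSFilter;

// Hypothetical helper for illustration; not NiFi's implementation.
public final class DosFilterSetup {

    public static FilterHolder addDosFilter(ServletContextHandler context,
                                            int maxRequestsPerSec,
                                            Duration requestTimeout,
                                            List<String> excludedAddresses) {
        if (maxRequestsPerSec <= 0 || requestTimeout.isZero() || requestTimeout.isNegative()) {
            throw new IllegalArgumentException("rate limit and timeout must be positive");
        }
        FilterHolder holder = new FilterHolder(DoSFilter.class);
        holder.setName("dos-filter");
        holder.setAsyncSupported(true); // DoSFilter suspends requests it delays

        // Rate tracking: requests above this rate are delayed or throttled.
        holder.setInitParameter("maxRequestsPerSec", Integer.toString(maxRequestsPerSec));

        // Exempts the listed addresses or subnets from rate tracking only.
        if (!excludedAddresses.isEmpty()) {
            holder.setInitParameter("ipWhitelist", String.join(",", excludedAddresses));
        }

        // Per the discussion above, onRequestTimeout() does not consult the
        // whitelist, so this limit also applies to excluded clients. Size it
        // for the slowest trusted caller (for example site-to-site transfers).
        holder.setInitParameter("maxRequestMs", Long.toString(requestTimeout.toMillis()));

        context.addFilter(holder, "/*", EnumSet.of(DispatcherType.REQUEST));
        return holder;
    }

    public static void main(String[] args) {
        ServletContextHandler context = new ServletContextHandler();
        // Constructed sample values (documentation address ranges).
        FilterHolder holder = addDosFilter(context, 30000, Duration.ofSeconds(60),
                List.of("192.0.2.10", "198.51.100.0/24"));
        System.out.println(holder.getInitParameters());
    }
}
```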
