On Tue, Jan 05, 1999, Nigel Metheringham wrote:

> Someone very kindly tried a DOS attack on a web server of ours recently.  
> Basically they opened a pile of connections to a server but sent no data 
> down them.  To make matters worse they then disconnected their modem 
> connection leaving a couple of hundred hanging connections....
> 
> On a non-ssl connection, setting TimeOut lower helps mitigate against this 
> by killing idle connections.  However this option has no apparent effect 
> on an SSL connection.  

What's the reason you assume that Timeout doesn't apply to HTTPS connections?
Actually Timeout is implemented totally generically inside Apache without any
knowledge of the SSL protocol (it's only aware of keepalive connections). And
even inside our Apache source I see no reason why it shouldn't apply to a
HTTPS connection. Have you really tried to use Timeout inside the
<VirtualHost> for HTTPS?

> Is there an analog to this... or a way of changing 
> stuff down in SSLeay?

As I say, Timeout should apply to both HTTP and HTTPS connections.
When it really doesn't then there is a bug somewhere.

> On a related note, is there a means to limit the number of live 
> connections from a particular IP address?  [more a standard apache rather 
> than mod_ssl issue].

AFAIK we've no mechanism which limits the connections on a per-IP basis. But
you can write a patch which implements this within a few hundred lines of
code, I think.
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
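
The per-IP limit asked about in the thread, as an added example that is not part of the original message and is not Apache or mod_ssl code: a table of concurrent connections per client address, checked on accept and decremented on close. The names, the table size and the limit of 10 are assumptions, and the sketch is single-process; a pre-forking server would have to keep the table in shared memory under a lock.

```c
#include <stdint.h>
#include <string.h>

#define MAX_TRACKED 256   /* assumed table size: distinct client IPs tracked */
#define MAX_PER_IP  10    /* assumed limit on concurrent connections per IP */

struct ip_slot  { uint32_t ip; unsigned count; };   /* count == 0: slot is free */
struct ip_table { struct ip_slot slot[MAX_TRACKED]; };

void ip_table_init(struct ip_table *t) { memset(t, 0, sizeof *t); }

/* Return the slot tracking ip, else the first free slot, else NULL (table full). */
static struct ip_slot *find_slot(struct ip_table *t, uint32_t ip)
{
    struct ip_slot *free_slot = NULL;
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        struct ip_slot *s = &t->slot[i];
        if (s->count > 0 && s->ip == ip)
            return s;
        if (s->count == 0 && free_slot == NULL)
            free_slot = s;
    }
    return free_slot;
}

/* Call after accept(). Returns 1 to serve the connection, 0 to drop it. */
int conn_open(struct ip_table *t, uint32_t ip)
{
    struct ip_slot *s = find_slot(t, ip);
    if (s == NULL)
        return 0;               /* table full: refuse rather than serve untracked */
    if (s->count >= MAX_PER_IP)
        return 0;               /* this address already holds its quota */
    s->ip = ip;                 /* no-op for a tracked address, claims a free slot */
    s->count++;
    return 1;
}

/* Call when a connection ends, including one killed by an idle timeout. */
void conn_close(struct ip_table *t, uint32_t ip)
{
    struct ip_slot *s = find_slot(t, ip);
    if (s != NULL && s->count > 0 && s->ip == ip)
        s->count--;             /* slot becomes free again when count hits 0 */
}
```

A limit like this only bounds how many slots one address can hold; the hanging connections themselves are still released by the idle timeout, which is what calls `conn_close`.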
