Re: TTLimit directive
Hey Nick, anything else is missing from me regarding this patch?

On Tue, Jun 13, 2017 at 2:20 PM, Donatas Abraitis <donatas.abrai...@gmail.com> wrote:

> Hey Nick,
>
> it must be 0, not 255. I updated it in patch attached
>
> Sent from my iPhone
>
> > On 13 Jun 2017, at 13:52, Nick Kew wrote:
> >
> >> On Tue, 2017-06-13 at 11:41 +0300, Donatas Abraitis wrote:
> >>
> >> I would like to propose this patchset allowing to set maximum TTL value
> >> for incoming requests. This is not a usual use case, but I'm interested
> >> (maybe others too) to have this in place. The real use case would be like
> >> this one http://blog.donatas.net/blog/2017/04/20/http-request-validation/.
> >
> > Thanks! I'm not sure I follow your exact scenario, but it
> > looks like a modest enhancement at very low cost or risk!
> >
> >> TL;DR: if you want to deny requests bypassing proxy layer (in this case
> >> Apache operates as a backend). Hence set TTLimit to 1 and Apache will be
> >> able to handle requests coming almost from the local network, because
> >> packets with TTL usually come from local networks.
> >>
> >> I don't know which place is the right place to put patches, but
> >> original patch is here:
> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
> >> https://bz.apache.org/bugzilla/attachment.cgi?id=35048
> >
> > That's exactly the right place.
> >
> > At first glance, patch looks interesting, and I'm minded to
> > adopt (some version of) it for trunk. Though I think I'd
> > default it to 0 (off) rather than your 255. Any other views?
> >
> > --
> > Nick Kew

--
Donatas
Re: TTLimit directive
Hey Nick,

it must be 0, not 255. I updated it in patch attached

Sent from my iPhone

> On 13 Jun 2017, at 13:52, Nick Kew wrote:
>
>> On Tue, 2017-06-13 at 11:41 +0300, Donatas Abraitis wrote:
>>
>> I would like to propose this patchset allowing to set maximum TTL value for
>> incoming requests. This is not a usual use case, but I'm interested (maybe
>> others too) to have this in place. The real use case would be like this one
>> http://blog.donatas.net/blog/2017/04/20/http-request-validation/.
>
> Thanks! I'm not sure I follow your exact scenario, but it
> looks like a modest enhancement at very low cost or risk!
>
>> TL;DR: if you want to deny requests bypassing proxy layer (in this case
>> Apache operates as a backend). Hence set TTLimit to 1 and Apache will be
>> able to handle requests coming almost from the local network, because
>> packets with TTL usually come from local networks.
>>
>> I don't know which place is the right place to put patches, but
>> original patch is here:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
>> https://bz.apache.org/bugzilla/attachment.cgi?id=35048
>
> That's exactly the right place.
>
> At first glance, patch looks interesting, and I'm minded to
> adopt (some version of) it for trunk. Though I think I'd
> default it to 0 (off) rather than your 255. Any other views?
>
> --
> Nick Kew
Re: TTLimit directive
On Tue, 2017-06-13 at 11:41 +0300, Donatas Abraitis wrote:

> I would like to propose this patchset allowing to set maximum TTL value for
> incoming requests. This is not a usual use case, but I'm interested (maybe
> others too) to have this in place. The real use case would be like this one
> http://blog.donatas.net/blog/2017/04/20/http-request-validation/.

Thanks! I'm not sure I follow your exact scenario, but it
looks like a modest enhancement at very low cost or risk!

> TL;DR: if you want to deny requests bypassing proxy layer (in this case
> Apache operates as a backend). Hence set TTLimit to 1 and Apache will be able
> to handle requests coming almost from the local network, because packets with
> TTL usually come from local networks.
>
> I don't know which place is the right place to put patches, but
> original patch is here:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
> https://bz.apache.org/bugzilla/attachment.cgi?id=35048

That's exactly the right place.

At first glance, patch looks interesting, and I'm minded to
adopt (some version of) it for trunk. Though I think I'd
default it to 0 (off) rather than your 255. Any other views?

--
Nick Kew
TTLimit directive
Hi,

I would like to propose this patchset allowing to set maximum TTL value for incoming requests. This is not a usual use case, but I'm interested (maybe others too) to have this in place. The real use case would be like this one http://blog.donatas.net/blog/2017/04/20/http-request-validation/.

TL;DR: if you want to deny requests bypassing proxy layer (in this case Apache operates as a backend). Hence set TTLimit to 1 and Apache will be able to handle requests coming almost from the local network, because packets with TTL usually come from local networks.

I don't know which place is the right place to put patches, but original patch is here:
https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
https://bz.apache.org/bugzilla/attachment.cgi?id=35048

--
Donatas