Re: TTLimit directive

2017-06-22 Thread Donatas Abraitis 
Hey Nick,

anything else is missing from me regarding this patch?

On Tue, Jun 13, 2017 at 2:20 PM, Donatas Abraitis <
donatas.abrai...@gmail.com> wrote:

> Hey Nick,
>
> it must be 0, not 255. I updated it in patch attached 
>
> Sent from my iPhone
>
> > On 13 Jun 2017, at 13:52, Nick Kew  wrote:
> >
> >> On Tue, 2017-06-13 at 11:41 +0300, Donatas Abraitis wrote:
> >>
> >> I would like to propose this patchset allowing to set maximum TTL value
> for incoming requests. This is not a usual use case, but I'm interested
> (maybe others too) to have this in place. The real use case would be like
> this one http://blog.donatas.net/blog/2017/04/20/http-request-validation/.
> >
> > Thanks!  I'm not sure I follow your exact scenario, but it
> > looks like a modest enhancement at very low cost or risk!
> >
> >> TL;DR: if you want to deny requests bypassing proxy layer (in this case
> Apache operates as a backend). Hence set TTLimit to 1 and Apache will be
> able to handle requests coming almost from the local network, because
> packets with TTL usually come from local networks.
> >>
> >>
> >> I don't know which place is the right place to put patches, but
> >> original patch is here:
> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
> >> https://bz.apache.org/bugzilla/attachment.cgi?id=35048
> >
> > That's exactly the right place.
> >
> > At first glance, patch looks interesting, and I'm minded to
> > adopt (some version of) it for trunk.  Though I think I'd
> > default it to 0 (off) rather than your 255.  Any other views?
> >
> > --
> > Nick Kew
> >
> >
>



-- 
Donatas

Re: TTLimit directive

2017-06-13 Thread Donatas Abraitis 
Hey Nick,

it must be 0, not 255. I updated it in patch attached 

Sent from my iPhone

> On 13 Jun 2017, at 13:52, Nick Kew  wrote:
> 
>> On Tue, 2017-06-13 at 11:41 +0300, Donatas Abraitis wrote:
>> 
>> I would like to propose this patchset allowing to set maximum TTL value for 
>> incoming requests. This is not a usual use case, but I'm interested (maybe 
>> others too) to have this in place. The real use case would be like this one 
>> http://blog.donatas.net/blog/2017/04/20/http-request-validation/. 
> 
> Thanks!  I'm not sure I follow your exact scenario, but it
> looks like a modest enhancement at very low cost or risk!
> 
>> TL;DR: if you want to deny requests bypassing proxy layer (in this case 
>> Apache operates as a backend). Hence set TTLimit to 1 and Apache will be 
>> able to handle requests coming almost from the local network, because 
>> packets with TTL usually come from local networks.
>> 
>> 
>> I don't know which place is the right place to put patches, but
>> original patch is here:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
>> https://bz.apache.org/bugzilla/attachment.cgi?id=35048
> 
> That's exactly the right place.
> 
> At first glance, patch looks interesting, and I'm minded to
> adopt (some version of) it for trunk.  Though I think I'd
> default it to 0 (off) rather than your 255.  Any other views?
> 
> -- 
> Nick Kew
> 
>

Re: TTLimit directive

2017-06-13 Thread Nick Kew 
On Tue, 2017-06-13 at 11:41 +0300, Donatas Abraitis wrote:

> I would like to propose this patchset allowing to set maximum TTL value for 
> incoming requests. This is not a usual use case, but I'm interested (maybe 
> others too) to have this in place. The real use case would be like this one 
> http://blog.donatas.net/blog/2017/04/20/http-request-validation/. 

Thanks!  I'm not sure I follow your exact scenario, but it
looks like a modest enhancement at very low cost or risk!

> TL;DR: if you want to deny requests bypassing proxy layer (in this case 
> Apache operates as a backend). Hence set TTLimit to 1 and Apache will be able 
> to handle requests coming almost from the local network, because packets with 
> TTL usually come from local networks.
> 
> 
> I don't know which place is the right place to put patches, but
> original patch is here:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
> https://bz.apache.org/bugzilla/attachment.cgi?id=35048

That's exactly the right place.

At first glance, patch looks interesting, and I'm minded to
adopt (some version of) it for trunk.  Though I think I'd
default it to 0 (off) rather than your 255.  Any other views?

-- 
Nick Kew

TTLimit directive

2017-06-13 Thread Donatas Abraitis 
Hi,

I would like to propose this patchset allowing to set maximum TTL
value for incoming requests. This is not a usual use case, but I'm
interested (maybe others too) to have this in place. The real use case
would be like this one
http://blog.donatas.net/blog/2017/04/20/http-request-validation/.

TL;DR: if you want to deny requests bypassing proxy layer (in this
case Apache operates as a backend). Hence set TTLimit to 1 and Apache
will be able to handle requests coming almost from the local network,
because packets with TTL usually come from local networks.

I don't know which place is the right place to put patches, but original
patch is here: https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
https://bz.apache.org/bugzilla/attachment.cgi?id=35048

-- 
Donatas