Re: Feedback needed: suexec different-owner patch

fied to comment on security-critical code. Tim -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: [PATCH] Add "FreeListen" to support IP_FREEBIND

> On 8 Mar 2016, at 18:13, William A Rowe Jr <wr...@rowe-clan.net> wrote: >> >> On Tue, Mar 8, 2016 at 11:38 AM, Tim Bannister <is...@c8h10n4o2.org.uk> >> wrote: >> On 8 Mar 2016, at 10:43, Jan Kaluža <jkal...@redhat.com> wrote: >> > On 03/

Re: [PATCH] Add "FreeListen" to support IP_FREEBIND

is socket). Using the second model, the Listen directive needs a way for the admin to specify multiple protocols. Maybe the answer is for that to be set in the Protocols directive only? What should the Listen directive look like, ideally, for a freebind-enabled socket that can be either HT

Re: [PATCH] Add "FreeListen" to support IP_FREEBIND

he listening TCP socket (and send the FD to httpd over an AF_UNIX socket*), ending up with the same "options=freebind,backlog:4095,reuseport,..." concept. I'm presuming that “options=protocol:https” would be fine too, and “https” on its own would be taken to be a deprecated shorthand? * similar to how https://github.com/JiriHorky/privbind works -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: httpd + systemd

tpd $OPTIONS -k graceful >Restart=always >RestartSec=1 > Maybe add an ExecStop as well which calls graceful-stop? This is more reliable than a signal. After DefaultTimeoutStopSec seconds, systemd will intervene regardless. -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: balancer-manager docs

” guide. I think the topics could be: • forward proxy (and access control) with or without cacheing • reverse proxy with or without cacheing • balancing and high availability for reverse proxies I think this is me volunteering to at least draft some text, if people agree this approach makes sense. -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: Worker states for balancer members

On 3 February 2016 12:25:21 GMT, Jim Jagielski wrote: > >Maybe we can just say that STOPPED is there for potential >3rd party uses and be done w/ it :) +1 to that philosophy -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: Worker states for balancer members

out is going to be worth documenting (I think?) to avoid that risk of confusion. -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: Work in progress: mod_proxy Health Check module

arently healthy backend (2xx status) which is actually serving the wrong page, eg “this domain is for sale!” -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: Shouldn't ap_get_remote_host use req->useragent_addr?

t;client_addr to obtain the >REMOTE_HOST. >> >> what about "Require ip ..."? “ip” is a minimal and doesn't explain much. How about, maybe: Require remote-ip-host 192.0.2.42/30? I'm assuming that this would succeed if the TCP peer is in the specified range OR if mod_remoteip makes a similar declaration. -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: Upgrades

This kind of rule ought to live outside the HTTP/1.x implementation as it has more to do with WebSocket than HTTP. -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: reverse proxy wishlist

ervene. The application could signal to httpd that its response has a user-friendly body via a special header. I don't think httpd can do what I have in mind yet (maybe with mod_lua, but that's too much for many webmasters). Tim -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: Question about "Trailer" header field

rable. I'm not sure what the default should be. I think the safe option, at least for trunk, is to remove those headers in the proxy code as well. -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: Is Apache getting too patchy?

those should stay consensual and democratic - but often leads discussions and moves things on. Comments very welcome. -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: SSLUseStapling: ssl handshake fails until httpd restart

interested. I can attempt a patch for this if other people think it'd be useful. -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: [Patch] Async write completion for the full connection filter stack

data is available on the > other connection. In the process, mod_proxy becomes asynchronous. Also super cool mojo. -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: [RFC] Enable OCSP Stapling by default in httpd trunk

enefit from stapling, either because networking filters would block a conversation between the client and the CA's OCSP responder, or the extra latency from using conventional OCSP is a problem. For another example of a non-interactive application implementing OCSP, look at the Exim mail transfer agent (which can be both client and server). -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: SSLCertificateChainFile deprecation, still

find the info in the manual. I think that suggestion is a good approach if the SSLCertificateChainFile directive can remain available for the full lifespan of 2.4.x -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: 2.2 and 2.4 and 2.6/3.0

Now that even stability-loving Debian is providing 2.4.x with full security support, moving on from 2.2 seems to make sense. -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: 2.2 and 2.4 and 2.6/3.0

to be a better how-to-FOO that uses httpd 2.4 ;) (I don't even think 2.2 is an issue here) …same with forward- and reverse-proxying (Squid, Pound, Varnish, etc) Is the httpd wiki a good place to publish these? -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: mod_ssl: Reading dhparams and ecparams not only from the first certificate file

auto (that last case – I'm imagining that httpd generates the D-H parameters at each startup, blocking use of ECDH until generation is complete). -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: mod_proxy_fcgi default port

How about asking IANA to assign a port? -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: SSL/TLS best current practice

. Any joint interest in maintaining a guide to implementing SSL/TLS best practices in the documentation for those that don't normally see our latest/greatest default configuration and/or need some extra prose around it? I can help with this. -- Tim Bannister - is...@c8h10n4o2.org.uk

Re: Disable SSLv3 by default

that. In that case, 'SSLProtocol all' should be just the remaining supported TLSv1.1 and TLSv1.2 protocols, or TLSv1.2-only. FWIW, I agree. -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: Proposal/RFC: informed load balancing

be able to serve stale responses from its cache. The sysadmin contacts the vendor “ACME Proxy”; the vendor asserts that their product is conforming to HTTP 1.1 and that the incorrect behaviour is in Apache httpd. Which, in my view, it would be. -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: Proposal/RFC: informed load balancing

deprecated by IETF, how about allowing any field name provided it's prefixed with “x-”? -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: Listen on UDS

would be a boon, even if the daemon listening on port 443 is different. -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: Unexpected Warnings from Macro Use in 2.4

be changed. Another unused character could be used, like § There aren't many suitable symbols left unused. To make interpolation not clash with Define I'd prefer “${macro:var}”, or something like that, to “§{var}”. -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: replacing Date header

: header iff it is compliant with the relevant RFC? With this, modules that want a Date: header automatically added need only to ensure they don't assert an apparently valid Date header. -- Tim Bannister – +44 7980408788 – is...@c8h10n4o2.org.uk

Re: disable SSLv3 the same way SSLv2 was disabled in mod_ssl

IMO this is one for packagers (as well as anyone wishing to contribute packaging patches). How did Traffic Server disable SSL – just an edit to the default configuration, or code changes as well? -- Tim Bannister - is...@c8h10n4o2.org.uk On 2 Jan 2015, at 19:38, Leif Hedstrom zw

Re: disable SSLv3 the same way SSLv2 was disabled in mod_ssl

disabled SSLv3. It's easy to configure httpd not to offer SSLv3 (and this makes a good default for new installs). -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: [Patch] Simplifying mod_alias

odd, though: Location /gone Redirect 410 /Location …so how about adding one new directive e.g. ForceStatus: Location /gone ForceStatus 410 /Location -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: ApacheCon Austin, httpd track

of the OpenSSL folks to come for that? Anyone have any contacts there? A day on SSL/TLS could and perhaps should cover both OpenSSL and GnuTLS. -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: commercial support

has fewer dependencies. Commercial support sounds nice. I think firms who'd pay for it would really like to get a commercially-supported web server bundled with their “enterprise” operating system. In that sense, Oracle and Red Hat are already offering commercial support for httpd. -- Tim

Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

} -- Tim Bannister – is...@c8h10n4o2.org.uk

Re: [Patch] Async write completion for the full connection filter stack

thinking about (and I don't know enough about). Changing the meaning of “empty brigade” also has compatibility issues but they will show up much later than build time. -- Tim Bannister – is...@jellybaby.net

Re: [RFC] enhancement: mod_cache bypass

for CacheEnable to be valid within If? Tim -- Tim Bannister – is...@jellybaby.net

Re: mod_autoindex issue with multibyte chars

names or description text will alternate between left-to-right and right-to-left reading order” Changing the default IndexOptions (e.g. to include “XHTML HTMLtable FancyIndexing”) would mitigate this. I wouldn't change the default behaviour for 2.2.x / 2.4.x though. -- Tim Bannister

Re: stop copying footers to r-headers_in?

] and for another label %[bar]: LogFormat %{sec}t%{msec_frac}t %s %[bar] %L %{REQUEST_STATUS} -strcmatch '5*' -- Tim Bannister – is...@jellybaby.net

Re: Change of web site layout

) The Cordova website project is https://issues.apache.org/jira/browse/CB/component/12320562/ The README for Cordova's website is at https://svn.apache.org/repos/asf/cordova/site/README.md It's a different CMS using, AFAICT, hastings. -- Tim Bannister – is...@jellybaby.net

Re: Change of web site layout

On 17 Jun 2014, at 14:24, Rich Bowen rbo...@rcbowen.com wrote: On 06/17/2014 05:19 AM, Daniel Gruno wrote: On 06/17/2014 12:46 AM, Tim Bannister wrote: On 16 Jun 2014, at 22:23, Rich Bowen wrote: In addition, I have some comments about your design proposal: - The apache.org design might

Re: SSL and NPN

/alpn.html is enough reason not to backport, but I'll mention it. -- Tim Bannister – is...@jellybaby.net

Re: SSLUserName - mod_auth_user

(empty string). PS. I'd be tempted to call it AuthType Expr. -- Tim Bannister - is...@jellybaby.net

Re: [PATCH ASF bugzilla# 55897] prefork_mpm patch with SO_REUSEPORT support

I'm afraid I don't understand this particular part from httpd_trunk_so_reuseport.patch: #ifndef SO_REUSEPORT #define SO_REUSEPORT 15 #endif Why 15? Is this going to be portable across different platforms? -- Tim Bannister – is...@jellybaby.net

Re: Improving The RewriteMap Program Feature

. -- Tim Bannister – is...@jellybaby.net

Re: Improving The RewriteMap Program Feature

On 2 Mar 2014, at 16:46, Tim Bannister is...@jellybaby.net wrote: On 1 Mar 2014, at 12:20, Eric Covener cove...@gmail.com wrote: If the RewriteMap Program fails, the code within mod_rewrite returns an empty string rather than NULL. In my tests this caused /index.htm to be returned

Re: Improving The RewriteMap Program Feature

be done. -- Tim Bannister – is...@jellybaby.net

Re: [VOTE] obscuring (or not) commit logs/CHANGES for fixes to vulnerabilities

if preventative measures should be taken. ---cut here--- s/outweighed by/balanced against/ ? -- Tim Bannister – is...@jellybaby.net

Re: Revisiting: xml2enc, mod_proxy_html and content compression

,chunked transfer-encodings ⇦ [origin server] (I'm assuming that the client doesn't negotiate gzip transfer encoding) Of course, this still won't help with a badly-configured origin server. -- Tim Bannister – is...@jellybaby.net

Re: Revisiting: xml2enc, mod_proxy_html and content compression

configuration, so maybe the way to handle this is via a change to documentation / default configuration, rather than code. Any thoughts? -- Tim Bannister – is...@jellybaby.net

Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests

. It's not reasonable to expect the proxy server to know the private key for remote.host.example -- Tim Bannister – is...@jellybaby.net

Re: Forbid directive in core?

for it then I will have a go at providing a patch. -- Tim Bannister – is...@jellybaby.net

Re: any interest in massaging the new error log provider to fit into 2.4.x?

…and by analogy, these could be valid too: ErrorLog syslog 127.0.0.1:user ErrorLog syslog [::1]:user ErrorLog console ErrorLog relp remotehost.example ErrorLog compresslog /var/log/apache2/error.log.gz -- Tim Bannister – is...@jellybaby.net

Re: mod_autoindex string pluggability

How about implementing XHTML → JSON as a filter? Either with existing modules or with something dedicated to autoindex. TimOn 05/08/2013 7:26 Sven Dowideit wrote: Hello Everyone, I'm scratching an itch to make mod_autoindex output what I want, and would love to know what, if anything would make

Re: Struggling with AuthMerging

On 31 Jul 2013, at 00:18, Mikhail T. wrote: Hello! I realize, configurations questions aren't meant for this list, but I'm beginning to suspect a bug... I'd try the users list first. The server might be working properly and it's just the documentation that has fallen short. Tim -- Tim

Re: [Bug 45023] DEFLATE preventing 304 NOT MODIFIED response

ugly to consider committing: https://issues.apache.org/bugzilla/show_bug.cgi?id=52860 Any help is definitely welcome. -- Tim Bannister – is...@jellybaby.net

Re: [Bug 45023] DEFLATE preventing 304 NOT MODIFIED response

On 9 Jul 2013, at 15:56, Tim Bannister is...@jellybaby.net wrote: On 9 Jul 2013, at 15:49, Eric Covener cove...@gmail.com wrote: What to do in 2.4? Maybe still early enough to still change 2.4 behavior? Roy Fielding links this to bug #39727… I still want to push for gzip Transfer

Re: Forbid directive in core?

be defined in the same place as the Forbid is set. Forbid ForbidExemption /srv/web /nfs/foo/bar /Directory # Require HTTPS except from IPv4 localhost If %{REQUEST_SCHEME} != HTTPS (! -R 127.0.0.0/8 ) # Expression evaluation doesn't need exemptions Forbid /Directory -- Tim Bannister

Re: Forbid directive in core?

#merging -- Tim Bannister – is...@jellybaby.net

Re: disable pid file writing?

' in the serverroot directory. That's why I thought it would make a good no-pid sentinel value. How about as a non-sane name? /dev might be /Devices on some arcane Unix-like system but isn't a valid filename anywhere I've ever seen. -- Tim Bannister – is...@jellybaby.net

Re: mod_cache with Cache-Control no-cache= or private=

not to store it). The origin doesn't have to mention that header in the 304 response. -- Tim Bannister – is...@jellybaby.net

Re: If/If-Match don't work for COPY

but only if you haven't lost an update? ETags are used to avoid lost updates; checking that cached data are fresh is just a common special case. -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: mod_lbmethod_byrequests required to define a BalancerMember

the moon on a stick please. Maybe there could be a very simple lbmethod that isn't byrequests, and is always available? For example, purely random allocation using a poor quality PRNG? -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: The Case for a Universal Web Server Load Value

On 15 Nov 2012, at 07:01, Issac Goldstand wrote: On 15/11/2012 00:48, Tim Bannister wrote: On 14 Nov 2012, at 22:19, Ask Bjørn Hansen wrote: The backend should/can know if it can take more requests. When it can't it shouldn't and the load balancer shouldn't pass that back to the end-user

Re: The Case for a Universal Web Server Load Value

to use a backend that is reporting a lower load. -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: The Case for a Universal Web Server Load Value

handling multiple concurrent requests. SPARQL sometimes means POST requests; a subset of these are safely repeatable but determining which ones is too complex for any HTTP proxy. -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: The Case for a Universal Web Server Load Value

*”, and will of course remember when a connection goes bad either via a TCP close or a 5xx response. -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: Rethinking be liberal in what you accept

it. -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: svn commit: r1406719 - in /httpd/httpd/trunk: CHANGES docs/log-message-tags/next-number include/http_core.h server/core.c server/protocol.c

expr %{HTTP_PROTOCOL} -gt 1.1 I realise that won't work as things stand, because -gt only handles integers. Maybe another binary operator could allow decimals? NB. SERVER_PROTOCOL would not be suitable because the initial “HTTP/” makes it harder to do math. -- Tim Bannister

Re: [PATCH] mod_systemd

a suggestion. -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: DNT IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in)

. The message to Microsoft, such as it is, suffers because of that. s/administrators/packagers/ ? -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: Ideas for an output filter for mod_lua

On 23 Aug 2012, at 11:45, Daniel Gruno rum...@cord.dk wrote: On 08/23/2012 12:02 AM, Tim Bannister wrote: I don't know if this is another way of phrasing Nick's question or not, but would I be able to implement gzip Transfer-Encoding: just using Lua and this new directive? I found (bug

Re: Ideas for an output filter for mod_lua

to achieve in C, so I think it could be harder still with the extra limitations of the Lua environment. My C code uses AP_FTYPE_TRANSCODE which I think is the right choice but few modules get involved at this filtering stage. -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME

Re: [ANNOUNCEMENT] Apache HTTP Server 2.4.3 Released

clear. I realise the release is done but I thought I'd mention it anyway… maybe the same note will go in the next release announcement. -- Tim Bannister – +44 7980408788 – is...@jellybaby.net

Re: utf-8 - punycode for ServerName|Alias?

to differ from the other. How will the new httpd handle this kind of situation? I think what I'd expect is a warning and then for one of them to take precedence and the other to be ignored. -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: mpm-itk and upstream Apache, once again

or a UID mismatch between the previous and current request. -- Tim Bannister - +44 7980408788 - is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: mpm-itk and upstream Apache, once again

to retry in the keepalive-disconnect case, whereas a 500 response usually gets displayed to the user. Very different experiences. I think there's a case for leaving itk separate, a bit like mod_fcgid. It is a bit unusual and troubleshooting won't be straightforward. -- Tim Bannister

Re: Scripting for a windows installer

PowerShell used here. I think httpd contributors are more likely to know / learn PowerShell than alternatives like WSH. -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: utf-8 - punycode for ServerName|Alias?

. As a user: I already have a configuration file with a UTF-8 ServerAlias defined, that's just waiting for httpd to implement this feature … and until then, I have the punycoded version in there as well. -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: A push for 2.4.2

crypto driver error: %s instead? -- Tim Bannister – is...@jellybaby.net

Re: TRACE still enabled by default

enabled. I think TRACE is more like ICMP echo than tcp/7 echo. If a distribution wants to ship a default configuration that disables TRACE, isn't that enough? The issue is naïve / lazy server admins, and almost all of those will install httpd from a distribution. -- Tim Bannister

Re: TRACE still enabled by default

sent from the reverse proxy to the end-point. The same may apply to Via: … and in both cases the answer may be to disable or restrict the TRACE method. But isn't this more a documentation issue than an argument for changing the compiled-in default? -- Tim Bannister – is...@jellybaby.net

[Bug 52860] Support Transfer-Encoding: gzip

? https://issues.apache.org/bugzilla/show_bug.cgi?id=52860 -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: [proposed] remove docs/1.3/

Gone status? The red block would contain an error message after all. -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: [proposed] remove docs/1.3/

think the first one is worthwhile and the second one is not worth the extra effort. -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: [proposed] remove docs/1.3/

and admins who can't or won't upgrade. Taking the documents offline altogether is a bit strong … and it won't persuade those laggards to upgrade. Anyone who hasn't upgraded yet is going to take a lot more persuasion. -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME

Re: Include strangeness

, that's really great. -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: [VOTE] Release Apache httpd 2.4.0

On 16 Jan 2012, at 22:31, Stefan Fritsch wrote: On Monday 16 January 2012, Tim Bannister wrote: $ ./configure --with-included-apr … Configuring Apache Portable Runtime library ... configuring package in srclib/apr now /bin/sh: /home/isoma/src/httpd-2.4.0/srclib/apr/configure: No such file

Re: documenting -deps

and ways to deal with it? -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: [VOTE] Release Apache httpd 2.4.0

, but for a release my understanding is that APR should be bundled with httpd and “just work” with that command line. With httpd 2.2.21 the same command line completes I as expected. -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: [VOTE] Release Apache httpd 2.4.0

as they stand. -- Tim Bannister – is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: [VOTE] Release Apache httpd 2.4.0

to INSTALL and/or README? Finally, I spotted that INSTALL refers to http://httpd.apache.org/docs/2.3/install.html which should perhaps be bumped to 2.4 -- Tim Bannister - +44 7980408788 - is...@jellybaby.net smime.p7s Description: S/MIME cryptographic signature

Re: Proposal: error codes

mentioning these early on in the discussion. -- Tim Bannister – is...@jellybaby.net

Re: Can we be less forgiving about what we accept?

circumstances where mismatch is required / sent by a current client? Some tolerance might be required, for example if the request line specifies a port but the Host: header does not. -- Tim Bannister — is...@jellybaby.net

Re: svn commit: r1163833 - /httpd/httpd/trunk/modules/http/byterange_filter.c

On Wed, Aug 31, 2011 at 6:28 PM, Roy T. Fielding wrote: On Aug 31, 2011, at 6:10 PM, William A. Rowe Jr. wrote: The presumption here is that the client requests bytes=0- to begin the transmission, and provided it sees a 206, restarting somewhere in the stream results in aborting the

Re: Fixing Ranges

single-range response. Naive coding could have the client believe that it is seeing the whole entity rather than just a range. …yes, such a client is badly written but badly written clients can and do exist. If httpd punishes their users unduly, httpd itself may attract some blame. -- Tim

Re: DoS with mod_deflate range requests

. A client that knows about any server-side limit could make multiple requests each with a small number of ranges, but discovering that limit will add latency and take more code. Tim Bannister

Re: DoS with mod_deflate range requests

anyone see why returning 200 for these complex requests (by ignoring Range / If-Range) is a bad idea? -- Tim Bannister – is...@jellybaby.net

Re: DoS with mod_deflate range requests

I wouldn't want to get 416 from requesting a satisfiable but complex range (maliciously or otherwise). Ignoring Range on (ranges = X) is simple to implement and easy to document, so why not do that? -- Tim Bannister – is...@jellybaby.net

Re: DoS with mod_deflate range requests

on whether the document is modified. But it's a pretty odd case. I can't imagine any published client or proxy that would make such a request. It would in any case be acceptable to return a 200 response instead; RFC 2616 states that A server MAY ignore the Range header Tim Bannister

  1   2   >