Jesse,

On 1/13/15 6:29 PM, Jesse Barnum wrote:
> I need the ability to examine the POST data from a request,
> examine it, and either respond to it or close the connection
> without returning any result, not even a 200 OK status.
> 
> The reason for this is because I’m getting overwhelmed with
> thousands of invalid requests per second, which are racking up
> bandwidth fees. The requests can’t be traced to an IP address, so I
> can’t just block them in a firewall or Apache - I need to actually
> use logic in my Tomcat app to figure out which requests to respond
> to.
> 
> Is there a way to force Tomcat to just drop the connection and
> close the socket without sending a response?

You can't close the stream from your code; Tomcat will ignore it, do a
response flush, and return a 200 response anyway.

I'm curious, what's wrong with an empty 200 response? It's only a
couple of bytes, but I suppose if you are getting millions per hour,
you could still incur bandwidth costs...

You might be able to do this with a Valve, but then you might have
problems with your web application needing to provide the logic to
determine whether or not to accept the request.

When you say "can't be traced to an IP address" do you mean that you
are seeing invalid requests coming from all over the place, or that
the requests don't include a source IP address (which seems fishy)?

A few options that might achieve your goal without using the technique
you describe:

1. Use client authentication; unauthorized clients can't even handshake
   Downsides: SSL overhead

2. Use a VPN (which essentially uses client authentication)
   Downsides: VPNs really, really suck

3. (As Mark E suggests) Use mod_security with httpd
   I know this will seriously separate your business logic from your
web application, but perhaps there is a simple set of criteria that
might eliminate a significant portion of the requests, thus solving
the problem "well enough"

-chris
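
Option 1 above (client authentication) as a connector configuration. This is an added example, not part of the original message or of Tomcat's shipped configuration. It assumes a Tomcat 7/8.0-style JSSE connector in conf/server.xml; the port, file paths and passwords are placeholders.

```xml
<!-- Added example. Use ONE of the two connectors, not both: they share a port.
     Paths, passwords and the port number are placeholders (assumptions). -->

<!-- Before: server-only TLS. Any client completes the handshake and can
     send a full POST, which the application must then read and answer. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="conf/server.p12" keystoreType="PKCS12"
           keystorePass="CHANGE_ME"
           clientAuth="false" />

<!-- After: clientAuth="true" makes a client certificate mandatory.
     A client that cannot present a certificate chaining to a CA in the
     truststore fails TLS negotiation, so its request never reaches the
     web application and no HTTP response (not even a 200) is sent.
     clientAuth="want" would only request a certificate and still let
     anonymous clients through, so it does not help here. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="conf/server.p12" keystoreType="PKCS12"
           keystorePass="CHANGE_ME"
           truststoreFile="conf/client-ca.p12" truststoreType="PKCS12"
           truststorePass="CHANGE_ME"
           clientAuth="true" />
```

On Tomcat 8.5 and later the same setting is expressed as certificateVerification="required" on an SSLHostConfig element nested inside the Connector. The truststore should hold only the CA that issues your own client certificates, not a general public CA bundle.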
