Maybe better shown with a PHP script, without the need to enter anything; my input / output to both server types and the php-cli script are below.
Both httpd and trafficserver are vulnerable in different ways;
if both projects could combine their behavior that would be great,
so I send this message also to httpd-dev.
httpd "wins" in case of a request sending "GET / HTTP/1.1" and
nothing more; Trafficserver waits "transaction_no_activity_timeout_in",
while only connecting is better suited by "accept_no_activity_timeout".
"transaction_no_activity_timeout_in" has IMHO a bug and should *not*
close the connection while waiting for the response of the origin
server, which makes it impossible to set it lower than 60 seconds
without damaging web applications, like uploading a zip archive with
images, unpacking and importing them into a gallery, as an example.
_____________________________________
httpd 2.4.4: RequestReadTimeout "header=10-15,MinRate=500"
[harry@srv-rhsoft:~/Desktop]$ ./http-timeout.php localhost
localhost
test with request: 10 seconds
test without request: 41 seconds
_____________________________________
trafficserver 3.2.4: http.transaction_no_activity_timeout_in INT 60
[harry@srv-rhsoft:~/Desktop]$ ./http-timeout.php proxy
proxy
test with request: 60 seconds
test without request: 3 seconds
_____________________________________
[harry@srv-rhsoft:~/Desktop]$ cat http-timeout.php
#!/usr/bin/php
<?php
// target host from the command line, default localhost
if (!empty($argv[1]))
{
    $host = $argv[1];
}
else
{
    $host = 'localhost';
}
$errno = 0;
$errstr = '';
echo $host . "\n";

// test 1: send only a request line (no terminating blank line)
// and measure how long the server keeps the connection open
echo "test with request: ";
flush();
$start = time();
$fp = fsockopen($host, 80, $errno, $errstr, 180);
if (!$fp)
{
    die("connect failed: $errstr ($errno)\n");
}
fwrite($fp, "GET / HTTP/1.1\n");
while (!feof($fp))
{
    $buffer = fgets($fp, 128);
}
fclose($fp);
echo (time() - $start) . " seconds\n";
flush();

// test 2: connect and send nothing at all
echo "test without request: ";
flush();
$start = time();
$fp = fsockopen($host, 80, $errno, $errstr, 180);
if (!$fp)
{
    die("connect failed: $errstr ($errno)\n");
}
while (!feof($fp))
{
    $buffer = fgets($fp, 128);
}
fclose($fp);
echo (time() - $start) . " seconds\n";
flush();
?>
On 11.05.2013 15:08, Reindl Harald wrote:
> Hi
>
> http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
> I am missing such an option for Trafficserver;
> this would mitigate a lot of Slowloris-like DOS attacks
>
> <IfModule mod_reqtimeout.c>
> RequestReadTimeout "header=10-15,MinRate=500"
> </IfModule>
> ____________________________________________________
>
> the same request as below is terminated by httpd after 10 seconds
> while Trafficserver waits "no_activity_timeout" to close it
>
> CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 60
>
> is in no way comparable, because if you lower this to 10 seconds
> you kill any request targeted to a longer running PHP script on
> the origin server, which happens application- and load-dependent
>
> httpd does not even terminate the following script with
> "Timeout 30" and "RequestReadTimeout" with setting above
>
> <?php
> sleep(90);
> echo 'TEST';
> ?>
> ____________________________________________________
>
> [harry@srv-rhsoft:~/Desktop]$ ./timeout.sh
> Sa 11. Mai 14:50:43 CEST 2013
> Trying 10.0.0.4...
> Connected to proxy.
> Escape character is '^]'.
> GET / HTTP/1.1
> Connection closed by foreign host.
> Sa 11. Mai 14:51:46 CEST 2013
>
> [harry@srv-rhsoft:~/Desktop]$ ./timeout.sh
> Sa 11. Mai 15:00:37 CEST 2013
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET / HTTP/1.1
> HTTP/1.1 408 Request Timeout
> Server: Apache
> Content-Length: 545
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> Connection closed by foreign host.
> Sa 11. Mai 15:00:48 CEST 2013
> ____________________________________________________
>
> that is the test script;
> after calling it, simply paste "GET / HTTP/1.1" into the telnet
> session, press enter and look how long the timeout takes
>
> [harry@srv-rhsoft:~/Desktop]$ cat timeout.sh
> #!/bin/bash
> date
> telnet localhost 80
> date
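The point of the mail is that one no-activity value cannot serve three different phases of a connection: connected but silent, request headers still arriving, and request complete while the origin is still working. The following model is an added illustration (not code from httpd, Traffic Server or the mail author): it replays constructed client/origin events against a per-phase timeout policy and reports when the connection would be closed. The header phase follows the documented mod_reqtimeout "header=10-15,MinRate=500" rule (one extra second per 500 bytes received, capped at 15 s); the 10 s accept value and the 120 s origin wait in the split policy are assumed values, and the single-value policy reproduces the proxy behaviour reported above (60 s with a partial request, 3 s with none).

```python
import math
from dataclasses import dataclass

# Constructed model (not code from httpd, Traffic Server or the mail author)
# of a front-end's per-connection timeouts, split into the three phases the
# mail distinguishes. All times are seconds since the connection was accepted.


@dataclass(frozen=True)
class TimeoutPolicy:
    accept_no_activity: float  # seconds a connection may stay open with zero bytes received
    header_base: float         # seconds allowed for request line + headers once bytes arrive
    header_max: float          # hard cap on the header phase, whatever the client sends
    min_rate: float            # every min_rate bytes received extend the header deadline by 1 s
    origin_timeout: float      # seconds to wait for the origin once the request is complete

    def header_deadline(self, t_first_byte, bytes_received):
        # mod_reqtimeout "header=base-max,MinRate=rate" semantics: the deadline
        # grows by one second per `rate` bytes, but never past `max`.
        extension = bytes_received / self.min_rate
        return t_first_byte + min(self.header_base + extension, self.header_max)


def _deadline(policy, phase, bytes_received, t_first_byte, t_headers_done):
    if phase == "accepted":
        return policy.accept_no_activity
    if phase == "headers":
        return policy.header_deadline(t_first_byte, bytes_received)
    return t_headers_done + policy.origin_timeout


def simulate(policy, events):
    """Replay chronological (t, kind, n) events against a policy.

    kind is one of "bytes" (n request bytes arrived from the client),
    "headers_done" (blank line ended the headers) or "origin_done"
    (origin server answered). Returns (time, outcome) where outcome is
    "served" or "closed while <phase>", time being the expired deadline.
    """
    phase, bytes_received, t_first_byte, t_headers_done = "accepted", 0, 0.0, 0.0
    for t, kind, n in events:
        deadline = _deadline(policy, phase, bytes_received, t_first_byte, t_headers_done)
        if t > deadline:
            return deadline, f"closed while {phase}"
        if kind == "bytes":
            if phase == "accepted":
                phase, t_first_byte = "headers", t
            bytes_received += n
        elif kind == "headers_done":
            phase, t_headers_done = "await_origin", t
        elif kind == "origin_done":
            return t, "served"
    # client and origin went silent: the current phase's deadline decides
    return _deadline(policy, phase, bytes_received, t_first_byte, t_headers_done), f"closed while {phase}"


# Proposed split (assumed values): header phase as in the mail's
# RequestReadTimeout "header=10-15,MinRate=500"; accept 10 s and origin 120 s assumed.
SPLIT_TIMEOUTS = TimeoutPolicy(accept_no_activity=10, header_base=10,
                               header_max=15, min_rate=500, origin_timeout=120)


def single_no_activity(seconds):
    """One value covering header reading and the origin wait, as the mail
    reports for transaction_no_activity_timeout_in; the 3 s accept value
    matches the "test without request" measurement against the proxy."""
    return TimeoutPolicy(accept_no_activity=3, header_base=seconds,
                         header_max=seconds, min_rate=math.inf,
                         origin_timeout=seconds)


# Constructed scenarios
IDLE = []                                                     # connect, send nothing
PARTIAL_REQUEST = [(0.0, "bytes", len(b"GET / HTTP/1.1\n"))]  # request line, no blank line
LEGIT_SLOW_ORIGIN = [(0.0, "bytes", 80), (0.0, "headers_done", 0),
                     (90.0, "origin_done", 0)]                # like the sleep(90) script


def slow_drip(bytes_per_second, seconds):
    """A client that never finishes its headers but keeps trickling bytes."""
    return [(float(t), "bytes", bytes_per_second) for t in range(seconds)]


def report():
    cases = {"idle": IDLE, "partial": PARTIAL_REQUEST,
             "drip 100 B/s": slow_drip(100, 120), "drip 600 B/s": slow_drip(600, 120),
             "sleep(90) origin": LEGIT_SLOW_ORIGIN}
    for name, policy in (("split", SPLIT_TIMEOUTS), ("single 60", single_no_activity(60)),
                         ("single 10", single_no_activity(10))):
        for case, events in cases.items():
            t, outcome = simulate(policy, events)
            print(f"{name:10} {case:18} {t:7.2f}s {outcome}")


if __name__ == "__main__":
    report()
```

Running `report()` shows the trade-off in numbers: with the split policy a silent partial request is dropped after about 10 s, a trickling sender is cut off at 12.6 s (100 B/s) or at the 15 s cap (600 B/s), while the request whose origin takes 90 s is still served. With a single value of 60 s the partial request lives for the full minute, and lowering that single value to 10 s kills the 90 s request in the await_origin phase, which is exactly the damage described above.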
