Integrate apache mod reqtimeout use if requested #388
Conversation
…fault request timeouts in order to help foil slowloris-style attacks where all workers and resources are gradually depleted by attacker or busy-idling clients of other sorts. Matches modern Debian/Ubuntu and RHEL/Rocky Apache installation defaults, but requires explicit enabling until further tested.
jonasbardino
added this to the
Python3 support for general research data sites milestone
| enable_jupyter=False, | ||
| enable_cloud=False, | ||
| enable_hsts=True, | ||
| enable_reqtimeout=False, |
There was a problem hiding this comment.
I think we should consider naming this 'enable_http_reqtimeout' or 'enable_apache_reqtimeout' to keep the namespace open for other types of 'reqtimeout' options ?
There was a problem hiding this comment.
Thanks for reviewing.
I did in fact start out with an apache_ prefix here and on the mod_evasive PR #389 but dropped it again looking at how enable_wsgi, enable_hsts, enable_openid, etc. are very similar for other Apache modules. I agree that it is perhaps ambiguous and to general here - although one could cheekily say the same about enable_quota ;-)
Perhaps we should again call this what it does rather than what it uses for the purpose? E.g. enable_slowloris_guard.
The same decision will be relevant for the QoS module addition we talked about off-list, btw.
Integrate apache mod reqtimeout use if requested to enable various default request timeouts in order to help foil slowloris-style attacks where all workers and resources are gradually depleted by attacker or busy-idling clients of other sorts. Matches modern Debian/Ubuntu and RHEL/Rocky Apache installation defaults, but requires explicit enabling until further tested.