Re: [Sks-devel] web timeouts even with a proxy
From: Phil Pennock
Subject: Re: [Sks-devel] web timeouts even with a proxy
Date: Fri, 8 Mar 2013 16:04:37 -0500
On 2013-03-08 at 15:03 -0500, Jonathon Weiss wrote:
> initial connection. I surmise that at this point Apache forgets about
> the request, but that the proxied connection is still in sksd's queue.
Does dropping the listen queue to 1 change it? (How does Apache deal
with it when no backend will immediately accept the connection?)
wserver.ml:
----------------------------8< cut here >8------------------------------
let parse_request cin =
  let line = input_line cin in (* DoS attack: input_line is unsafe on sockets *)
----------------------------8< cut here >8------------------------------
That is invoked from accept_connection; while handling arbitrary drops
without a rewrite is an issue for someone who knows as little O'Caml as
me, perhaps we can make the situation _recoverable_, instead of a death
spiral, by having the first thing that parse_request does be a
getpeername() call, and if that fails, then raise an exception that does
not cause attempts to write back to the client?
----------------------------8< cut here >8------------------------------
exception Connection_Lost of string

(* ... *)

let parse_request cin =
  ignore (check_connected cin);
  let line = input_line cin in (* DoS attack: input_line is unsafe on sockets *)
  (* ... *)

let check_connected cin =
  (* use Unix.getpeername and if it fails, raise Connection_Lost *)

(* and change accept_connection to handle Connection_Lost, such that it
 * does *NOT* write anything back, just shuts down
 *)
----------------------------8< cut here >8------------------------------
-Phil
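
The check sketched in the message above, written out as a stand-alone OCaml program. This is an added example, not part of the original post and not SKS code. The bodies of `parse_request` and `handle` (standing in for `accept_connection`), the reply text and the loopback test clients are assumptions made for the demonstration.

```ocaml
(* Added example. Build: ocamlfind ocamlopt -package unix -linkpkg demo.ml -o demo *)
exception Connection_Lost of string

(* Raise Connection_Lost if the kernel no longer has a peer for this socket. *)
let check_connected cin =
  try ignore (Unix.getpeername (Unix.descr_of_in_channel cin))
  with Unix.Unix_error (e, _, _) -> raise (Connection_Lost (Unix.error_message e))

(* Hypothetical stand-in for wserver.ml's parse_request: check first, then read. *)
let parse_request cin = check_connected cin; input_line cin

(* Hypothetical stand-in for accept_connection: on Connection_Lost, write
   nothing back to the client and only release the descriptor. *)
let handle fd =
  let cin = Unix.in_channel_of_descr fd in
  let outcome =
    try
      let line = parse_request cin in
      let reply = "HTTP/1.0 200 OK\r\n\r\n" in
      ignore (Unix.write_substring fd reply 0 (String.length reply));
      "served: " ^ String.trim line
    with
    | Connection_Lost why -> "dropped without reply: " ^ why
    | End_of_file | Sys_error _ | Unix.Unix_error _ -> "peer went away mid-request"
  in
  close_in_noerr cin; outcome

(* Constructed loopback demo: one client aborts with a reset, one sends a request. *)
let () =
  Sys.set_signal Sys.sigpipe Sys.Signal_ignore;
  let srv = Unix.socket Unix.PF_INET Unix.SOCK_STREAM 0 in
  Unix.bind srv (Unix.ADDR_INET (Unix.inet_addr_loopback, 0));
  Unix.listen srv 1;
  let addr = Unix.getsockname srv and req = "GET / HTTP/1.0\r\n" in
  let run abort =
    let c = Unix.socket Unix.PF_INET Unix.SOCK_STREAM 0 in
    Unix.connect c addr;
    if abort then begin
      Unix.setsockopt_optint c Unix.SO_LINGER (Some 0); (* close now sends RST *)
      Unix.close c
    end else ignore (Unix.write_substring c req 0 (String.length req));
    Unix.sleepf 0.1; (* let the reset or the request reach the listener *)
    let outcome =
      match Unix.select [srv] [] [] 1.0 with
      | [], _, _ -> "connection never reached accept"
      | _ -> (try handle (fst (Unix.accept srv))
              with Unix.Unix_error (e, _, _) -> "accept failed: " ^ Unix.error_message e)
    in
    Printf.printf "abort=%b -> %s\n" abort outcome;
    if not abort then Unix.close c
  in
  List.iter run [true; false]
```

How an aborted connection surfaces (at `accept`, at `getpeername`, or only at the first read) depends on the operating system, which is why the demo reports each outcome instead of assuming one. A peer that closed cleanly or is merely slow still passes `getpeername`, so the `input_line` read remains the blocking point for those clients.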