TTLimit directive


TTLimit directive

Donatas Abraitis
Hi,

I would like to propose this patchset, which allows setting a maximum TTL value for incoming requests. This is not a usual use case, but I'm interested (maybe others are too) in having this in place. The real use case would be like this one: http://blog.donatas.net/blog/2017/04/20/http-request-validation/.

TL;DR: if you want to deny requests bypassing the proxy layer (in this case Apache operates as a backend), set TTLimit to 1 and Apache will be able to handle requests coming almost from the local network, because packets with TTL usually come from local networks.


I don't know which place is the right place to put patches, but the original patch is here: https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
https://bz.apache.org/bugzilla/attachment.cgi?id=35048

--
Donatas

Re: TTLimit directive

Nick Kew-3
On Tue, 2017-06-13 at 11:41 +0300, Donatas Abraitis wrote:

> I would like to propose this patchset allowing to set maximum TTL value for incoming requests. This is not a usual use case, but I'm interested (maybe others too) to have this in place. The real use case would be like this one http://blog.donatas.net/blog/2017/04/20/http-request-validation/.

Thanks!  I'm not sure I follow your exact scenario, but it
looks like a modest enhancement at very low cost or risk!

> TL;DR: if you want to deny requests bypassing proxy layer (in this case Apache operates as a backend). Hence set TTLimit to 1 and Apache will be able to handle requests coming almost from the local network, because packets with TTL usually come from local networks.
>
>
> I don't know which place is the right place to put patches, but
> original patch is here:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
> https://bz.apache.org/bugzilla/attachment.cgi?id=35048

That's exactly the right place.

At first glance, patch looks interesting, and I'm minded to
adopt (some version of) it for trunk.  Though I think I'd
default it to 0 (off) rather than your 255.  Any other views?

--
Nick Kew



Re: TTLimit directive

Donatas Abraitis
Hey Nick,

it must be 0, not 255. I updated it in the attached patch 👍

Sent from my iPhone

> On 13 Jun 2017, at 13:52, Nick Kew <[hidden email]> wrote:
>
>> On Tue, 2017-06-13 at 11:41 +0300, Donatas Abraitis wrote:
>>
>> I would like to propose this patchset allowing to set maximum TTL value for incoming requests. This is not a usual use case, but I'm interested (maybe others too) to have this in place. The real use case would be like this one http://blog.donatas.net/blog/2017/04/20/http-request-validation/.
>
> Thanks!  I'm not sure I follow your exact scenario, but it
> looks like a modest enhancement at very low cost or risk!
>
>> TL;DR: if you want to deny requests bypassing proxy layer (in this case Apache operates as a backend). Hence set TTLimit to 1 and Apache will be able to handle requests coming almost from the local network, because packets with TTL usually come from local networks.
>>
>>
>> I don't know which place is the right place to put patches, but
>> original patch is here:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
>> https://bz.apache.org/bugzilla/attachment.cgi?id=35048
>
> That's exactly the right place.
>
> At first glance, patch looks interesting, and I'm minded to
> adopt (some version of) it for trunk.  Though I think I'd
> default it to 0 (off) rather than your 255.  Any other views?
>
> --
> Nick Kew
>
>

Re: TTLimit directive

Donatas Abraitis
Hey Nick,

is anything else missing from me regarding this patch?

On Tue, Jun 13, 2017 at 2:20 PM, Donatas Abraitis <[hidden email]> wrote:
Hey Nick,

it must be 0, not 255. I updated it in patch attached 👍

Sent from my iPhone

> On 13 Jun 2017, at 13:52, Nick Kew <[hidden email]> wrote:
>
>> On Tue, 2017-06-13 at 11:41 +0300, Donatas Abraitis wrote:
>>
>> I would like to propose this patchset allowing to set maximum TTL value for incoming requests. This is not a usual use case, but I'm interested (maybe others too) to have this in place. The real use case would be like this one http://blog.donatas.net/blog/2017/04/20/http-request-validation/.
>
> Thanks!  I'm not sure I follow your exact scenario, but it
> looks like a modest enhancement at very low cost or risk!
>
>> TL;DR: if you want to deny requests bypassing proxy layer (in this case Apache operates as a backend). Hence set TTLimit to 1 and Apache will be able to handle requests coming almost from the local network, because packets with TTL usually come from local networks.
>>
>>
>> I don't know which place is the right place to put patches, but
>> original patch is here:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
>> https://bz.apache.org/bugzilla/attachment.cgi?id=35048
>
> That's exactly the right place.
>
> At first glance, patch looks interesting, and I'm minded to
> adopt (some version of) it for trunk.  Though I think I'd
> default it to 0 (off) rather than your 255.  Any other views?
>
> --
> Nick Kew
>
>



--
Donatas