author | Stefan Fritsch <sf@debian.org> | 2010-11-14 17:58:26 +0000 |
---|---|---|
committer | Stefan Fritsch <sf@sfritsch.de> | 2012-01-02 10:37:10 +0100 |
commit | 172585ed8a8f6c5b164a2b9aed4cdfc8783fe57b (patch) | |
tree | 80f4427d0f323c462c84c20bd1ec02c1bb909aa4 | |
parent | 00492bf07b92b4d5e6edfd74c945f1256da6e879 (diff) | |
download | apache2-172585ed8a8f6c5b164a2b9aed4cdfc8783fe57b.tar.gz |
Increase the mod_reqtimeout default timeouts to avoid potential problems
with CRL-requesting browsers.
git-svn-id: svn+ssh://svn.debian.org/svn/pkg-apache/trunk/apache2@1249 01b336ce-410b-0410-9a02-a0e7f243c266
-rw-r--r-- | debian/changelog | 4 | ||||
-rw-r--r-- | debian/config-dir/mods-available/reqtimeout.conf | 19 |
2 files changed, 19 insertions, 4 deletions
diff --git a/debian/changelog b/debian/changelog index f19de343..4fd18c58 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,11 @@ apache2 (2.2.16-4) UNRELEASED; urgency=low + * Increase the mod_reqtimeout default timeouts to avoid potential problems + with CRL-requesting browsers. Also extend the comments in reqtimeout.conf. * Remove bogus comment in conf.d/security about default in the "release after Lenny". - -- Stefan Fritsch <sf@debian.org> Mon, 08 Nov 2010 21:20:46 +0100 + -- Stefan Fritsch <sf@debian.org> Sun, 14 Nov 2010 18:56:05 +0100 apache2 (2.2.16-3) unstable; urgency=high diff --git a/debian/config-dir/mods-available/reqtimeout.conf b/debian/config-dir/mods-available/reqtimeout.conf index 5620d62c..615e81ed 100644 --- a/debian/config-dir/mods-available/reqtimeout.conf +++ b/debian/config-dir/mods-available/reqtimeout.conf 
@@ -1,9 +1,22 @@ <IfModule reqtimeout_module> -# Wait max 10 seconds for the first byte of the request line+headers +# mod_reqtimeout limits the time waiting on the client to prevent an +# attacker from causing a denial of service by opening many connections +# but not sending requests. This file tries to give a sensible default +# configuration, but it may be necessary to tune the timeout values to +# the actual situation. Note that it is also possible to configure +# mod_reqtimeout per virtual host. + + +# Wait max 20 seconds for the first byte of the request line+headers # From then, require a minimum data rate of 500 bytes/s, but don't -# wait longer than 20 seconds in total. -RequestReadTimeout header=10-20,minrate=500 +# wait longer than 40 seconds in total. +# Note: Lower timeouts may make sense on non-ssl virtual hosts but can +# cause problem with ssl enabled virtual hosts: This timeout includes +# the time a browser may need to fetch the CRL for the certificate. If +# the CRL server is not reachable, it may take more than 10 seconds +# until the browser gives up. +RequestReadTimeout header=20-40,minrate=500 # Wait max 10 seconds for the first byte of the request body (if any) # From then, require a minimum data rate of 500 bytes/s |
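Review bot: in the reqtimeout.conf hunk, the new comment says lower timeouts may make sense on non-ssl virtual hosts and that mod_reqtimeout can be configured per virtual host, yet `RequestReadTimeout header=20-40,minrate=500` is still set once for every host. Plain-HTTP hosts therefore also let a silent connection sit twice as long before the first header byte is required (20 seconds instead of 10, and 40 seconds in total instead of 20), which is the exact resource the first comment paragraph says the module protects. Consider stating in the comment that installations without SSL virtual hosts can keep `header=10-20,minrate=500`, or adding that per-virtual-host override as a commented-out line so the tighter value stays discoverable. The comment justifies the change only with "it may take more than 10 seconds until the browser gives up"; a short note on why 20 seconds was chosen would help whoever tunes this next. Minor wording: "can cause problem with ssl enabled virtual hosts" should read "can cause problems with SSL-enabled virtual hosts".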