apache2/apache2-mod_reqtimeout.conf

#
# Set timeout and minimum data rate for receiving requests to limit
# the effects of denial of service attacks that connect, but let the
# server wait for the completion of the request, thereby allocating
# resources. The most commonly name for this attack method is
# slowloris.
#
# mod_reqtimeout.c must be loaded.
#
# see https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
# or /usr/share/apache2/manual/mod/mod_reqtimeout.html.en
#
# Note:
# the RequestReadTimeout directive can also be placed into a
# virtual host context.
#
# Play around with variations of the below values if you are
# under attack from slowloris or a similar tool.

<IfModule mod_reqtimeout.c>
  # allow 10s timeout for the headers and allow 1s more until 20s upon
  # receipt of 1000 bytes.
  # almost the same with the body, except that it is tricky to
  # limit the request timeout within the body at all - it may take
  # time to generate the body.
  RequestReadTimeout header=10-20,MinRate=1000 body=20,MinRate=1000
</IfModule>
- enable mod_reqtimeout by default via APACHE_MODULES in /etc/sysconfig/apache2, configuration /etc/apache2/mod_reqtimeout.conf . Of course, the existing configuration remains unchanged. OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=354 2012-01-21 13:57:30 +01:00			`#`
			`# Set timeout and minimum data rate for receiving requests to limit`
			`# the effects of denial of service attacks that connect, but let the`
			`# server wait for the completion of the request, thereby allocating`
			`# resources. The most commonly name for this attack method is`
			`# slowloris.`
			`#`
			`# mod_reqtimeout.c must be loaded.`
			`#`
Accepting request 252298 from home:pgajdos - ServerSignature=Off and ServerTokens=Prod by request from security team [bnc#716495] - fix documentation links 2.2 -> 2.4 [bnc#888163] (internal) OBS-URL: https://build.opensuse.org/request/show/252298 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=405 2014-09-25 17:29:49 +02:00			`# see https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html`
- enable mod_reqtimeout by default via APACHE_MODULES in /etc/sysconfig/apache2, configuration /etc/apache2/mod_reqtimeout.conf . Of course, the existing configuration remains unchanged. OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=354 2012-01-21 13:57:30 +01:00			`# or /usr/share/apache2/manual/mod/mod_reqtimeout.html.en`
			`#`
			`# Note:`
			`# the RequestReadTimeout directive can also be placed into a`
			`# virtual host context.`
			`#`
			`# Play around with variations of the below values if you are`
			`# under attack from slowloris or a similar tool.`

			`<IfModule mod_reqtimeout.c>`
			`# allow 10s timeout for the headers and allow 1s more until 20s upon`
			`# receipt of 1000 bytes.`
			`# almost the same with the body, except that it is tricky to`
			`# limit the request timeout within the body at all - it may take`
			`# time to generate the body.`
			`RequestReadTimeout header=10-20,MinRate=1000 body=20,MinRate=1000`
			`</IfModule>`