apache2/apache2-mod_reqtimeout.conf
Roman Drahtmueller 58cce20330 - enable mod_reqtimeout by default via APACHE_MODULES in
/etc/sysconfig/apache2, configuration 
  /etc/apache2/mod_reqtimeout.conf .
  Of course, the existing configuration remains unchanged.

OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=354
2012-01-21 12:57:30 +00:00

30 lines
1020 B
Plaintext

#
# Set timeout and minimum data rate for receiving requests to limit
# the effects of denial of service attacks that connect, but let the
# server wait for the completion of the request, thereby allocating
# resources. The most commonly name for this attack method is
# slowloris.
#
# mod_reqtimeout.c must be loaded.
#
# see https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
# or /usr/share/apache2/manual/mod/mod_reqtimeout.html.en
#
# Note:
# the RequestReadTimeout directive can also be placed into a
# virtual host context.
#
# Play around with variations of the below values if you are
# under attack from slowloris or a similar tool.
<IfModule mod_reqtimeout.c>
# allow 10s timeout for the headers and allow 1s more until 20s upon
# receipt of 1000 bytes.
# almost the same with the body, except that it is tricky to
# limit the request timeout within the body at all - it may take
# time to generate the body.
RequestReadTimeout header=10-20,MinRate=1000 body=20,MinRate=1000
</IfModule>