From 58cce203309386128c01b2e4efdeea51490942a76bd519ae61e4e06dfa650c27 Mon Sep 17 00:00:00 2001
From: Roman Drahtmueller
Date: Sat, 21 Jan 2012 12:57:30 +0000
Subject: [PATCH] - enable mod_reqtimeout by default via APACHE_MODULES in /etc/sysconfig/apache2, configuration /etc/apache2/mod_reqtimeout.conf . Of course, the existing configuration remains unchanged.
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=354
---
 apache2-mod_reqtimeout.conf | 29 +++++++++++++++++++++++++++++
 apache2.changes | 8 ++++++++
 apache2.spec | 1 +
 sysconfig.apache2 | 2 +-
 4 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 apache2-mod_reqtimeout.conf
diff --git a/apache2-mod_reqtimeout.conf b/apache2-mod_reqtimeout.conf
new file mode 100644
index 0000000..728516b
--- /dev/null
+++ b/apache2-mod_reqtimeout.conf
@@ -0,0 +1,29 @@
+#
+# Set timeout and minimum data rate for receiving requests to limit
+# the effects of denial of service attacks that connect, but let the
+# server wait for the completion of the request, thereby allocating
+# resources. The most commonly name for this attack method is
+# slowloris.
+#
+# mod_reqtimeout.c must be loaded.
+#
+# see https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
+# or /usr/share/apache2/manual/mod/mod_reqtimeout.html.en
+#
+# Note:
+# the RequestReadTimeout directive can also be placed into a
+# virtual host context.
+#
+# Play around with variations of the below values if you are
+# under attack from slowloris or a similar tool.
+
+
+ # allow 10s timeout for the headers and allow 1s more until 20s upon
+ # receipt of 1000 bytes.
+ # almost the same with the body, except that it is tricky to
+ # limit the request timeout within the body at all - it may take
+ # time to generate the body.
+ RequestReadTimeout header=10-20,MinRate=1000 body=20,MinRate=1000
+
+
+
diff --git a/apache2.changes b/apache2.changes
index e13c514..6d37cd2 100644
--- a/apache2.changes
+++ b/apache2.changes
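Review bot: In the new apache2-mod_reqtimeout.conf, `body=20,MinRate=1000` carries no upper bound, unlike `header=10-20`, so the comment's "almost the same with the body" hides that the body read has no maximum duration as long as data keeps arriving at the minimum rate. The comment should say so, e.g. `# body: 20s initial timeout, extended by 1s per 1000 bytes received, no upper limit`. The default module list in this same patch also loads ssl, and per the mod_reqtimeout documentation the header timeout on SSL virtual hosts includes the handshake time, so `header=10-20` may cut off slow but legitimate clients; a one-line caveat next to the directive would help administrators who tune it lower. The bare `+` lines around the indented block look like markup lost from the page (presumably an `<IfModule>` wrapper), so the guard around the directive cannot be checked here.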
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Sat Jan 21 13:54:01 CET 2012 - draht@suse.de
+
+- enable mod_reqtimeout by default via APACHE_MODULES in
+ /etc/sysconfig/apache2, configuration
+ /etc/apache2/mod_reqtimeout.conf .
+ Of course, the existing configuration remains unchanged.
+
 -------------------------------------------------------------------
 Sat Dec 10 10:34:26 CET 2011 - meissner@suse.de
diff --git a/apache2.spec b/apache2.spec
index df51ddf..4d7d897 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -121,6 +121,7 @@ Source110: apache2-mod_userdir.conf
 Source111: apache2-server-tuning.conf
 Source113: apache2-ssl-global.conf
 Source114: apache2-mod_usertrack.conf
+Source115: apache2-mod_reqtimeout.conf
 Source130: apache2-vhost.template
 Source131: apache2-vhost-ssl.template
 Source140: apache2-check_forensic
diff --git a/sysconfig.apache2 b/sysconfig.apache2
index dadb865..46149e5 100644
--- a/sysconfig.apache2
+++ b/sysconfig.apache2
@@ -72,7 +72,7 @@ APACHE_CONF_INCLUDE_DIRS=""
 # apache's default installation
 # APACHE_MODULES="authz_host actions alias asis auth autoindex cgi dir imap include log_config mime negotiation setenvif status userdir"
 # your settings
-APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5"
+APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5 reqtimeout"
 ## Type: string
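Review bot: `Source115: apache2-mod_reqtimeout.conf` is the only line this commit adds to apache2.spec (the diffstat shows `apache2.spec | 1 +`), so nothing visible here installs the file as /etc/apache2/mod_reqtimeout.conf or lists it in %files. Unless the %install section, which lies outside this hunk, picks up the mod_*.conf sources by pattern, the module would be loaded without the RequestReadTimeout directive this patch is meant to ship. Confirm that the file lands in the built package, for example with `rpm -qlp` on the resulting RPM.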
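Review bot: The `APACHE_MODULES` change in sysconfig.apache2 only alters the shipped default, and the changelog itself states that existing configuration remains unchanged, so upgraded hosts keep their old module list and stay without the request-read timeouts. The comment above the variable (or the changelog entry) should tell administrators how to opt in, e.g. `# existing installations: run "a2enmod reqtimeout" and restart apache2`. The comment block this variable belongs to starts outside the hunk.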