Re: [mod-security-users] Retry-After header not being set?
From: Reindl H. <h.r...@th...> - 2022-02-18 15:14:25
Am 18.02.22 um 10:27 schrieb Jamie Burchell:
> Hi Reindl
>
>> your expectation is simply wrong
>> when you use a PHP script for error-pages the default response is 200
>> because you override the error
>
> This is not true. I have the ErrorDocument for a 429 set to a very basic
> PHP page which outputs the unique request ID for diagnostic purposes and
> the response code is 429, not 200. The PHP script does not do anything
> else.
>
> Further, headers I am setting in Apache are in that same response:
>
> Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
> X-UA-Compatible: IE=edge
> X-Content-Type-Options: nosniff
> X-XSS-Protection: 1; mode=block
> ...
>
> If I add Header always set Retry-After "10" in the virtual host block,
> that header is in the response for all requests (including those handled
> by PHP) and for 200 and 429 responses.
>
> The part that seems not to work is the condition based on the environment
> variable in combination with processing the PHP file
anyway, rate limits in the webserver are pretty pointless
iptables xt_recent with DROP is the solution
especially with small bursts because it doesn't break clients which hit
the limit by accident - the TCP layer can't decide between drop and
packet loss
so it's a short "hang" for a client behind a shared IP instead of random
errors and load is completely taken away from the webserver
have fun with application-processed rate limits under real load where you
need them most
ACCEPT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ctstate RELATED,ESTABLISHED
DROP    all  --  *  *  0.0.0.0/0  0.0.0.0/0  recent: UPDATE seconds: 2 reap hit_count: 150 name: all side: source mask: 255.255.255.255
        all  --  *  *  0.0.0.0/0  0.0.0.0/0  recent: SET name: all side: source mask: 255.255.255.255
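The chain listed above, modelled as an added example: this is illustrative Python written for this page, not code from the thread and not the kernel's xt_recent implementation. Packets are constructed (timestamp, source) pairs standing for the packets that get past the ctstate rule, i.e. new connections; the chain policy is assumed to be ACCEPT, and --reap and the per-address ring buffer are simplified. One caveat the listing does not show: xt_recent remembers a bounded number of timestamps per address (the ip_pkt_list_tot module parameter, default 20), and the iptables man page says --hitcount may not exceed it; newer kernels size the table to the hitcount instead. A hit_count of 150 therefore needs either that parameter raised or a kernel that does this, and the model rejects the combination the same way.

```python
"""Simplified model of the xt_recent chain quoted in the message:
  rule 2: -m recent --update --seconds 2 --hitcount 150 --reap -j DROP
  rule 3: -m recent --set            (no target: record the hit, fall through)
Illustrative code for this page, not kernel code."""
from collections import deque


class RecentTable:
    """One xt_recent table: per-source timestamps of recent packets.

    nstamps bounds how many timestamps are kept per address, like the
    ip_pkt_list_tot module parameter (kernel default 20)."""

    def __init__(self, nstamps=20):
        self.nstamps = nstamps
        self.entries = {}  # source -> deque of timestamps, oldest first

    def _record(self, src, now):
        stamps = self.entries.setdefault(src, deque())
        stamps.append(now)
        if len(stamps) > self.nstamps:
            stamps.popleft()  # oldest stamp is overwritten, as in the kernel ring

    def set(self, src, now):
        """--set --rsource: list this source and record a hit."""
        self._record(src, now)

    def update(self, src, now, seconds, hitcount, reap=False):
        """--update --seconds S --hitcount N [--reap]: match when the source is
        listed with at least N hits in the last S seconds. A match also records
        the current packet, so a client that keeps hammering stays matched;
        one that backs off for S seconds is forgotten (reap) and served again."""
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        if reap:
            while stamps and now - stamps[0] > seconds:
                stamps.popleft()
            if not stamps:
                del self.entries[src]
                return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits < hitcount:
            return False
        self._record(src, now)
        return True


def simulate(packets, seconds=2, hitcount=150, nstamps=150):
    """Run new-connection packets through the quoted chain; return verdicts."""
    if hitcount > nstamps:
        # mirrors iptables rejecting --hitcount larger than the stamps remembered
        raise ValueError("hitcount %d exceeds nstamps %d" % (hitcount, nstamps))
    table = RecentTable(nstamps)
    verdicts = []
    for now, src in packets:
        if table.update(src, now, seconds, hitcount, reap=True):
            verdicts.append("DROP")        # rule 2
            continue
        table.set(src, now)                # rule 3, no target
        verdicts.append("ACCEPT")          # assumed chain policy ACCEPT
    return verdicts


def burst(src, start, count, interval):
    """Constructed traffic: `count` packets from `src`, `interval` seconds apart."""
    return [(start + i * interval, src) for i in range(count)]


def demo():
    # 200 new connections in one second from one address: first 150 pass,
    # the remainder are dropped while the burst lasts.
    flood = simulate(burst("203.0.113.7", 0.0, 200, 0.005))
    # The same client backs off; 4 s later its stamps have aged out of the
    # 2-second window, so the "hang" ends and it is served again.
    retry = simulate(burst("203.0.113.7", 0.0, 200, 0.005) + [(4.0, "203.0.113.7")])
    # 149 connections per second from another address never trip the rule.
    legit = simulate(burst("198.51.100.9", 0.0, 149, 0.005))
    return flood, retry, legit


if __name__ == "__main__":
    flood, retry, legit = demo()
    print("flood:", flood.count("ACCEPT"), "accepted,", flood.count("DROP"), "dropped")
    print("after backing off:", retry[-1])
    print("legit drops:", legit.count("DROP"))
```

The point the model makes visible is the one the message relies on: a source that exceeds the hitcount inside the window gets every further packet dropped (and those drops keep its timestamp fresh), while a source that stops sending for the window length is reaped and starts clean, so an accidental burst costs a client a brief stall rather than application-level errors.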