Re: [mod-security-users] Retry-After header not being set?
From: Jamie B. <ja...@ib...> - 2022-02-18 16:04:21
You can't achieve simple URL specific rate limiting with iptables. I am
not trying to thwart DoS attacks - you do not understand my use case.
-----Original Message-----
From: Reindl Harald <h.r...@th...>
Sent: 18 February 2022 15:14
To: mod...@li...
Subject: Re: [mod-security-users] Retry-After header not being set?
On 18.02.22 at 10:27, Jamie Burchell wrote:
> Hi Reindl
>
>> your expectation is simply wrong
>> when you use a PHP script for error-pages the default response is 200
>> because you override the error
>
> This is not true. I have the ErrorDocument for a 429 set to a very
> basic PHP page which outputs the unique request ID for diagnostic
> purposes and the response code is 429, not 200. The PHP script does
> not do anything else.
>
> Further, headers I am setting in Apache are in that same response:
>
> Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
> X-UA-Compatible: IE=edge
> X-Content-Type-Options: nosniff
> X-XSS-Protection: 1; mode=block
> ...
>
> If I add Header always set Retry-After "10" in the virtual host block,
> that header is in the response for all requests (including those
> handled by PHP) and for 200 and 429 responses.
>
> The part that seems not to work is the condition based on the
> environment variable in combination with processing the PHP file

anyways, ratelimits in the webserver are pretty pointless; iptables
xt_recent with DROP is the solution
especially with small bursts, because it doesn't break clients which hit the
limit by accident - the TCP layer can't decide between drop and packet
loss
so it's a short "hang" for a client behind a shared IP instead of random
errors, and load is completely taken away from the webserver
have fun with application-processed ratelimits under real load where you
need them most
ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 2 reap hit_count: 150 name: all side: source mask: 255.255.255.255
           all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: all side: source mask: 255.255.255.255
_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
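Added example, not code from either poster nor from the ModSecurity or Apache projects: a shell script that turns the quoted xt_recent listing back into the iptables commands that produce it, and prints an Apache fragment for the 429 ErrorDocument plus Retry-After case Jamie describes. The names are assumptions for illustration: the environment variable RATELIMITED, the error script path /errors/429.php, and the chain being INPUT; the Retry-After value 10, the 2-second window and the hit count of 150 are the ones on the page. The Apache part also encodes one thing worth checking in Jamie's setup: when an ErrorDocument is served through an internal redirect to a script, Apache passes the original request's environment variables to the redirected request under a REDIRECT_ prefix, so a `Header ... env=` condition evaluated on the error response may only match the REDIRECT_ name.

```shell
#!/bin/sh
# Added example, not code from the thread. Re-creates the xt_recent rate
# limit shown in the quoted iptables listing as commands, and prints an
# Apache fragment for a 429 ErrorDocument that carries Retry-After.
# Hypothetical names: env var RATELIMITED, error script /errors/429.php.
set -eu

IPTABLES=${IPTABLES:-iptables}   # IPTABLES=echo gives a dry run
WINDOW=${WINDOW:-2}              # seconds, as in the listing
HITCOUNT=${HITCOUNT:-150}        # new-flow packets per source in WINDOW

# The three INPUT rules from the listing. Order matters: the conntrack
# ACCEPT comes first, so only the first packet of each new flow is counted
# against the source address; established traffic is never throttled.
# Note that this counts every new flow from an address on every port, not
# just HTTP, and all clients behind one NAT share the budget.
ratelimit_rules() {
    $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # DROP once the source exceeds HITCOUNT new packets in the last WINDOW
    # seconds. --update refreshes the entry's timestamp on every hit and
    # --reap discards timestamps older than WINDOW before counting.
    # If this rule is rejected with "hitcount ... larger than packets to be
    # remembered", the xt_recent module caps per-source history at its
    # ip_pkt_list_tot parameter (default 20): reload the module with
    # ip_pkt_list_tot set to at least HITCOUNT and add the rule again.
    $IPTABLES -A INPUT -m recent --name all --rsource \
        --update --seconds "$WINDOW" --hitcount "$HITCOUNT" --reap -j DROP
    # No target: just record the packet and fall through to later rules.
    $IPTABLES -A INPUT -m recent --name all --rsource --set
}

# Apache side. ModSecurity is assumed to answer the limited request with
# status:429 and setenv:RATELIMITED=1 (that rule is not shown here).
# An ErrorDocument pointing at a script is served through an internal
# redirect, and Apache hands the original request's variables to the
# redirected request with a REDIRECT_ prefix, so the header condition is
# checked under both names.
apache_fragment() {
    cat <<'EOF'
ErrorDocument 429 /errors/429.php
Header always set Retry-After "10" env=RATELIMITED
Header always set Retry-After "10" env=REDIRECT_RATELIMITED
EOF
}

case "${1:-}" in
    apply)   ratelimit_rules ;;
    dry-run) IPTABLES=echo; ratelimit_rules ;;
    apache)  apache_fragment ;;
esac
```

`sh ratelimit.sh dry-run` prints the three commands without touching the firewall; `apply` adds them to INPUT, and `apache` prints the fragment to paste into the virtual host. To confirm which variable actually reaches the error page, have the 429 PHP script dump `$_SERVER` once: with mod_php or FPM behind mod_proxy_fcgi the redirected request's environment shows up there, and `REDIRECT_RATELIMITED` appearing without `RATELIMITED` is the sign that the env= condition needs the prefixed name.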