Proper handling of slow-loris mitigation. #33440
Labels: http (Issues or PRs related to the http subsystem.)
nodejs-github-bot pushed a commit that referenced this issue, Apr 13, 2022:
PR-URL: #41263
Fixes: #33440
Reviewed-By: Matteo Collina
Reviewed-By: Robert Nagy
Reviewed-By: James M Snell
Reviewed-By: Darshan Sen
Is your feature request related to a problem? Please describe.
Bug Regression in idle socket handling #24980 may be prevented for all timeout settings, if slow-loris mitigation (eb43bc0) was done properly, and client was notified about server.headersTimeout expiration by closing or discarding the socket.
Describe the solution you'd like
Currently the timeout is passive, i.e., resolved on next event (which may be minutes later, depending on configuration). I propose active timeout event instead, i.e., closing/discarding the connection on timeout expiration. That would send RST or FIN packet to the client and it would also free the resources allocated to the connection.
Describe alternatives you've considered
Are there any? In fact, in rare circumstances the client may ask at the exact time the timeout expires, leading to the current behaviour. This is not ideal, but various rare networking and server errors would have comparable probability, thus proper documentation should be sufficient here.
Also, I have not tested that ELB would react properly to this solution. But the current behaviour is misleading to many IT engineers, as the timeout does not manifest itself immediately; rather, it appears as a bug in the server/application implementation.
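
The difference between the passive check described in this issue and the proposed active one, as an added example that is not part of the original issue and not Node.js's own code. `HeaderDeadlines`, its methods, `closedAt`, the 60 s deadline, the 1 s sweep interval and the event timeline are all constructed for illustration.

```javascript
// Added example: passive vs. active enforcement of a header-read deadline.
// All names and values here are hypothetical, not Node.js APIs.
class HeaderDeadlines {
  constructor(timeoutMs, active) {
    this.timeoutMs = timeoutMs;
    this.active = active;
    this.pending = new Map(); // socket -> { start, buf }
  }
  // Call when a connection is accepted.
  add(socket, now) {
    this.pending.set(socket, { start: now, buf: '' });
  }
  // Passive check: the deadline is only examined when the client sends data.
  onData(socket, chunk, now) {
    const st = this.pending.get(socket);
    if (!st) return 'untracked';
    if (now - st.start > this.timeoutMs) return this.expire(socket);
    st.buf += chunk;
    if (!st.buf.includes('\r\n\r\n')) return 'waiting';
    this.pending.delete(socket); // headers arrived in time
    return 'headers-complete';
  }
  // Active check: run from a timer, e.g. setInterval(() => t.sweep(Date.now()), 1000).
  sweep(now) {
    if (!this.active) return 0;
    let closed = 0;
    for (const [socket, st] of this.pending) {
      if (now - st.start > this.timeoutMs) { this.expire(socket); closed++; }
    }
    return closed;
  }
  expire(socket) {
    this.pending.delete(socket);
    socket.destroy(); // on a real net.Socket this closes the connection and frees it
    return 'timed-out';
  }
}

// Constructed timeline: a client sends one header line, stalls, writes again at 300 s.
function closedAt(active) {
  const tracker = new HeaderDeadlines(60000, active);
  let destroyedAt = null, now = 0;
  const socket = { destroy() { destroyedAt = now; } }; // stub standing in for net.Socket
  tracker.add(socket, now);
  const events = [[1000, 'GET / HTTP/1.1\r\n'], [300000, 'Host: example.test\r\n\r\n']];
  for (now = 0; now <= 300000; now += 1000) {
    tracker.sweep(now);
    for (const [t, chunk] of events) if (t === now) tracker.onData(socket, chunk, now);
  }
  return destroyedAt; // simulated ms at which the stalled connection was closed
}
```

With the passive check the stalled connection holds its slot until the client's next write; with the sweep it is closed on the first tick after the deadline.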