Posted to modules-dev@httpd.apache.org by Robert Schulze <rs...@bytecamp.net> on 2009/08/28 16:06:03 UTC

correct hook function after accepting connection

Hi,

is there a hook for dealing with connections *before* any http data is 
read? The reason for this todo would be dropping connections from hosts 
without ever reading the request - keeping slowloris in mind.

With kind regards,

Robert Schulze

-- 
/7\ bytecamp GmbH
Geschwister-Scholl-Str. 10, 14776 Brandenburg a.d. Havel
HRB15752, Amtsgericht Potsdam, Managing Directors:
Bjoern Barnekow, Frank Rosenbaum, Sirko Zidlewitz
tel +49 3381 79637-0 weekdays 10-12, 13-17 h, fax +49 3381 79637-20
mail rs@bytecamp.net, web http://bytecamp.net/

Re: correct hook function after accepting connection

Posted by Eric Covener <co...@gmail.com>.
On Fri, Aug 28, 2009 at 10:06 AM, Robert Schulze<rs...@bytecamp.net> wrote:
> Hi,
>
> is there a hook for dealing with connections *before* any http data is read?
> The reason for this todo would be dropping connections from hosts without
> ever reading the request - keeping slowloris in mind.

ap_hook_pre_connection() is a RUN_ALL.

(not really pre_connection of course, that'd be some feat!)

-- 
Eric Covener
covener@gmail.com

Re: correct hook function after accepting connection

Posted by Robert Schulze <rs...@bytecamp.net>.
Hi,

Sorin Manolache wrote:
> 
> You have a choice among these:
> 
> pre_connection(conn_rec *, void *)
> process_connection(conn_rec *)
> 
> If return != OK && != DECLINED => connection is not processed.
> 

thanks a lot.


Robert Schulze

RE: correct hook function after accepting connection

Posted by "Houser, Rick" <Ho...@aoins.com>.
> However, I would suggest that connections are better dropped at
> IP-level (by firewall rules/iptables) or by using

I agree for blocking access, however a module that was to add something
like a per-IP connection-rate or simultaneous connection limit could be
a nice gem for the toolbox, too :).


Thanks,

Rick Houser
Auto-Owners Insurance
Systems Support
 

> -----Original Message-----
> From: Sorin Manolache [mailto:sorinm@gmail.com] 
> Sent: Friday, August 28, 2009 10:34 AM
> To: modules-dev@httpd.apache.org
> Subject: Re: correct hook function after accepting connection
> 
> On Fri, Aug 28, 2009 at 16:06, Robert Schulze<rs...@bytecamp.net> wrote:
> > Hi,
> >
> > is there a hook for dealing with connections *before* any http data is read?
> > The reason for this todo would be dropping connections from hosts without
> > ever reading the request - keeping slowloris in mind.
> >
> > With kind regards,
> >
> > Robert Schulze
> >
> 
> You have a choice among these:
> 
> pre_connection(conn_rec *, void *)
> process_connection(conn_rec *)
> 
> If return != OK && != DECLINED => connection is not processed.
> 
> However, I would suggest that connections are better dropped at
> IP-level (by firewall rules/iptables) or by using
> 
> Order allow,deny
> Allow from all
> Deny from the_ips_you_want_to_reject
> 
> Regards,
> S
> 
> -- 
> A: Because it reverses the logical flow of conversation.
> Q: Why is top-posting frowned upon?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?
> 
> 


Re: correct hook function after accepting connection

Posted by Sorin Manolache <so...@gmail.com>.
On Fri, Aug 28, 2009 at 16:06, Robert Schulze<rs...@bytecamp.net> wrote:
> Hi,
>
> is there a hook for dealing with connections *before* any http data is read?
> The reason for this todo would be dropping connections from hosts without
> ever reading the request - keeping slowloris in mind.
>
> With kind regards,
>
> Robert Schulze
>

You have a choice among these:

pre_connection(conn_rec *, void *)
process_connection(conn_rec *)

If return != OK && != DECLINED => connection is not processed.

However, I would suggest that connections are better dropped at
IP-level (by firewall rules/iptables) or by using

Order allow,deny
Allow from all
Deny from the_ips_you_want_to_reject

Regards,
S

-- 
A: Because it reverses the logical flow of conversation.
Q: Why is top-posting frowned upon?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
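
Added example, not from any poster in this thread and not httpd code: the decision logic for the per-IP simultaneous connection limit mentioned above, returning a value under the rule quoted in the thread (anything other than OK or DECLINED means the connection is not processed). It is plain C with no httpd headers; the status constants are local stand-ins, and `limit_on_connect`, `limit_on_close`, `MAX_PER_IP` and `MAX_TRACKED` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
/* Local stand-ins for the status codes named in the thread (assumed values). */
#define HOOK_DECLINED (-1)
#define HOOK_REFUSE    1   /* constructed: neither OK nor DECLINED */
#define MAX_TRACKED   64   /* hypothetical table size */
#define MAX_PER_IP     3   /* hypothetical per-address limit */
/* One counter per client address; not thread-safe, a real module needs locking. */
struct ip_slot { char ip[46]; int open; };
static struct ip_slot table[MAX_TRACKED];

/* Return the live slot for ip, or (if create) a free slot claimed for it. */
static struct ip_slot *slot_for(const char *ip, int create)
{
    struct ip_slot *free_slot = NULL;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (table[i].open > 0 && strcmp(table[i].ip, ip) == 0)
            return &table[i];
        if (table[i].open == 0 && free_slot == NULL)
            free_slot = &table[i];
    }
    if (!create || free_slot == NULL)
        return NULL;
    snprintf(free_slot->ip, sizeof free_slot->ip, "%s", ip);
    return free_slot;
}

/* Value a pre_connection hook would return for a new connection from ip. */
int limit_on_connect(const char *ip)
{
    struct ip_slot *s = slot_for(ip, 1);
    if (s == NULL || s->open >= MAX_PER_IP)
        return HOOK_REFUSE;   /* table full or over limit: not processed */
    s->open++;
    return HOOK_DECLINED;     /* within limit: processing continues */
}

/* Call once when a counted connection ends (refused ones were never counted). */
void limit_on_close(const char *ip)
{
    struct ip_slot *s = slot_for(ip, 0);
    if (s != NULL) s->open--;
}

int main(void)
{
    for (int i = 0; i < 5; i++)   /* constructed input: 5 connections, one address */
        printf("192.0.2.10 #%d -> %d\n", i + 1, limit_on_connect("192.0.2.10"));
}
```

Wiring this into httpd (registering the hook, calling `limit_on_close` when a connection ends, sharing the table across worker processes) is outside what the thread covers.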