[Pkg-apache-commits] r1249 - in /trunk/apache2: changelog config-dir/mods-available/reqtimeout.conf

sf at alioth.debian.org
Sun Nov 14 17:58:27 UTC 2010


Author: sf
Date: Sun Nov 14 17:58:26 2010
New Revision: 1249

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1249
Log:
Increase the mod_reqtimeout default timeouts to avoid potential problems
with CRL-requesting browsers.

Modified:
    trunk/apache2/changelog
    trunk/apache2/config-dir/mods-available/reqtimeout.conf

Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1249&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Sun Nov 14 17:58:26 2010
@@ -1,9 +1,11 @@
 apache2 (2.2.16-4) UNRELEASED; urgency=low
 
+  * Increase the mod_reqtimeout default timeouts to avoid potential problems
+    with CRL-requesting browsers. Also extend the comments in reqtimeout.conf.
   * Remove bogus comment in conf.d/security about default in the "release
     after Lenny".
 
- -- Stefan Fritsch <sf at debian.org>  Mon, 08 Nov 2010 21:20:46 +0100
+ -- Stefan Fritsch <sf at debian.org>  Sun, 14 Nov 2010 18:56:05 +0100
 
 apache2 (2.2.16-3) unstable; urgency=high
 
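Review bot: the new changelog entry (the two `+` lines at the top of this hunk) names the change but not the values, which is the one thing an administrator comparing a locally modified reqtimeout.conf against the new default will want to see; suggest stating them, e.g. "Increase the mod_reqtimeout default header timeouts from header=10-20 to header=20-40 to avoid potential problems with CRL-requesting browsers." The rest of the hunk (date bump of the trailer line) is consistent with the entry staying UNRELEASED.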

Modified: trunk/apache2/config-dir/mods-available/reqtimeout.conf
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/config-dir/mods-available/reqtimeout.conf?rev=1249&op=diff
==============================================================================
--- trunk/apache2/config-dir/mods-available/reqtimeout.conf (original)
+++ trunk/apache2/config-dir/mods-available/reqtimeout.conf Sun Nov 14 17:58:26 2010
@@ -1,9 +1,22 @@
 <IfModule reqtimeout_module>
 
-# Wait max 10 seconds for the first byte of the request line+headers
+# mod_reqtimeout limits the time waiting on the client to prevent an
+# attacker from causing a denial of service by opening many connections
+# but not sending requests. This file tries to give a sensible default
+# configuration, but it may be necessary to tune the timeout values to
+# the actual situation. Note that it is also possible to configure
+# mod_reqtimeout per virtual host.
+
+
+# Wait max 20 seconds for the first byte of the request line+headers
 # From then, require a minimum data rate of 500 bytes/s, but don't
-# wait longer than 20 seconds in total.
-RequestReadTimeout header=10-20,minrate=500
+# wait longer than 40 seconds in total.
+# Note: Lower timeouts may make sense on non-ssl virtual hosts but can
+# cause problem with ssl enabled virtual hosts: This timeout includes
+# the time a browser may need to fetch the CRL for the certificate. If
+# the CRL server is not reachable, it may take more than 10 seconds
+# until the browser gives up.
+RequestReadTimeout header=20-40,minrate=500
 
 # Wait max 10 seconds for the first byte of the request body (if any)
 # From then, require a minimum data rate of 500 bytes/s
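Review bot: the "10 seconds" in the CRL note ("it may take more than 10 seconds until the browser gives up") now reads as if it referred to the current setting, although the same hunk raises the initial timeout to 20 seconds; suggest tying it to the old value explicitly, e.g. "it may take more than the previous default of 10 seconds until the browser gives up", so the comment still makes sense to a reader who never saw header=10-20. Two smaller points in the same hunk: "can cause problem with ssl enabled virtual hosts" should be "can cause problems with SSL-enabled virtual hosts", and the two consecutive blank lines added after the introductory comment block could be collapsed to one to match the single blank line used elsewhere in this file. Worth keeping as is: the note that lower values may suit non-SSL virtual hosts together with the remark that mod_reqtimeout can be configured per virtual host, since that is the tuning path for admins who do not want the longer default everywhere.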
