Category: Networks and Security
2012-06-26 15:55:02
> Over the past couple of days I looked into the feasibility of solving the server limit DoS at the Apache level, and the conclusion is that, short of modifying the Apache source code, there is basically no way to solve it.
>
> Below is the detailed analysis; please check whether there are any problems with it:
>
> The code in Apache's server/protocol.c that handles HTTP request headers:
>
> request_rec *ap_read_request(conn_rec *conn)
> {
>     request_rec *r;
>     ...
>     r->status = HTTP_REQUEST_TIME_OUT; /* Until we get a request */
>     ...
>     if (!r->assbackwards) {
>         ap_get_mime_headers_core(r, tmp_bb);
>         if (r->status != HTTP_REQUEST_TIME_OUT) {
>             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>                           "request failed: error reading the headers");
>             ap_send_error_response(r, 0);
>             ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
>             ap_run_log_transaction(r);
>             apr_brigade_destroy(tmp_bb);
>             return r;
>         }
>
> Here the HTTP headers are processed by calling ap_get_mime_headers_core; if the status after processing is no longer the HTTP_REQUEST_TIME_OUT that was set earlier, an error is returned right away. Looking inside ap_get_mime_headers_core:
>
> AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r,
>                                           apr_bucket_brigade *bb)
> {
>     ...
>     apr_size_t fold_len = last_len + len + 1; /* trailing null */
>
>     if (fold_len >= (apr_size_t)(r->server->limit_req_fieldsize)) {
>         r->status = HTTP_BAD_REQUEST;
>
> Here, if the value exceeds limit_req_fieldsize (the core module's LimitRequestFields setting), the status is set to HTTP_BAD_REQUEST.
>
> That is, if the request header coming from the client is too long, an error is returned immediately; no ap_hook function or Apache filter is inserted in between (I tested this with a module that implements a hook and a filter, and that is indeed how it behaves). So an Apache module cannot solve this problem, short of modifying the source code, which is not a good approach either, so we have to look for another way.
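The folding arithmetic the quoted analysis walks through, as an added example that is neither the Apache source nor part of the original mail: a small C model of the per-field limit check, where `limit` stands in for limit_req_fieldsize (LimitRequestFieldSize) and the header block is constructed input. Beyond what the excerpt shows, it assumes that a single over-long line is rejected by the same comparison.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define HTTP_BAD_REQUEST 400

/* Simplified model (not Apache's code) of the per-field size check quoted
 * above from ap_get_mime_headers_core.  `headers` is a CRLF-separated header
 * block; a line starting with SP/HT is an obs-fold continuation that Apache
 * appends to the previous field, so the limit applies to the folded length.
 * `limit` stands in for r->server->limit_req_fieldsize (LimitRequestFieldSize).
 * Returns HTTP_BAD_REQUEST as soon as a field's length + trailing NUL reaches
 * the limit, otherwise 0. */
int check_header_fields(const char *headers, size_t limit)
{
    size_t last_len = 0;            /* bytes in the field assembled so far */
    const char *p = headers;
    while (*p != '\0') {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0)
            break;                  /* empty line: end of the header block */
        if (p != headers && (*p == ' ' || *p == '\t')) {
            /* Continuation: same arithmetic as protocol.c, +1 is the trailing null. */
            size_t fold_len = last_len + len + 1;
            if (fold_len >= limit)
                return HTTP_BAD_REQUEST;
            last_len += len;
        } else {
            /* New field.  The excerpt shows only the fold check; applying the
             * same comparison to a single line is an assumption (see lead-in). */
            if (len + 1 >= limit)
                return HTTP_BAD_REQUEST;
            last_len = len;
        }
        if (eol == NULL)
            break;
        p = eol + 2;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: an 18-byte field plus an 8-byte continuation, limit 20. */
    const char *folded = "X-Test: 0123456789\r\n 0123456\r\n\r\n";
    printf("status=%d\n", check_header_fields(folded, 20));   /* prints status=400 */
    return 0;
}
```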
Description: Limits the size of the HTTP request header allowed from the client
Syntax: LimitRequestFieldSize bytes
Default: LimitRequestFieldSize 8190
Context: server config
Status: Core
Module: core

This directive specifies the number of bytes that will be allowed in an HTTP request header.
The LimitRequestFieldSize directive allows the server administrator to reduce or increase the limit on the allowed size of an HTTP request header field. A server needs this value to be large enough to hold any one header field from a normal client request. The size of a normal request header field will vary greatly among different client implementations, often depending upon the extent to which a user has configured their browser to support detailed content negotiation. SPNEGO authentication headers can be up to 12392 bytes.
This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks.
For example:
LimitRequestFieldSize 4094