[AOLSERVER] TIP: configuring "maxinput" for nsopenssl

Tue, 08 Jun 2004 18:10:32 -0700 

In recent versions of AOLserver 4.0, there's a new config parameter for
socket drivers (nssock, nsopenssl) called "maxinput" that limits the
size of the HTTP request, defaulting to 1,024,000 bytes.  For most
sites, this may be a suitable default to prevent resource-starvation
style Denial of Service attacks.  However, if your application allows
for large HTTP requests (such as file uploads that exceed 1MB in size),
you will need to crank the knob on the "maxinput" parameter suitably
high for your needs.

For nssock, this is pretty straightforward:

    ns_section "ns/server/${servername}/module/nssock"
    ns_param   maxinput              [expr 1024 * 1024 * 100]

This would set "maxinput" to 100MB.  However, if you're using nsopenssl,
you may think that a similar config section like this should work:

    ns_section "ns/server/${servername}/module/nsopenssl"
    ns_param   maxinput              [expr 1024 * 1024 * 100]

But, it doesn't!  (Ross Simpson and I found this out the hard way, with
two hours of much gnarly debugging and head-scratching.)  So, how DO you
set "maxinput" for nsopenssl?

Well, nsopenssl has a "ssldrivers" config section, that might look like
the following:

    ns_section "ns/server/${servername}/module/nsopenssl/ssldrivers"
    ns_param example   "an example server"

That defines the ssldriver named "example".  You set parameters for it
(like you do for nssock) in this config section:

    ns_section "ns/server/${servername}/module/nsopenssl/ssldriver/example"
    ns_param   sslcontext            example_ctx
    ns_param   port                  443
    # ... etc ...

    ns_param   maxinput              [expr 1024 * 1024 * 100]

Yes, you define parameters like "maxinput" and "recvwait" and other
socket-related settings in THIS section!  Yes, this is where those
settings belong.


Interesting bug: in at least nsopenssl (and perhaps nssock), if maxinput
is reached, the server seems to sleep or simply spin, instead of
returnign some kind of error ("400 Bad Request / request exceeds
maxinput" or somesuch).  So, the diagnostic behavior is if you're
uploading a large file that exceeds maxinput, the browser just appears
to be still sending the file and it never finishes (until "recvwait"
seconds elapse, I believe).

-- Dossy

--
Dossy Shiobara                       mail: [EMAIL PROTECTED]
Panoptic Computer Network             web: http://www.panoptic.com/
  "He realized the fastest way to change is to laugh at your own
    folly -- then you can let go and quickly move on." (p. 70)


--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of 
your email blank.

Reply via email to