[GitHub] [nifi] exceptionfactory commented on pull request #4972: NIFI-7912 - Added a Denial of Service filter wrapper called NiFiDoSFi…
exceptionfactory commented on pull request #4972: URL: https://github.com/apache/nifi/pull/4972#issuecomment-814876578 > @thenatog Thanks for the review changes! > @exceptionfactory I have no more comments, +1 from my side too. Thanks for the confirmation @turcsanyip! Merging. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on pull request #4972: NIFI-7912 - Added a Denial of Service filter wrapper called NiFiDoSFi…
exceptionfactory commented on pull request #4972: URL: https://github.com/apache/nifi/pull/4972#issuecomment-814520389 Thanks for making the documentation updates @thenatog! With these changes, I am +1. Do you have any additional feedback @turcsanyip? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on pull request #4972: NIFI-7912 - Added a Denial of Service filter wrapper called NiFiDoSFi…
exceptionfactory commented on pull request #4972: URL: https://github.com/apache/nifi/pull/4972#issuecomment-814106145 > I agree that the IP whitelisting is more representative of how the DoS should work rather than excluding the S2S paths. Testing this out it seems like the whitelist is only applied to the request rate tracking, as the timeout method onRequestTimeout() doesn't seem to call checkWhitelist(), confirmed by docs http://archive.eclipse.org/jetty/8.0.0.M1/apidocs/org/eclipse/jetty/servlets/DoSFilter.html That's a good point about `DoSFilter.onRequestTimeout()` still enforcing the maximum value as configured using the `maxRequestMs`. With the addition of the new property `nifi-web.request.timeout` and one more property to exclude IP addresses or subnets from rate limiting, it seems like that should provide sufficient ability to configure the filter. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org