Re: how to block the duplicated requests?
David kerber wrote: On 5/19/2015 8:09 AM, javalishixml wrote: Just understood you. Really appreciate for your feedback. How do we judge it's a robot? item1: we find the request IP is always the same one. item2: our page may contains several keep-alive connections. But the attack connection only focus on connection. Based on these 2 items, we think the client is a robot. I think maybe putting these 2 items together to consider it as a robot is a bit complex. Let's do it from the simple point. If we alway find there is a same IP request our website the same url for many times, can I block this request at httpd level? Yes, it's easy to block a request from a specific IP address. You can do it either with httpd, or further upstream at your firewall. I don't use httpd, so can't help you with the specific instructions on how to do it, but I know it's not difficult. See here : http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow Also maybe read this : http://en.wikipedia.org/wiki/CAPTCHA Thanks, At 2015-05-19 20:01:00, David kerber dcker...@verizon.net wrote: On 5/19/2015 7:53 AM, javalishixml wrote: I doubt you're going to be able to do this in httpd, unless you have a very simple, straight forward way of identifying the robots. Yes. I just want to have a way to block the duplicated requests at httpd level. After all, my website has to face the the big concurrency issue. I understand that's what you want. What we're telling you is that you probably won't be able to do that. Let me ask the question again, that Chris asked before: how do you tell that a given request is from a robot? The answer to that question will determine if you can block it with httpd. At 2015-05-19 19:35:26, David kerber dcker...@verizon.net wrote: On 5/19/2015 1:03 AM, javalishixml wrote: Thanks a lot for your information. This solution is based on tomcat level. If I always handle this issue at java level, I'm afraid it has performance issue. Because this web site afford a very big concurrency access. Taking a consideration on its basic architect tomcat+apache, I think the best way to move this solution from tomcat to apache. So do you have some good solution at apache's configuration? I understand this is a mail list for tomcat.. but just want to get any information I doubt you're going to be able to do this in httpd, unless you have a very simple, straight forward way of identifying the robots. Thanks, At 2015-05-19 04:00:28, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 To whom it may concern, On 5/18/15 11:44 AM, javalishixml wrote: I have a website. It is built by apache + tomcat. Now we make a lottery activity at this website. But we find that some robots always raise the duplicated requests to hit this lottery activity. It causes that robots almost get all the awards. So we just want to block these kind of duplicated requests at every interval unit. For example, we set the interval unit is 3 seconds. The if the robot want to hit the lottery activity in 3 seconds, the website could block this action. So how to do it? I suppose if we do it at tomcat level, is it a very low performance? Can I do it at apache level? how to do it? If I could not do it apache level, can I do it by setting sth at tomcat? If you have a way to identify a duplicate request (e.g. using a fingerprint of the request that you can check during that 3-second interval), then this is conceptually very easy. It may not be great for performance, but you'll have to weigh that against your own requirements. (For example, which is worse: poor performance, or a site where only robots ever win the lottery?) This will not be something you can configure in Apache httpd or Tomcat. This will have to be an application thing (unless you can describe the fingerprint technique to some httpd module such as mod_security or mod_qos and then allow it to discard duplicates). Back to the solution: 1. Take a fingerprint of the request 2. Lookup the fingerprint in a database of previous requests ( fingerprint - latest timestamp ) 3. If the fingerprint appears in your database and the timestamp is less than 3 seconds ago, discard the request 4. Otherwise, store the current timestamp and fingerprint in the databas e For a database, I might recommend something like memcached or another in-memory-style database. An in-memory key-value store is really what you are looking for. Memcached has a nice feature where values can automatically time-out (e.g. they are invalid after 3 seconds), so you can make your application code a bit simpler because you'll never have a value in the database that is not valid. Hope that helps, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVWkTcAAoJEBzwKT+lPKRYnW0QAIeRbfJtsTKtUZHUig9sIRre
Re: how to convert https to http by using mod_jk
chenk818 wrote: Hi Warnier: Thank you for your reply??I always thought there was AJPs,now I understood?? but there's another question: In configuration 7, if the backend tomcat provide both http and https,which protocal will be used?Is it determined by httpd's protocol? Take a look at the standard Tomcat server.xml configuration file. There are 3 Connector defined there (2 are commented-out). Each of these Connectors accepts connections (and requests) for one protocol. It is the client which chooses to which port (Connector) it connects. In a configuration like browser - HTTP - Apache httpd + mod_jk - AJP - Tomcat AJP Connector - Tomcat webapp the Tomcat client is Apache httpd + mod_jk. It is thus Apache httpd + mod_jk which chooses to which port of Tomcat it connects (by default, 8009), and which protocol it uses (in this case, always AJP). (Look at the settings for mod_jk, in Apache). In a configuration like browser - HTTP/HTTPS - Apache httpd + mod_proxy_ajp - AJP - Tomcat AJP Connector - Tomcat webapp the Tomcat client is Apache httpd + mod_proxy_ajp. It is thus Apache httpd + mod_proxy_ajp which chooses to which port of Tomcat it connects (by default, 8009), and which protocol it uses (in this case also, always AJP). (Look at the settings for mod_proxy_ajp, in Apache). Imagine this analogy : There is a company in Germany which makes motorbikes and sells them to clients in the whole world. The factory is in Germany, and there are the workers making the motorbikes. The workers speak only German. For international clients to call, there are 3 telephone numbers : - on telephone number 8080, there is a lady speaking English and German - on telephone number 8443, there is a lady speaking Chinese and German - on telephone number 8009, there is a lady speaking Italian and German Each of these ladies can take a call in the language that she knows, and translate the customer wishes to German, for the factory workers. If a Chinese client calls on number 8009, the lady there will not understand what he says, and he will get no motorbike. But if he calls the number 8443, the lady will understand him; she will relay his order properly to the factory, in German; and the client will get his motorbike. The factory is Tomcat; the factory workers are the webapps; the ladies are the Connector's; the Connector ladies translate the customer calls from their language (HTTP, HTTPS or AJP) into a HttpServletRequest that the webapps understand. The factory workers do not need to speak English (HTTP), Chinese (HTTPS) or Italian (AJP), because they always get the requests in German (HttpServletRequest), as translated by the appropriate Connector. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat7's welcome-file-list seems not to work fine on my server
?? wrote: Here is my env: Server version: Apache Tomcat/7.0.47 Server built: Oct 18 2013 01:07:38 Server number: 7.0.47.0 OS Name:Linux OS Version: 2.6.32-358.el6.x86_64 Architecture: amd64 JVM Version:1.6.0_20-b02 JVM Vendor: Sun Microsystems Inc. The problem: my application layout: root root, or ROOT ? (case matters) |-/WEB-INF/web.xml |-/WEB-INF/classes |-/bar/index.jsp |-/META-INF |-/index.jsp and In $CATALINA_BASE/conf/web.xml, a welcome-file-list was defined as: welcome-file-list welcome-fileindex.html/welcome-file welcome-fileindex.htm/welcome-file welcome-fileindex.jsp/welcome-file /welcome-file-list I didn't mapping any servlet on the /bar. So when I request http://127.0.0.1:8080/bar, it was mapped to the default servlet, and get a 302 response.() Like this: #curl 127.0.0.1:8080/bar -v * About to connect() to 127.0.0.1 port 8080 (#0) * Trying 127.0.0.1... connected * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) GET /bar HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Host: 127.0.0.1:8080 Accept: */* HTTP/1.1 302 Found Server: Apache-Coyote/1.1 Location: http://127.0.0.1:8080/bar/ Transfer-Encoding: chunked Date: Tue, 30 Sep 2014 07:27:19 GMT * Connection #0 to host 127.0.0.1 left intact * Closing connection #0 But when I further make a request to the http://127.0.0.1:8080/bar/ . A 404 was responsed, like #curl 127.0.0.1:8080/bar/ -v * About to connect() to 127.0.0.1 port 8080 (#0) * Trying 127.0.0.1... connected * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) GET /bar/ HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Host: 127.0.0.1:8080 Accept: */* HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 949 Date: Tue, 30 Sep 2014 07:27:22 GMT * Connection #0 to host 127.0.0.1 left intact * Closing connection #0 I suggest that the /bar/index.jsp should be responsed for the welcome file mechanism. But why i get a 404? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Tomcat bug 53814 - PDF plugin in IE cannot download correctly
Mark Thomas wrote: On 16/10/2012 18:54, David Wall wrote: By the way, the web.xml change we made was suggested in the bug report and seems to resolve it for our IE site visitors. Glad to head that disabling support for range requests works. That seems like a reasonable short-term workaround until someone experiencing this error contacts Adobe. This is not exactly the same issue, but I thought I'd share this. Just to give one an idea of what one is up against (and maybe also the difference between open-source and not-open-source) I found this while searching Google for things related to : Adobe Reader plugin +Range +boundary. http://forums.iis.net/p/1161071/1986957.aspx Summary : - an issue between IIS 7.5 and Adobe Reader plugin, related to byteranges, made it impossible to retrieve PDFs - first reported on Sep 21 2009 - it took MS until Dec 12 2009 (2 months) to come up with an explanation that the problem was in the Adobe plugin - MS hotfix released March 21 2010 (6 months later), in which they apparently acknowledge that the problem was theirs after all (http://support.microsoft.com/kb/979543) - as far as I can tell Adobe never did anything And here is another similar issue on an Adobe forum: http://forums.adobe.com/thread/948331?start=0tstart=0 - first reported Jan 12 2012 - fix released by Adobe on April 26 2012 (3.5 months later), after strong pressure from some very large organisations (e.g., Citibank) And I'll note that the present thread was opened yesterday, and at least a workaround was provided the same day. And the original bug #53814 took 3 days to be tackled. I wouldn't raise my hopes too high about Adobe ever fixing the underlying bug in the plugin though. It seems it is not only the banks that should be broken up before they get too big to fail. I would suggest that one also includes large dominant software companies. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org