That seems to be the only thing we can do. This indeed
significantly reduces the bandwidth usage on
403-responses. However, we would still like to see a
zero-bandwidth solution. Thanks.
Block port 80 in your firewall. Zero bandwidth.
Joost
-Original Message-
From: dtufs [mailto:[EMAIL PROTECTED]
If current (often outdated) standards do not allow us
to solve everyday issues, then they must be changed
(not adored or worshipped).
Where did I say I adored or worshipped specs? I simply interpreted the specs
for you to
Ok, as I have said before what you want to do can be easily done using
Patch-o-matic. When you have patched your kernel with this patch you can use
a firewall rule which will open and examine the packets before it transmits them
to the applications. This way I have set up a hosting machine and have
--- Boyle Owen [EMAIL PROTECTED] wrote:
Apache is an application
and can only block at the HTTP layer - it can't
interfere with TCP/IP.
That is certainly true, but Apache must be capable of
closing a connection -- that seems to be an elementary
operation for a web server (and possibly also
-Original Message-
From: dtufs [mailto:[EMAIL PROTECTED]
Sent: Monday, 20 June 2005 11:48
To: users@httpd.apache.org
Subject: RE: [EMAIL PROTECTED] How to close connection instead of sending
403?
--- Boyle Owen [EMAIL PROTECTED] wrote:
Apache is an application
and can
I'm not sure apache can do that but I have one linux
box set up as a firewall,
patched with patch-o-matic and I do what you
want with iptables.
Thanks for the reply. I'm not sure I understand it
correctly, but this sounds like you are using the IP
addresses as the basis for the ban.
Have you tried mod_security? - http://www.modsecurity.org/
I've not tried to do anything like this before with it, but it might
help. Worth a look...
regards
Rich.
dtufs wrote:
I'm not sure apache can do that but I have one linux
box set up as a firewall,
patched with patch-o-matic and I do
--- Rich [EMAIL PROTECTED] wrote:
Have you tried mod_security? -
http://www.modsecurity.org/
Thanks Rich. It certainly is an interesting module,
however, it does not seem to be capable of closing a
connection (it only supports the 'deny' action, which
normally is just 403).
No, it won't let you kill the connection, but it probably WILL allow you
to detect the conditions that would lead you to want to kill the
connection. Once you know this, you can configure it to prevent
further communication with the client (not actually killing the
connection, but the
Once you know this, you can configure it to
prevent further communication with the client
(not actually killing the connection, but the
effect will be the same - the client will give up).
Unfortunately, the client will not give up. The
result will be that our (very expensive) bandwidth
--- Rich [EMAIL PROTECTED] wrote:
You can configure mod_security so that it will not
respond at all - i.e. -
it will just leave the client hanging waiting for a
response (which it
will never get). Much like a 'silent' firewall.
As I said, not ideal (the connection is still live),
but at
Yes, I see where you're coming from...
Actually, thinking further, you CAN set up mod_security so that it drops
the connection - for example, I have this as a default action in my
mod_security setup...
SecFilterDefaultAction deny,log,status:403,system:/usr/local/pft/add_httpd_block %s
The
--- Rich [EMAIL PROTECTED] wrote:
The 'add_httpd_block' script is something I wrote
myself to drop the connection and block the IP for
a while.
But how do you block it? 403 is possible, but not what
we want. Firewall is possible, but our hosting
provider doesn't allow us to configure it