2010/6/11 Dave Engberg <[email protected]>

>
> No, we only use HTTP Transport.  For anything on the public Internet, this
> is the only way to go ... it also gives you lots of extra advantages like
> client firewall support, hardware load balancing, SSL "for free", etc.  When
> we were adopting Thrift three years ago, I did some synthetic load tests to
> compare the overhead of THttpClient transport versus direct binary
> transport.  If the HTTP stack supports proper HTTP Keep-Alive, the overhead
> was negligible (under 20%).  Unfortunately, several languages don't do
> proper keep-alive in their HTTP libraries by default, so your mileage may
> vary drastically.
>

So I take it you put your Thrift server behind Apache or similar and then
just proxy the requests to the actual Thrift HTTP servers (so you can let
Apache take care of the SSL bit and then use regular HTTP internally)?



> We mitigate against Thrift-related denial of services through a mix of
> measures that should (hopefully) make a Thrift protocol attack less fruitful
> than other attacks.  (I.e. so that Thrift isn't the weakest link.)
> For example, we use maxSkipDepth() to avoid bogus sequences of nested
> structures:
>
> http://svn.apache.org/viewvc/incubator/thrift/trunk/lib/java/src/org/apache/thrift/protocol/TProtocolUtil.java?revision=760189&view=co
> And we determine the total incoming message length via the HTTP
> Content-Length header to reject big messages before parsing, and use this as
> a limit to TBinaryProtocol.setReadLength() to automatically reject bogus
> object length/size fields:
>
> http://svn.apache.org/viewvc/incubator/thrift/trunk/lib/java/src/org/apache/thrift/protocol/TBinaryProtocol.java?view=co


OK, thanks. Those are valuable tips.


>
> Our use of Thrift is obviously a bit unusual compared to most folks using
> it for internal server-server communications, but we have millions of
> distinct client machines talking Thrift to Evernote every month, so I can
> vouch that it works.
>

And as a happy (paying) Evernote customer who uses Evernote on all my
machines, Android and iPhone, I can tell you that it works brilliantly :-)

-Bjørn
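
The three checks described in the quoted message (a Content-Length cap, a read budget that rejects bogus length/size fields, and a nesting-depth limit while skipping), modeled as an added example that is not part of the thread and is not Thrift library code. Assumptions: the names `BoundedReader` and `check_request`, the limit values, and a request body holding a bare binary-protocol struct with no message header; charging every byte and every container count against the budget is this example's own choice.

```python
import struct

STOP, STRING, STRUCT, MAP, SET, LIST = 0, 11, 12, 13, 14, 15  # Thrift binary type ids
FIXED = {2: 1, 3: 1, 4: 8, 6: 2, 8: 4, 10: 8}  # bool, byte, double, i16, i32, i64
MAX_BODY = 1 << 20   # assumed Content-Length cap
MAX_DEPTH = 16       # assumed nesting limit
GOOD = b"\x0b\x00\x01\x00\x00\x00\x02hi\x00"  # constructed sample: struct {1: "hi"}

class BoundedReader:
    def __init__(self, data, budget):
        self.data, self.pos, self.budget = data, 0, budget

    def take(self, n):
        # Charge every read against what Content-Length promised.
        if n < 0 or n > self.budget or self.pos + n > len(self.data):
            raise ValueError(f"length {n} exceeds remaining budget")
        self.budget -= n
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def i32(self):
        return struct.unpack(">i", self.take(4))[0]
    def skip(self, ttype, depth=0):
        if depth > MAX_DEPTH:
            raise ValueError("nesting too deep")
        if ttype in FIXED:
            self.take(FIXED[ttype])
        elif ttype == STRING:
            self.take(self.i32())
        elif ttype == STRUCT:
            while (ftype := self.take(1)[0]) != STOP:
                self.take(2)  # field id
                self.skip(ftype, depth + 1)
        elif ttype in (LIST, SET, MAP):
            types = [self.take(1)[0] for _ in range(2 if ttype == MAP else 1)]
            count = self.i32()
            if count < 0 or count > self.budget:  # each element needs >= 1 byte
                raise ValueError(f"container size {count} exceeds remaining budget")
            for _ in range(count):
                for t in types:
                    self.skip(t, depth + 1)
        else:
            raise ValueError(f"unknown type {ttype}")

def check_request(content_length, body):
    if content_length is None or not 0 < content_length <= MAX_BODY:
        return "rejected: bad Content-Length"
    try:
        BoundedReader(body[:content_length], content_length).skip(STRUCT)
    except ValueError as e:
        return f"rejected: {e}"
    return "ok"
```

The walk rejects a declared size as soon as it exceeds the bytes the request actually carries, so no buffer is ever allocated from an attacker-chosen length.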
