André,

On 7/12/13 4:16 AM, André Warnier wrote:
> Harsimranjit singh Kler wrote:
>> Using Tomcat 6. I am always confused by
>>
>> connectionTimeout
>>
>> The number of milliseconds this *Connector* will wait, after
>> accepting a connection, for the request URI line to be presented.
>> The default value is 60000 (i.e. 60 seconds).
>>
>> Helpful if anyone can explain.
>>
>> Is there any connector parameter where I can set a request
>> timeout? Rather than an application-level timeout, I want Tomcat
>> to time out after a certain period if a request is taking a long time.
>>
>
> The Connectors are "shared" by all Hosts and all applications. So
> the connectionTimeout is already global for all requests that come
> in on the corresponding Connector port.
>
> This parameter is there specifically to fight one type of
> Denial-Of-Service attack, whereby some malicious client(s) create a
> TCP connection to the server (which has the effect of reserving
> some resources on the server for handling this connection), and
> then just sit there without sending any HTTP request on that
> connection. By making this delay shorter, you shorten the time
> during which the server resources are allocated, to serve a request
> that will never come. This has to be balanced against legitimate
> clients which may be slow in sending the request line. But 60
> seconds is a really long time to wait for such legitimate client
> requests nowadays. You can probably lower that to 5000 (= 5 s.)
> without any ill effect on the legitimate clients.

FWIW, it's trivial to change a TCP-connect attack to a Slowloris
attack[1], which Tomcat cannot really mitigate very well.

[1] http://en.wikipedia.org/wiki/Slowloris

> Note that as soon as the HTTP request line has been received, this
> timeout plays no role anymore. So it is not usable to limit the
> time that an application requires to process and respond to the
> request. As far as I know, there is no standard parameter
> available in Tomcat to do that. Which is also rather
> understandable, because Tomcat has no idea what kind of delay makes
> sense for any particular application with any particular request
> parameters. Only you would know that, on a call-by-call basis.

Try looking at "socket.soTimeout" if using the NIO implementation.
There doesn't seem to be a reason why the blocking-connector couldn't
also specify the read timeout, but I don't see an option for that
connector.

-chris
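
An added example, not part of the thread and not Tomcat's own code: a small Python audit that reads a server.xml and reports each Connector's effective connectionTimeout, using the 60000 ms default and the 5000 ms suggestion quoted above. The sample XML, its ports, and the function name `audit_connectors` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_MS = 60000    # default quoted in the thread for Tomcat 6
THRESHOLD_MS = 5000   # value suggested in the thread; tune per deployment

# Constructed sample server.xml (not taken from the thread).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8081" protocol="HTTP/1.1" connectionTimeout="5000"/>
    <Connector port="8082" protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000" socket.soTimeout="5000"/>
    <Connector port="8083" protocol="HTTP/1.1" connectionTimeout="-1"/>
  </Service>
</Server>
"""

def audit_connectors(server_xml, threshold_ms=THRESHOLD_MS):
    """Return one finding per <Connector> with its effective timeout."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        raw = conn.get("connectionTimeout")
        # A missing attribute means the connector runs with the default.
        timeout = int(raw) if raw is not None else DEFAULT_MS
        if timeout <= 0:
            # Tomcat documents -1 as "no timeout"; treating 0 the same
            # way is an assumption made here.
            verdict = "no-timeout"
        elif timeout > threshold_ms:
            verdict = "too-long"
        else:
            verdict = "ok"
        findings.append({
            "port": conn.get("port"),
            "explicit": raw is not None,
            "timeout_ms": timeout,
            # Reported only; its interaction with connectionTimeout
            # is not modelled by this script.
            "so_timeout": conn.get("socket.soTimeout"),
            "verdict": verdict,
        })
    return findings

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

As the thread notes, this timeout only covers the wait for the request line, so an "ok" verdict says nothing about slow request bodies or long-running application code.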
