Jesse,

On 1/15/15 5:06 PM, Jesse Barnum wrote:
>> On Jan 14, 2015, at 12:29 AM, Konstantin Kolinko
>> <knst.koli...@gmail.com> wrote:
>>
>> 2015-01-14 6:28 GMT+03:00 Christopher Schultz
>>> Jesse,
>>>
>>> On 1/13/15 6:29 PM, Jesse Barnum wrote:
>>>> I need the ability to examine the POST data from a request,
>>>> examine it, and either respond to it or close the connection
>>>> without returning any result, not even a 200 OK status.
>>>>
>>>> The reason for this is because I’m getting overwhelmed with
>>>> thousands of invalid requests per second, which are racking
>>>> up bandwidth fees. The requests can’t be traced to an IP
>>>> address, so I can’t just block them in a firewall or Apache -
>>>> I need to actually use logic in my Tomcat app to figure out
>>>> which requests to respond to.
>>>>
>>>> Is there a way to force Tomcat to just drop the connection
>>>> and close the socket without sending a response?
>>>
>>> You can't close the stream from your code, Tomcat will ignore
>>> it, so a response flush, and return a 200 response anyway.
>>>
>>> I'm curious, what's wrong with an empty 200 response? It's only
>>> a couple of bytes, but I suppose if you are getting millions
>>> per hour, you could still incur bandwidth costs...
>>
>> response.setHeader("Connection", "close") will cause Tomcat to
>> close the connection (i.e. do not use keep-alive that is default
>> for HTTP/1.1 requests).
>>
>> Response body may be empty but by default the response includes
>> HTTP status code and reason phrase and some headers. Is that too
>> much?
>>
>>> You might be able to do this with a Valve, but then you might
>>> have problems with your web application needing to provide the
>>> logic to determine whether or not to accept the request.
>>
>> It can be implemented in two tiers:
>>
>> a) an application sets an attribute on request or uses some
>> specific status code on the response.
>>
>> b) a valve detects presence of the attribute or status code and
>> closes the connection.
>>
>> You have not mentioned your version of Tomcat.
>>
>> For a pointer, note the following enum value in the source code
>> (available in the current 7.0.x, 8.0.x):
>>
>> org.apache.coyote.ErrorState.CLOSE_NOW
>>
>> org.apache.coyote.ErrorState.isIoAllowed()
>>
>> Best regards, Konstantin Kolinko
>
> Thank you very much for all the help. After reading all of these
> responses, I concluded that it was not that bad to just return an
> empty response, especially by using mod_header to set the server and
> date headers to empty value.
>
> I forgot to mention - I’m running Tomcat 7.052 with an Apache 2.2
> front-end. I have a feeling that even if I did implement the Valve
> trick, Apache would still return some response to the user (likely
> an error 500 or 503 that the AJP connector had failed to respond),
> so returning a very small response from Tomcat is actually probably
> less outbound bandwidth.

You might want to look into mod_evasive.

-chris
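
A sketch of the two-tier approach described in the thread, added here as an illustration; it is not code from any poster or from the Tomcat project. The class name and the request attribute name are hypothetical. It assumes a Tomcat 7.0.x/8.0.x build that has `ErrorState.CLOSE_NOW` and the matching `org.apache.coyote.ActionCode.CLOSE_NOW` hook, and a client talking directly to Tomcat's HTTP connector (behind an AJP front-end the proxy still answers the client, as noted in the thread).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.coyote.ActionCode;

/**
 * Tier (b): drops the connection without writing a response when the
 * web application (tier a) has flagged the request as unwanted.
 *
 * Tier (a), inside a servlet or filter after inspecting the POST data:
 *     request.setAttribute(DropConnectionValve.DROP_ATTRIBUTE, Boolean.TRUE);
 *     return; // write nothing to the response
 */
public class DropConnectionValve extends ValveBase {

    // Hypothetical attribute name agreed between the webapp and this valve.
    public static final String DROP_ATTRIBUTE = "example.dropConnection";

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Let the application read the request body and make its decision.
        getNext().invoke(request, response);

        // Only Boolean.TRUE triggers a drop; a missing or malformed
        // attribute leaves normal response handling untouched.
        if (!Boolean.TRUE.equals(request.getAttribute(DROP_ATTRIBUTE))) {
            return;
        }

        if (response.isCommitted()) {
            // The status line and headers are already on the wire; the
            // close below still ends the connection, but bytes were sent.
            containerLog.warn("Drop requested after response was committed");
        }

        // Assumption: this puts the processor into ErrorState.CLOSE_NOW,
        // after which isIoAllowed() is false, so no status line, headers
        // or body are written and the socket is closed.
        response.getCoyoteResponse().action(ActionCode.CLOSE_NOW, null);
    }
}
```

A valve is loaded by Tomcat's own class loader, so the class goes in Tomcat's `lib` directory and is enabled with a `<Valve className="..."/>` element on the Context or Host.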