Jesse,

On 1/15/15 5:06 PM, Jesse Barnum wrote:
>> On Jan 14, 2015, at 12:29 AM, Konstantin Kolinko
>> <knst.koli...@gmail.com> wrote:
>> 
>> 2015-01-14 6:28 GMT+03:00 Christopher Schultz:
>>> Jesse,
>>> On 1/13/15 6:29 PM, Jesse Barnum wrote:
>>>> I need the ability to examine the POST data from a request, 
>>>> examine it, and either respond to it or close the connection 
>>>> without returning any result, not even a 200 OK status.
>>>> 
>>>> The reason for this is because I’m getting overwhelmed with 
>>>> thousands of invalid requests per second, which are racking
>>>> up bandwidth fees. The requests can’t be traced to an IP
>>>> address, so I can’t just block them in a firewall or Apache -
>>>> I need to actually use logic in my Tomcat app to figure out
>>>> which requests to respond to.
>>>> 
>>>> Is there a way to force Tomcat to just drop the connection
>>>> and close the socket without sending a response?
>>> 
>>> You can't close the stream from your code, Tomcat will ignore
>>> it, so a response flush, and return a 200 response anyway.
>>> 
>>> I'm curious, what's wrong with an empty 200 response? It's only
>>> a couple of bytes, but I suppose if you are getting millions
>>> per hour, you could still incur bandwidth costs...
>> 
>> response.setHeader("Connection", "close") will cause Tomcat to
>> close the connection (i.e. do not use keep-alive that is default
>> for HTTP/1.1 requests).
>> 
>> Response body may be empty but by default the response includes
>> HTTP status code and reason phrase and some headers. Is that too
>> much?
>> 
>>> You might be able to do this with a Valve, but then you might
>>> have problems with your web application needing to provide the
>>> logic to determine whether or not to accept the request.
>> 
>> It can be implemented in two tiers:
>> 
>> a) an application sets an attribute on request or uses some
>> specific status code on the response.
>> 
>> b) a valve detects presence of the attribute or status code and
>> closes the connection.
>> 
>> You have not mentioned your version of Tomcat.
>> 
>> For a pointer, note the following enum value in the source code 
>> (available in the current 7.0.x, 8.0.x):
>> 
>> org.apache.coyote.ErrorState.CLOSE_NOW
>> 
>> org.apache.coyote.ErrorState.isIoAllowed()
>> 
>> Best regards, Konstantin Kolinko
> 
> Thank you very much for all the help. After reading all of these
> responses, I concluded that it was not that bad to just return an
> empty response, especially by using mod_headers to set the server and
> date headers to empty value.
> 
> I forgot to mention - I’m running Tomcat 7.052 with an Apache 2.2
> front-end. I have a feeling that even if I did implement the Valve
> trick, Apache would still return some response to the user (likely
> an error 500 or 503 that the AJP connector had failed to respond),
> so returning a very small response from Tomcat is actually probably
> less outbound bandwidth.

You might want to look into mod_evasive.

-chris
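The two-tier approach described in the thread (application flags the request, a valve closes the connection), as an added sketch that is not code from the thread or from the Tomcat project. The class name and the attribute name are hypothetical. It uses Tomcat's internal Coyote hook ActionCode.CLOSE_NOW, which sets the ErrorState.CLOSE_NOW mentioned above; whether a given 7.0.x build has it, and whether any bytes still reach the client, are assumptions to verify on the target version.

```java
import java.io.IOException;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.coyote.ActionCode;

/**
 * Tier (b): container-level valve.
 *
 * Tier (a) is the web application. After inspecting the POST data it marks
 * a request it does not want to answer and returns without writing a body:
 *
 *   request.setAttribute(DropConnectionValve.DROP_ATTR, Boolean.TRUE);
 */
public class DropConnectionValve extends ValveBase {

    /** Hypothetical attribute name agreed between application and valve. */
    public static final String DROP_ATTR = "example.dropConnection";

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {

        // Run the rest of the pipeline first so the application can apply
        // its own logic to the request.
        getNext().invoke(request, response);

        if (!Boolean.TRUE.equals(request.getAttribute(DROP_ATTR))) {
            return; // normal request: leave the response untouched
        }

        if (!response.isCommitted()) {
            // Fallback from the thread: if a response is written after all,
            // at least disable keep-alive for this connection.
            response.setHeader("Connection", "close");
        }

        // Internal API: ask the connector to stop I/O on this connection
        // and close it as soon as possible.
        response.getCoyoteResponse().action(ActionCode.CLOSE_NOW, null);
    }
}
```

The compiled class has to be on Tomcat's own classpath (not inside the web application) and registered as a Valve element in server.xml or the context configuration. Behind an Apache/AJP front-end this only closes the back-end connection, so Apache still answers the client, as noted in the thread.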