Jesse,

On 1/16/15 9:02 AM, Jesse Barnum wrote:
> 
>> On Jan 16, 2015, at 4:37 AM, André Warnier <a...@ice-sa.com>
>> wrote:
>> 
>> If you do have an Apache httpd front-end anyway, it still seems a
>> bit of a shame to have to use any Tomcat bandwidth and resources
>> in order to catch this kind of thing, and not be able to do it at
>> the Apache httpd level, before you even decide to proxy the
>> request to Tomcat.  Apache httpd also has a lot of add-ons to
>> catch and deny things like obstreperous clients etc. Are you
>> sure that there is nothing which you could "export" from Tomcat
>> to Apache httpd, to allow httpd to catch these unwanted requests
>> earlier? (not necessarily all of them; but whatever you catch
>> there, saves resources in Tomcat).
>> 
>> Some info, if it can be useful : unlike a servlet or filter in
>> Tomcat, Apache-based code does not necessarily "consume" the
>> whole request in order to examine for example some POST
>> parameters.  So it can do that, and still proxy (or not) the
>> whole request to Tomcat if appropriate. It is probably a fair
>> bet, that many of these unwanted requests follow some kind of
>> general pattern that could be relatively easily filtered out
>> early, isn't it?
> 
> This is for a license check phone-home server. Old versions of our
> products had bugs that could cause them to endlessly make
> phone-home requests as fast as possible. We need to examine the
> POST data, check the product code parameter to see which product it
> is, as well as a version parameter to see which version of the
> product it is. We then consult a lookup table (hard-coded into
> Java) to see whether to reject the request or respond to it.
> 
> I would assume that is beyond the scope of configurable filters in
> Apache, maybe I’m wrong?

Apache httpd 2.4 has Lua built right into it. Perhaps you could
knock up a "filter" using that?

Does your product not set a User-Agent header with a version number
when phoning home? Perhaps you should start doing that, then you could
filter based upon HTTP headers instead of part of the message body.

Another thing you might be able to do would be to have Apache httpd
pull out the data from the request body and pop it into a header,
which Tomcat could check without processing the body. Something is
still examining the body, but it will make your Java code simpler.

-chris
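
The header-based filtering suggested above, sketched as a mod_lua access-checker hook. This is an added example, not part of the original message or of anyone's production code: the `User-Agent` format (`<product-code>/<version>`), the product codes, the version numbers, the script path and the function name `gate` are all assumptions.

```lua
-- phonehome_gate.lua (added example; hypothetical file name and path)
-- httpd.conf, assuming mod_lua is loaded:
--   LuaHookAccessChecker /etc/httpd/lua/phonehome_gate.lua gate early
require "apache2"

-- Constructed lookup table: product code -> first version without the
-- runaway phone-home bug. Anything older is refused at the front end.
local FIRST_FIXED = {
  ["PRODA"] = "3.2.0",
  ["PRODB"] = "1.10.4",
}

-- Split "1.10.4" into {1, 10, 4}; returns nil if no numeric fields are found.
local function parse_version(s)
  local parts = {}
  for piece in string.gmatch(s, "[^.]+") do
    local n = tonumber(piece)
    if not n then return nil end
    parts[#parts + 1] = n
  end
  if #parts == 0 then return nil end
  return parts
end

-- True when version a sorts strictly before b (missing fields count as 0),
-- so "1.9" < "1.10.4" compares numerically rather than as strings.
local function older_than(a, b)
  for i = 1, math.max(#a, #b) do
    local x, y = a[i] or 0, b[i] or 0
    if x ~= y then return x < y end
  end
  return false
end

function gate(r)
  if r.method ~= "POST" then return apache2.DECLINED end
  local ua = r.headers_in["User-Agent"] or ""
  -- Assumed header format, e.g. "PRODA/3.1.7"
  local product, version = string.match(ua, "^([%w_-]+)/([%d.]+)")
  local fixed = product and FIRST_FIXED[product]
  if not fixed then return apache2.DECLINED end  -- unknown client: let Tomcat decide
  local have, need = parse_version(version), parse_version(fixed)
  if have and older_than(have, need) then
    return 403  -- known-buggy build: refuse before the request is proxied
  end
  return apache2.DECLINED
end
```

Because the hook reads only headers, the POST body is left untouched for the proxy to forward. The `User-Agent` value is client-supplied, so this sheds load from known-buggy builds and is not an authorization control.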
