
feature suggestions
Pavel Merdine <pounduser(at)merdin.com>
2004-01-29 14:48:03
Hello,

I'd like to suggest some features for pound.
Sorry if they are already discussed here.

1. Accept filter
No comments.
2. Throttle control
To protect against DoS attacks. (in addition to first suggestion).
3. PCRE
I think it would be more convenient to use PCRE in config options.

-- 
/ Pavel Merdine


Re: feature suggestions
Robert Segall <roseg(at)apsis.ch>
2004-01-29 16:34:24
On Thu, 2004-01-29 at 14:48, Pavel Merdine wrote:
> Hello,
> 
> I'd like to suggest some features for pound.
> Sorry if they are already discussed here.
> 
> 1. Accept filter

This is already available: define a URL group with no back-ends.

> 2. Throttle control
> To protect against DoS attacks. (in addition to first suggestion).

Suggestions? What is considered a DoS? How do you protect against one?

Going by what I see I don't know of any method that would reliably
identify a DoS, with no false positives, and that would allow you to
effectively throttle down the requests.

> 3. PCRE
> I think it would be more convenient to use PCRE in config options.

What is PCRE?
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904


Re[2]: feature suggestions
Pavel Merdine <pounduser(at)merdin.com>
2004-01-29 16:56:16
Hello,

Thursday, January 29, 2004, 6:34:24 PM, you wrote:

> On Thu, 2004-01-29 at 14:48, Pavel Merdine wrote:
>> Hello,
>> 
>> I'd like to suggest some features for pound.
>> Sorry if they are already discussed here.
>> 
>> 1. Accept filter

> This is already available: define a URL group with no back-ends.

I meant accept_filter
(http://www.google.com/search?q=accept_filter)
You can see an example in Apache. (notes too)
In short, it allows saving resources in case of DoS. The connection is
passed by the system to the application only when a proper HTTP request
is received.

>> 2. Throttle control
>> To protect against DoS attacks. (in addition to first suggestion).

> Suggestions? What is considered a DoS? How do you protect against one?

> Going by what I see I don't know of any method that would reliably
> identify a DoS, with no false positives, and that would allow you to
> effectively throttle down the requests.

Usually, the administrator can set a limit, e.g. the number of requests per
second (+per IP?). This limit is different in each case.
Without such a limit any website can be forced to be down anytime by
anyone. :(

>> 3. PCRE
>> I think it would be more convenient to use PCRE in config options.

> What is PCRE?
http://www.google.com/search?q=pcre


-- 
/ Pavel Merdine
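
Added example, not part of the thread and not Pound code: a per-IP token-bucket limiter of the kind the message above describes (requests per second, per IP). The names `throttle_init` and `throttle_allow`, the table size and the sample limits are assumptions; all clients behind one shared address draw from the same bucket, which is one source of the false positives raised earlier in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_BITS 10                 /* 1024 tracked clients (assumed size) */
#define SLOTS     (1u << SLOT_BITS)
#define PROBES    8                  /* slots examined before an entry is recycled */

struct bucket { int used; uint32_t ip; double tokens; uint64_t last_ms; };
struct throttle { double rate, burst; struct bucket tab[SLOTS]; };

void throttle_init(struct throttle *t, double rate, double burst) {
    memset(t, 0, sizeof *t);
    t->rate = rate;    /* requests refilled per second */
    t->burst = burst;  /* bucket capacity */
}

/* Returns 1 if a request from ip (IPv4, host order) may proceed at now_ms. */
int throttle_allow(struct throttle *t, uint32_t ip, uint64_t now_ms) {
    uint32_t h = (ip * 2654435761u) >> (32 - SLOT_BITS);
    struct bucket *b = NULL, *victim = &t->tab[h];
    for (uint32_t i = 0; i < PROBES; i++) {
        struct bucket *c = &t->tab[(h + i) & (SLOTS - 1)];
        if (!c->used || c->ip == ip) { b = c; break; }
        if (c->last_ms < victim->last_ms) victim = c;
    }
    if (!b) b = victim;              /* window full: recycle the longest-idle entry */
    if (!b->used || b->ip != ip) {   /* unseen client starts with a full bucket */
        b->used = 1; b->ip = ip; b->tokens = t->burst; b->last_ms = now_ms;
    }
    if (now_ms > b->last_ms) {       /* refill for the elapsed time, capped at burst */
        b->tokens += t->rate * (double)(now_ms - b->last_ms) / 1000.0;
        if (b->tokens > t->burst) b->tokens = t->burst;
        b->last_ms = now_ms;
    }
    if (b->tokens < 1.0) return 0;   /* over the limit: caller rejects or delays */
    b->tokens -= 1.0;
    return 1;
}

int main(void) {
    static struct throttle t;
    throttle_init(&t, 2.0, 3.0);     /* constructed limit: 2 req/s, burst of 3 */
    uint32_t ip = 0xC0000201u;       /* 192.0.2.1, documentation address */
    for (uint64_t ms = 0; ms <= 1000; ms += 250)
        printf("t=%llums allowed=%d\n", (unsigned long long)ms, throttle_allow(&t, ip, ms));
    return 0;
}
```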



Re: Re[2]: feature suggestions
Robert Segall <roseg(at)apsis.ch>
2004-01-29 18:31:25
On Thu, 2004-01-29 at 16:56, Pavel Merdine wrote:
> Hello,
> 
> Thursday, January 29, 2004, 6:34:24 PM, you wrote:
> 
> > On Thu, 2004-01-29 at 14:48, Pavel Merdine wrote:
> >> Hello,
> >> 
> >> I'd like to suggest some features for pound.
> >> Sorry if they are already discussed here.
> >> 
> >> 1. Accept filter
> 
> > This is already available: define a URL group with no back-ends.
> 
> I meant accept_filter
> (http://www.google.com/search?q=accept_filter)
> You can see an example in Apache. (notes too)
> In short, it allows saving resources in case of DoS. The connection is
> passed by the system to the application only when a proper HTTP request
> is received.

If you mean Pound should make use of the accept_filter facilities: no,
simply because they are unavailable on a lot of systems.

Pound effectively implements accept_filter-like functionality internally
- it only passes the request to a back-end if the request is correctly
formed (otherwise not even the socket is opened).

> >> 2. Throttle control
> >> To protect against DoS attacks. (in addition to first suggestion).
> 
> > Suggestions? What is considered a DoS? How do you protect against one?
> 
> > Going by what I see I don't know of any method that would reliably
> > identify a DoS, with no false positives, and that would allow you to
> > effectively throttle down the requests.
> 
> Usually, the administrator can set a limit, e.g. the number of requests per
> second (+per IP?). This limit is different in each case.
> Without such a limit any website can be forced to be down anytime by
> anyone. :(
> 
> >> 3. PCRE
> >> I think it would be more convenient to use PCRE in config options.
> 
> > What is PCRE?
> http://www.google.com/search?q=pcre

Oh, _that_ PCRE (Perl regex). Why would that be better than the plain
POSIX regex which is used now?
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
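
Added example, not part of the thread and not Pound code: the portability gap described above, shown as a helper that uses FreeBSD's `SO_ACCEPTFILTER` (`httpready`) where it exists, falls back to Linux's `TCP_DEFER_ACCEPT`, and otherwise reports that the server must do the filtering itself. The helper name `enable_accept_filter` and the result enum are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

enum accf_result { ACCF_ERROR = -1, ACCF_UNSUPPORTED, ACCF_DEFER_DATA, ACCF_HTTPREADY };

/* Ask the kernel to hold new connections on listening socket fd until the
 * client has sent something. Call after listen(); timeout_s is used on Linux only. */
enum accf_result enable_accept_filter(int fd, int timeout_s) {
#if defined(SO_ACCEPTFILTER)
    /* FreeBSD: accept() returns once a complete HTTP request has been
     * buffered; requires the accf_http kernel module to be loaded. */
    struct accept_filter_arg afa;
    (void)timeout_s;
    memset(&afa, 0, sizeof afa);
    strcpy(afa.af_name, "httpready");
    if (setsockopt(fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof afa) < 0)
        return ACCF_ERROR;
    return ACCF_HTTPREADY;
#elif defined(TCP_DEFER_ACCEPT)
    /* Linux: weaker guarantee; the listener wakes when any data arrives,
     * the kernel does not check that it is a well-formed HTTP request. */
    if (setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &timeout_s, sizeof timeout_s) < 0)
        return ACCF_ERROR;
    return ACCF_DEFER_DATA;
#else
    (void)fd; (void)timeout_s;
    return ACCF_UNSUPPORTED;         /* request validation stays in user space */
#endif
}

int main(void) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: any free port */
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0)
        return 1;
    printf("accept filter mode: %d\n", enable_accept_filter(fd, 5));
    close(fd);
    return 0;
}
```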


Re: Re[2]: feature suggestions
Alexander Lazic <al-pound(at)none.at>
2004-01-30 08:34:25
On Thu 29.01.2004 18:31, Robert Segall wrote:
>
>Oh, _that_ PCRE (Perl regex). Why would that be better than the plain
>POSIX regex which is used now?

Performance and some easier Regex syntax.

Imho.

al ;-)

Re[4]: feature suggestions
Pavel Merdine <pounduser(at)merdin.com>
2004-01-30 09:46:52
Hello,

ok. I see...

Thursday, January 29, 2004, 8:31:25 PM, you wrote:

> On Thu, 2004-01-29 at 16:56, Pavel Merdine wrote:
>> Hello,
>> 
>> Thursday, January 29, 2004, 6:34:24 PM, you wrote:
>> 
>> > On Thu, 2004-01-29 at 14:48, Pavel Merdine wrote:
>> >> Hello,
>> >> 
>> >> I'd like to suggest some features for pound.
>> >> Sorry if they are already discussed here.
>> >> 
>> >> 1. Accept filter
>> 
>> > This is already available: define a URL group with no back-ends.
>> 
>> I meant accept_filter
>> (http://www.google.com/search?q=accept_filter)
>> You can see an example in Apache. (notes too)
>> In short, it allows saving resources in case of DoS. The connection is
>> passed by the system to the application only when a proper HTTP request
>> is received.

> If you mean Pound should make use of the accept_filter facilities: no,
> simply because they are unavailable on a lot of systems.

> Pound effectively implements accept_filter-like functionality internally
> - it only passes the request to a back-end if the request is correctly
> formed (otherwise not even the socket is opened).

>> >> 2. Throttle control
>> >> To protect against DoS attacks. (in addition to first suggestion).
>> 
>> > Suggestions? What is considered a DoS? How do you protect against one?
>> 
>> > Going by what I see I don't know of any method that would reliably
>> > identify a DoS, with no false positives, and that would allow you to
>> > effectively throttle down the requests.
>> 
>> Usually, the administrator can set a limit, e.g. the number of requests per
>> second (+per IP?). This limit is different in each case.
>> Without such a limit any website can be forced to be down anytime by
>> anyone. :(
>> 
>> >> 3. PCRE
>> >> I think it would be more convenient to use PCRE in config options.
>> 
>> > What is PCRE?
>> http://www.google.com/search?q=pcre

> Oh, _that_ PCRE (Perl regex). Why would that be better than the plain
> POSIX regex which is used now?


-- 
/ Pavel Merdine


