[MEDIUM] introduce "timeout http-request" in frontends
In order to offer DoS protection, it may be required to lower the maximum
accepted time to receive a complete HTTP request without affecting the client
timeout. This helps protecting against established connections on which
nothing is sent. The client timeout cannot offer a good protection against
this abuse because it is an inactivity timeout, which means that if the
attacker sends one character every now and then, the timeout will not
trigger. With the HTTP request timeout, no matter what speed the client
types, the request will be aborted if it does not complete in time.
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 655a40e..b9cf62f 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -521,6 +521,7 @@
tv_eternity(&defproxy.timeout.appsession);
tv_eternity(&defproxy.timeout.queue);
tv_eternity(&defproxy.timeout.tarpit);
+ tv_eternity(&defproxy.timeout.httpreq);
}
/*
@@ -603,6 +604,7 @@
tv_eternity(&curproxy->timeout.appsession);
tv_eternity(&curproxy->timeout.queue);
tv_eternity(&curproxy->timeout.tarpit);
+ tv_eternity(&curproxy->timeout.httpreq);
curproxy->last_change = now.tv_sec;
curproxy->id = strdup(args[1]);
@@ -663,6 +665,7 @@
if (curproxy->cap & PR_CAP_FE) {
curproxy->timeout.client = defproxy.timeout.client;
curproxy->timeout.tarpit = defproxy.timeout.tarpit;
+ curproxy->timeout.httpreq = defproxy.timeout.httpreq;
curproxy->uri_auth = defproxy.uri_auth;
curproxy->mon_net = defproxy.mon_net;
curproxy->mon_mask = defproxy.mon_mask;