
Is 21 seconds too little for a connection timeout instead of the Apache default of 300 seconds?

@Angela700

Posted in: #Apache #Configuration #Error #Timeout

I currently have Apache time out incomplete requests after 21 seconds because I don't want bad bots holding up the available connection slots, and I feel people would rather wait 21 seconds for a slot to free up than (Apache timeout default of) 300 seconds.

After log research, I see entries like this:

(remote ip address) - - [17/Mar/2016:10:29:13 -0400] "-" 408 - "-" "-"


Most of the time, they come from mobile devices connected to mobile networks, and a 408 code suggests to me to increase the timeout, but I thought 21 seconds is plenty for a local mobile device to connect to a local server. By local, I mean within about 1000 km (from central Ontario to central Quebec). The funny thing is that when I tested from various locations from California USA via webpagetest.org, the entire webpage, ads and all, loads on all devices in well under 21 seconds.

Am I still specifying too low of a timeout? If so, why? Or is it just that some networks that are trying to connect to my site are poorly configured? Or is it just that some mobile devices themselves are that terrible with connecting to websites?

These lines appear between 10% and 30% of the time.


1 Comments


@Nickens628

OK, I figured it out from hard research. The answer is 21 seconds is WAY TOO HIGH! This is because an attack called Slowloris exists. What it does in a nutshell is hold up Apache slots for about as long as the timeout value specified in the Apache config. This in turn prevents legit users from even connecting to the website. Because connections now need less than 1 second to set up, a timeout over 3 seconds for me is bad. (Of course I'm trying to help some mobile clients with somewhat weak connections, which is why I'm not going to a flat 1 second timeout.)

Here's an article on Slowloris.
www.incapsula.com/ddos/attack-glossary/slowloris.html

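One way to tell whether the empty-request 408 lines from the question are scattered slow clients or one address holding many slots at once, as an added example that is not part of either post. The function names, the 60-second window and the threshold of 4 are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common/combined log format: ip ident user [time] "request" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
# Constructed sample lines (documentation IP ranges), not from a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Mar/2016:10:29:13 -0400] "-" 408 - "-" "-"
198.51.100.7 - - [17/Mar/2016:10:29:14 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Mar/2016:10:29:20 -0400] "-" 408 - "-" "-"
203.0.113.5 - - [17/Mar/2016:10:29:21 -0400] "-" 408 - "-" "-"
203.0.113.5 - - [17/Mar/2016:10:29:21 -0400] "-" 408 - "-" "-"
203.0.113.5 - - [17/Mar/2016:10:29:22 -0400] "-" 408 - "-" "-"
192.0.2.10 - - [17/Mar/2016:10:45:40 -0400] "-" 408 - "-" "-"
""".splitlines()


def timeouts_by_client(lines):
    """Return (share of parsed lines that are empty-request 408s, {ip: [times]})."""
    hits, parsed = defaultdict(list), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parsed += 1
        ip, ts, request, status = m.groups()
        if status == "408" and request == "-":
            hits[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    return (sum(map(len, hits.values())) / parsed if parsed else 0.0), dict(hits)


def max_burst(times, window=timedelta(seconds=60)):
    """Largest number of timestamps that fall inside any one sliding window."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def clustered_clients(lines, min_burst=4):
    """Clients whose 408s bunch together; min_burst is an assumed threshold."""
    bursts = {ip: max_burst(ts) for ip, ts in timeouts_by_client(lines)[1].items()}
    return {ip: n for ip, n in bursts.items() if n >= min_burst}


if __name__ == "__main__":
    print(timeouts_by_client(SAMPLE_LOG)[0], clustered_clients(SAMPLE_LOG))
```

In the sample, 192.0.2.10 has two 408s sixteen minutes apart and is not reported, while 203.0.113.5 has four within three seconds and is.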

