All modern OSes offer alternative

Posted Jun 25, 2009 4:31 UTC (Thu) by quotemstr (subscriber, #45331)
In reply to: All modern OSes offer alternative by khim
Parent article: Apache attacked by a "slow loris"

Why do you need an entirely new web server? Couldn't you do the same thing with a caching reverse proxy like Varnish? That way, you only need to configure one set of servers.



All modern OSes offer alternative

Posted Jun 25, 2009 4:45 UTC (Thu) by khim (subscriber, #9252) [Link]

Why do you need an entirely new web server?
Because you need solutions, not buzzwords? I've explained why you need two servers below. Without a "real" web server you can't serve static pages (icons, images, etc.) via sendfile(2) - and this is important for real-world servers.
Couldn't you do the same thing with a caching reverse proxy like Varnish?
You can name your frontend server "web server", "web accelerator" or use any other term, but if your frontend is "heavily threaded, with each client connection being handled by a separate worker thread" then you've just added complexity without any benefits. What'll happen to your frontend if you have 50,000 clients with open connections? Nginx can handle such a load on a medium-sized system.
That way, you only need to configure one set of servers.
You still need to configure a server. Nginx was designed from the ground up to do two things and do them well:
1. Serve static pages.
2. Work as http-accelerator.

All modern OSes offer alternative

Posted Jun 25, 2009 5:43 UTC (Thu) by quotemstr (subscriber, #45331) [Link]

Because you need solutions, not buzzwords?
This coming from somebody who's hawking a specific product as the solution to a whole class of problems? I don't think I'm the one who has to worry about buzzwords here.
You still need to configure a server.
Reading the nginx webpage, it appears you can configure nginx as a caching reverse proxy. That's fine. My issue is that you pretend it's the only game in town when really, any caching reverse proxy will do. (And feature sets may differ; Varnish, for example, appears to have a more sophisticated load balancer.)

Also, I can't fathom why you would want your web accelerator serving content on its own. A caching reverse proxy setup is the only one that makes sense to me: that way, you have one place to configure what's served: the back-end servers. Because the back-end servers already mark what's static and what's not (via cache-control HTTP headers), you shouldn't have to do anything special to push static content to the front-end server, and the reverse proxy asking the back-end servers once in a while for some static content won't make a difference in the overall load.

All modern OSes offer alternative

Posted Jun 26, 2009 12:21 UTC (Fri) by tcabot (subscriber, #6656) [Link]

I can imagine different cases requiring different solutions. In one case (I think the one you're thinking of) the bulk of what gets served is generated by the back-end servers and the "static" assets are smaller by comparison - site icons, CSS, JS, etc. In that case you're right: a proxy is the way to go because you're concentrating control and configuration in one place.

On the other hand, let's say that your site serves massive quantities of "interesting" image files (which I understand was the original use case for nginx). In that case the server needs to be extremely efficient because the working set is so large that a cache wouldn't do much good.

Horses for courses.

Varnish is the answer

Posted Jun 26, 2009 13:04 UTC (Fri) by dion (subscriber, #2764) [Link]

Varnish only allocates a worker thread once the entire request has been received from the client, so simply slapping Varnish in front of the webserver under attack will defeat the attack.

If all you want to do is to mitigate a Slow Loris attack then just move your web server to a different port and start Varnish with the default configuration on port 80.
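As an added example (not code from any poster in this thread, and not Varnish or nginx code), here is a constructed simulation of the point dion makes above: a frontend that only assigns a worker once the whole header block has arrived, and drops clients whose headers are still incomplete at a deadline, cannot have its worker pool pinned by connections that dribble one header line at a time. The Apache-style model, the 8192-byte header cap, the 10-second header deadline and the 50-attacker scenario are all assumptions chosen for the demonstration.

```python
"""Constructed model of a slow-header ("slow loris") attack against two
frontend designs. Added example; not Varnish, nginx or Apache code."""
from dataclasses import dataclass

CRLF2 = b"\r\n\r\n"   # end of the HTTP header block


@dataclass
class RequestBuffer:
    """Cheap per-connection buffer. A worker is assigned only when state
    becomes "complete"; a client still dribbling headers past the deadline
    is dropped instead of holding anything expensive."""
    deadline: float          # absolute time by which the header block must be complete
    max_header: int = 8192   # assumed cap on header bytes (real frontends enforce one)
    data: bytes = b""
    state: str = "reading"   # reading | complete | timeout | too_large

    def feed(self, chunk: bytes, now: float) -> str:
        if self.state != "reading":
            return self.state
        if now > self.deadline:
            self.state = "timeout"
            return self.state
        self.data += chunk
        if len(self.data) > self.max_header:
            self.state = "too_large"
        elif CRLF2 in self.data:
            self.state = "complete"
        return self.state

    def tick(self, now: float) -> str:
        """Timer callback: drops a client that went silent before completing."""
        if self.state == "reading" and now > self.deadline:
            self.state = "timeout"
        return self.state


def slowloris_client(duration: float, interval: float):
    """Constructed attacker: a partial request, then one bogus header line
    every `interval` seconds, never sending the terminating blank line."""
    chunks = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")]
    t = interval
    while t <= duration:
        chunks.append((t, b"X-a: b\r\n"))
        t += interval
    return chunks


def legit_client(at: float = 0.1):
    """Constructed well-behaved client: the whole request in one segment."""
    return [(at, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")]


def thread_per_connection(n_connections: int, workers: int) -> int:
    """Thread-per-connection model: a worker is pinned at accept(), before a
    single byte is parsed. Returns how many workers remain for real users."""
    return max(workers - n_connections, 0)


def buffering_frontend(clients, workers: int, header_timeout: float,
                       observe_until: float) -> dict:
    """Buffer-then-dispatch model: a worker only for requests whose headers
    completed before the deadline; everyone else is just a small buffer."""
    busy = dropped = 0
    for chunks in clients:
        buf = RequestBuffer(deadline=header_timeout)
        for t, chunk in chunks:
            if buf.feed(chunk, t) != "reading":
                break
        buf.tick(observe_until)   # end of the observation window
        if buf.state == "complete":
            busy += 1
        else:
            dropped += 1
    return {"workers_busy": busy,
            "workers_free": max(workers - busy, 0),
            "dropped": dropped}


def demo() -> dict:
    """50 slow attackers plus one legitimate client against 10 workers."""
    workers = 10
    attackers = [slowloris_client(duration=60.0, interval=5.0) for _ in range(50)]
    clients = attackers + [legit_client()]
    return {
        "thread_per_connection_free": thread_per_connection(len(clients), workers),
        "buffering_frontend": buffering_frontend(
            clients, workers, header_timeout=10.0, observe_until=60.0),
    }


if __name__ == "__main__":
    print(demo())
```

In the thread-per-connection model the 51 connections exhaust the 10 workers before any request is parsed; in the buffering model only the one completed request costs a worker and all 50 attackers are dropped at the header deadline. The same per-connection cost still exists in the second model (a buffer and a timer), which is why the header-size cap and deadline matter: without them the attacker simply pays for memory instead of threads.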

Copyright © 2013, Eklektix, Inc.