Feature: Early access control knob to block connection floods

  • Goal: A new access directive executed immediately after accepting a connection, before reading the request, allowing unwanted or malicious clients do be dropped as soon as possible without tying up connection resources.

  • Status: Not started

  • ETA: one day at most

  • Version: None assigned

  • Priority: None assigned

  • Developer:

  • More:

Details

This is a proposal for a new tcp_access directive, to be executed immediately when a new connection is accepted, before reading any HTPT request. As no HTTP data is yet available it's limited to src, myport, myaddr, time and maxconn type acls, maybe one or two more.

Should probably reset the connection by default rather than sending av HTTP error, but that's subjective. Some may prefer an error page..

This can be thougt of as application level firewalling of the proxy service.

Needs to be a "slow/async" acl match like http_access so external acls may be plugged in for extra functionality such as integration with packet level firewalls, cluster wide connection accounting etc.

Discussion

To answer, use the "Discussion" link in the main menu

See Discussed Page

Nice!. I suggest adding dst and port directives, which are quite useless in forward proxy scenarios, but could be useful in transaprent and reverse proxy setups.

-- FrancescoChemolli 2008-11-02 20:45:51

CategoryFeature

Features/TCPAccess (last edited 2009-03-08 09:56:56 by AmosJeffries)