Closed valintinr closed 9 years ago
What is your value of 'robot_mitigation_timeout'?
On 10/30/2014 06:08 PM, valintinr wrote:
Hello. We are currently using SEnginx with HTTP Robot Mitigation on the second cluster (4 servers). Our first cluster is using perl Roboo on 5 servers. Load balancing is via BGP (yes, it's a dummy balancing w/o session support, but it's working and easy to use), so one request (e.g. /) can be routed via 3-4-5 servers (e.g. / via the 1st server, some images via the 2nd server, some css/js via the 3rd server...).
robot_mitigation_secret is static and the same on each server. So now we have the following issue: after a rechallenge the client gets a different cookie value, but it may be rechallenged not on all cluster servers. E.g. clear the cache and the cookie value is changed (robot_mitigation_secret is static).
On the first cluster with perl Roboo this does not happen: after a rechallenge (clear cache, timeout...) the cookie value is the same until the secret is changed, using a static Roboo_secret too.
— Reply to this email directly or view it on GitHub https://github.com/NeusoftSecurity/SEnginx/issues/32.
robot_mitigation_timeout 3600;
BTW, I can provide 2 domains so you can reproduce this: the first domain is configured on the first cluster with perl Roboo, the second domain is configured on the second cluster with robot_mitigation.
Good, what are the 2 domains?
You can write me an email to tell me the domains if you don't want to expose them to the public. Thanks
Sorry, I didn't see the 2 previous messages. Send domain names via email.
You can check the cookie value (TANGRAM-DDOS-FILTER). If you clean cookies in the browser: on the 1st domain the cookie value after rechallenge will be the same; on the 2nd domain the cookie value after rechallenge will be changed. It caused issues, e.g. admin page etc...
All cluster servers have the same static secret.
Seems the issue didn't happen again, closing this issue.
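
An added illustration of the requirement described in this thread, not SEnginx or Roboo code: with per-request routing and no session affinity, a challenge cookie is only usable if every node can verify it from the shared secret alone. The HMAC derivation, the `Node` class and the node-local value are assumptions made for this example; the thread does not establish how either product builds its cookie or what caused the reported behaviour.

```python
import hashlib
import hmac
import os

# Constructed value; stands in for the static secret configured on every node.
SHARED_SECRET = b"constructed-shared-secret"


class Node:
    """One cluster server. The cookie derivation is an assumption of this example."""

    def __init__(self, secret, bind_local_state):
        self.secret = secret
        # Hypothetical per-node value that the other nodes do not know.
        self.local = os.urandom(16) if bind_local_state else b""

    def issue(self, client_ip):
        # Cookie = HMAC(secret, client address || node-local data)
        msg = client_ip.encode() + self.local
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def verify(self, client_ip, cookie):
        # Stateless check: recompute and compare in constant time.
        return hmac.compare_digest(self.issue(client_ip), cookie)


def simulate(bind_local_state, nodes=4, client_ip="203.0.113.7"):
    """Challenge on node 0, rechallenge on node 1, then hit every node."""
    cluster = [Node(SHARED_SECRET, bind_local_state) for _ in range(nodes)]
    first = cluster[0].issue(client_ip)
    second = cluster[1].issue(client_ip)  # cookies cleared, rechallenged elsewhere
    accepted = sum(n.verify(client_ip, second) for n in cluster)
    return {"stable_value": first == second, "accepted_by": accepted}


if __name__ == "__main__":
    # Derived from the shared secret only: same value, valid on all nodes.
    print("shared secret only  :", simulate(bind_local_state=False))
    # Any node-local input: value changes and only the issuing node accepts it.
    print("plus node-local data:", simulate(bind_local_state=True))
```

When comparing two deployments, the same two observations apply: whether the cookie value is stable across rechallenges, and how many nodes accept a cookie issued by one of them.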