Open ktoso opened 7 years ago
Marking as pick next to discuss it soon.
"So you want to expose Go on the Internet", 26 Dec 2016 by Filippo Valsorda, contains information about hardening Go for exposing it on the internet. That information could be helpful in designing similar features for Akka Http.
Thanks, @lhotari, good information in there.
Currently, based on default settings, a slowloris attack would be able to hold each connection open for 64 (headers) * 60s (idle-timeout) + 20s (request-timeout), or just over an hour--correct?
This can only be somewhat mitigated by reducing max-header-count and idle-timeout—you immediately run into request-limit, which must be shorter than idle-timeout.
The timeout proposed by this ticket sounds like an ideal solution. Any chance to see it implemented?
It's not in the current plans for the Akka team, best chance for it to happen soon would be if someone in the community picks it up.
Marked as help wanted. We currently are not going to work on this specific task (others in the queue), so help would be definitely very welcome
This is different than the request timeout or the idle timeout.
This is about a timeout that counts from beginning of a request being incoming, to the moment in time when the request is done streaming in. This is to mitigate slowloris style attacks.
Details here:
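The timeout discussed in this thread, one budget for receiving the whole request head that a client cannot reset by dribbling out one header line just inside each idle-timeout, is what Go's net/http exposes as http.Server.ReadHeaderTimeout. The following is an added example for this thread, not code from Akka HTTP or from the linked article, written against the Go standard library only; the function names startServer and slowloris and the timing constants are chosen for the demo. It runs the same trickling client against a server with and without that deadline.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"strings"
	"time"
)

// Timing constants constructed for this demo (not Akka HTTP or Go defaults).
const (
	headerLines  = 20                     // header lines the slow client trickles in
	lineInterval = 100 * time.Millisecond // gap between lines: short enough to never trip a per-gap idle timeout
	headTimeout  = 300 * time.Millisecond // one deadline for the whole request head
)

// startServer starts net/http on a loopback port. With hardened=true it sets
// ReadHeaderTimeout, which bounds the time from the first byte of a request to
// the end of its headers regardless of how the client spaces the bytes.
// It returns the address to dial and a function that shuts the server down.
func startServer(hardened bool) (string, func()) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	srv := &http.Server{
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			fmt.Fprintf(w, "received %d headers\n", len(r.Header))
		}),
	}
	if hardened {
		srv.ReadHeaderTimeout = headTimeout
	}
	go srv.Serve(ln) // returns once Close is called; the error is not interesting here
	return ln.Addr().String(), func() { srv.Close() }
}

// slowloris opens one connection, sends the request line, then trickles one
// header line per lineInterval so that no single gap is long while the head as
// a whole takes headerLines*lineInterval. It reports how many header lines it
// got out before the server hung up, the elapsed time, and whether the request
// was eventually answered with 200.
func slowloris(addr string) (sent int, elapsed time.Duration, answered bool) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		panic(err)
	}
	defer conn.Close()
	start := time.Now()

	// A reader goroutine notices the server hanging up (EOF or reset) as soon
	// as it happens, and captures the status line if one arrives.
	reply := make(chan string, 1)
	closed := make(chan struct{})
	go func() {
		defer close(closed)
		if line, err := bufio.NewReader(conn).ReadString('\n'); err == nil {
			reply <- line
		}
	}()

	if _, err := fmt.Fprintf(conn, "GET / HTTP/1.1\r\nHost: %s\r\n", addr); err != nil {
		return 0, time.Since(start), false
	}
	for i := 0; i < headerLines; i++ {
		select {
		case <-closed:
			return sent, time.Since(start), false // server gave up on us
		case <-time.After(lineInterval):
		}
		if _, err := fmt.Fprintf(conn, "X-Slow-%d: %d\r\n", i, i); err != nil {
			return sent, time.Since(start), false
		}
		sent++
	}
	fmt.Fprint(conn, "\r\n") // blank line: the head is finally complete
	select {
	case line := <-reply:
		return sent, time.Since(start), strings.HasPrefix(line, "HTTP/1.1 200")
	case <-time.After(2 * time.Second):
		return sent, time.Since(start), false
	}
}

func main() {
	for _, hardened := range []bool{false, true} {
		addr, stop := startServer(hardened)
		sent, elapsed, answered := slowloris(addr)
		stop()
		fmt.Printf("ReadHeaderTimeout=%v: %d/%d header lines accepted in %v, answered=%v\n",
			hardened, sent, headerLines, elapsed.Round(time.Millisecond), answered)
	}
}
```

Run with go run: without the deadline all 20 lines at 100 ms spacing are accepted and the request is answered after about two seconds; with ReadHeaderTimeout at 300 ms the server hangs up after a few lines, whatever the spacing. A server that relies on a per-gap idle timeout alone is bounded only by max-header-count times that idle timeout, which is the arithmetic earlier in this thread.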