Open filhodanuvem opened 11 years ago
A validation on the URL can fix that, so the user cannot put the project's own domain in the URL field (it will only be possible to put a URL to another place, which is not the domain of the application). What do you think?
This solution helps us, but what if the loop happens between different services?
url_from | url_target |
---|---|
http://redir/live | http://bit.ly/hash1 |
http://bit.ly/hash1 | http://redir/live |
A web browser stops redirecting after N tries. But I don't know if a request with "curl", for example, has this behaviour. My bigger fear is that our goahead dies in that case.
Usually this is a client problem. Even curl can follow redirects, but it is not its default behavior.
If you want to avoid a denial-of-service you should implement some sort of request-throttling and an IP block list.
To do this you should track each access for a short period of time and block the client's IP if it starts overloading your daemon.
BTW, it's difficult to believe that a single looping client will overload your daemon. It should not, unless your daemon is badly implemented.
Hmm. I really liked your idea about an IP block list and I want to code it soon. But for now, I will focus on other essential issues. :+1:
Can we avoid loop redirections? RFC 2616 says that the client should worry about it, but I'm worried :worried:
e.g.: Suppose that our goahead is running on host http://redir/ and we have these rows in the redirect table:
The system would crash if some client sends a request to http://redir/live. Our goahead service can never go down (process down)! And if it happens the admin must be notified at the same time. :bomb:
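
The validation proposed in the thread (refuse a `url_target` on the service's own domain), sketched in Go as an added example that is not part of the thread or of goahead's code; `ValidateTarget`, the error names and the `ownHost` setting are assumptions. It accepts the bit.ly row from the table, since a loop that passes through another service is not visible from the local check.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Sentinel errors returned by ValidateTarget (hypothetical names).
var (
	ErrBadURL    = errors.New("url_target must be an absolute http(s) URL")
	ErrOwnDomain = errors.New("url_target points back at this service")
)

// normHost lowercases a host name and drops a trailing root dot, so
// "REDIR." and "redir" compare equal.
func normHost(h string) string {
	return strings.TrimSuffix(strings.ToLower(h), ".")
}

// ValidateTarget rejects a url_target whose host is the service's own host.
// ownHost is assumed configuration, e.g. "redir" for http://redir/.
func ValidateTarget(ownHost, target string) error {
	u, err := url.Parse(strings.TrimSpace(target))
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return ErrBadURL
	}
	// Hostname() strips the port and any userinfo, so
	// "http://bit.ly@redir:80/live" is still recognised as host "redir".
	if normHost(u.Hostname()) == normHost(ownHost) {
		return ErrOwnDomain
	}
	return nil
}

func main() {
	// Constructed sample targets.
	for _, t := range []string{
		"http://redir/live",
		"http://REDIR.:80/live",
		"http://bit.ly@redir/live",
		"//redir/live",
		"http://bit.ly/hash1", // accepted: a cross-service loop is not detectable here
	} {
		fmt.Printf("%-28s -> %v\n", t, ValidateTarget("redir", t))
	}
}
```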