Slowloris config on an HTTP/2 setup
Hi
I'm asking for advice re https://docs.cpanel.net/knowledge-base/security/how-to-mitigate-slowloris-attacks/ on a web server with HTTP/2 setup. Along with HTTP/2 the server is using NGINX with reverse proxy (also using HTTP/2) and LSAPI PHP Handler. Also have Mod_Sec and CSF/LFD installed.
mod_reqtimeout is installed but the IfModule settings from the cPanel docs page have not been added.
As HTTP/2 streams over a single connection, is mod_reqtimeout effective anymore?
Are there equivalent default settings in mod_http2 and NGINX config?
Thanks in advance.
-
Hey there! As with most security or configuration questions, there is never going to be a perfect answer.
mod_reqtimeout is not going to be helpful here, but there is some good, recent discussion here about this:
where they recommend specific http2 ratelimits. You could also consider adjusting the worker_connections and worker_rlimit_nofile settings as well.
Nginx also supports client_header_timeout and client_body_timeout and those apply to http2 as well.
With those options, that should give you enough to play around with to essentially mimic mod_reqtimeout.
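A small offline check for the NGINX directives named in the reply above, added here as an example and not posted by anyone in the thread. The sample configs, the 20-second threshold and the function names are assumptions; the fallback values are nginx's documented defaults.

```python
import re

# Constructed sample configs (values are illustrative, not from the thread).
WEAK_CONF = """
events { worker_connections 4096; }
http { server { listen 443 ssl http2; } }
"""
TUNED_CONF = """
worker_rlimit_nofile 8192;
events { worker_connections 4096; }
http {
    client_header_timeout 10s;   # time allowed to read the whole request header
    client_body_timeout 10s;     # time allowed between two successive body reads
    server { listen 443 ssl http2; }
}
"""
DEFAULTS = {"client_header_timeout": "60s", "client_body_timeout": "60s",
            "worker_connections": "512"}          # nginx documented defaults
MAX_TIMEOUT_S = 20                                # assumed review threshold
UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """Convert an nginx time value ('10s', '1m 30s', bare '15') to seconds."""
    return sum(int(n) * UNITS[u or "s"] for n, u in re.findall(r"(\d+)(ms|[smhd])?", value))

def directives(conf):
    """Map directive name -> last value seen (ignores block scope and quoting)."""
    found = {}
    for stmt in re.split(r"[;{}]", re.sub(r"#.*", "", conf)):
        parts = stmt.split(None, 1)
        if len(parts) == 2:
            found[parts[0]] = parts[1].strip()
    return found

def audit(conf):
    """Return findings for the directives named in the reply above."""
    d, findings = directives(conf), []
    for name in ("client_header_timeout", "client_body_timeout"):
        secs = to_seconds(d.get(name, DEFAULTS[name]))
        if secs > MAX_TIMEOUT_S:
            findings.append(f"{name} = {secs:g}s exceeds {MAX_TIMEOUT_S}s")
    conns = int(d.get("worker_connections", DEFAULTS["worker_connections"]))
    nofile = d.get("worker_rlimit_nofile")
    if nofile is None:
        findings.append("worker_rlimit_nofile unset: open-file limit comes from the OS")
    elif int(nofile) < conns:   # connections cannot exceed the open-file limit
        findings.append(f"worker_rlimit_nofile {nofile} < worker_connections {conns}")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("tuned", TUNED_CONF)):
        print(label, audit(conf) or "no findings")
```

Feed it the output of `nginx -T` to check a live configuration; it keeps only the last value of each directive, so per-server overrides are not distinguished.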