Re: [Zope] Zope Best Possible Installation
Jaroslav Lukesh wrote:
> I wrote:
> > Oh? How do you define request size limits using pound?
> I don't need it. But if you need, it is possible to ask the pound author for a new feature ;-)

Zope requires a proxy server which can place limits on request length for secure operation. If pound doesn't provide them, then pound is not suitable where secure operation is required.

--
Jamie Heilman http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing next to you may not be who they appear to be, so take precaution." -Sathington Willoughby
On Fri, Jun 13, 2003 at 01:15:13AM -0700, Jamie Heilman wrote:
> Zope requires a proxy server which can place limits on request length for secure operation. If pound doesn't provide them, then pound is not suitable where secure operation is required.

Hmm, the pound readme claims that it assures only "well formed" requests get passed to Zope... don't know if there's a limit, but it seems the authors thought of just that.

Regards,
uwe

--
Uwe Schuerkamp, Nionex GmbH http://www.nionex.com/ Uwe.Schuerkamp@nionex.net
FON: +49 (0)5241 / 80 10 66, FAX: / 806 23 38
GnuPG KeyID: 5887047D Avenwedder Str. 55, 33311 Guetersloh
GnuPG Fingerprint: 2E 13 20 22 9A 3F 63 7F 67 6F E9 B1 A8 36 A4 61
On Friday 13 June 2003 13:23, you wrote:
> On Fri, Jun 13, 2003 at 01:15:13AM -0700, Jamie Heilman wrote:
> > Zope requires a proxy server which can place limits on request length for secure operation. If pound doesn't provide them, then pound is not suitable where secure operation is required.
>
> Hmm, the pound readme claims that it assures only "well formed" requests get passed to Zope... don't know if there's a limit, but it seems the authors thought of just that.
>
> Regards,
> uwe

To set everybody's mind to rest: Pound does set a limit (albeit large - by default almost 16K) on the size of a request. In addition only "correctly formed" requests (as per RFC) are passed to the back-end servers.

In practice this means that Pound routinely rejects (for example) Nimda-style requests - see the log files for "Bad request" messages.

Clarification: "request size" means the size of the request _string_, not the total size of an HTTP request. There is no limit on the total size of the _data_ (in a POST request, for example) that a client can send to a server.

--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
On Friday 13 June 2003 12:33, Robert Segall wrote:
> To set everybody's mind to rest: Pound does set a limit (albeit large - by default almost 16K) on the size of a request. In addition only "correctly formed" requests (as per RFC) are passed to the back-end servers.
>
> In practice this means that Pound routinely rejects (for example) Nimda-style requests - see the log files for "Bad request" messages.
>
> Clarification: "request size" means the size of the request _string_, not the total size of an HTTP request. There is no limit on the total size of the _data_ (in a POST request, for example) that a client can send to a server.

Squid also has a configurable limit on the size of the request body, and the size of request headers. I think both of these offer valuable protection.

--
Toby Dickenson http://www.geminidataloggers.com/people/tdickenson
On Friday 13 June 2003 13:49, you wrote:
> Squid also has a configurable limit on the size of the request body, and the size of request headers. I think both of these offer valuable protection.

Pound also enforces a limit on the size and number of headers in a request - again quite large.

As to the request body: that's a very different can of worms. With the addition of chunked/MIME encodings in HTTP 1.1 the only way of enforcing a size limit on the request body is to read the complete request in the proxy before passing it to the actual server. Unfortunately that exposes you to a nasty DOS attack - all an attacker needs to do is to send you one (or several - in parallel) never-ending request(s).

You may want to look at a similar attack against Apache (published about 5 months ago - google for apache and chunked encoding vulnerability).

--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
On Friday 13 June 2003 13:03, Robert Segall wrote:
> On Friday 13 June 2003 13:49, you wrote:
> > Squid also has a configurable limit on the size of the request body, and the size of request headers. I think both of these offer valuable protection.
>
> Pound also enforces a limit on the size and number of headers in a request - again quite large.

Woohooo. I'm looking forward to having an opportunity to try Pound.

> As to the request body: that's a very different can of worms. With the addition of chunked/MIME encodings in HTTP 1.1 the only way of enforcing a size limit on the request body is to read the complete request in the proxy before passing it to the actual server. Unfortunately that exposes you to a nasty DOS attack - all an attacker needs to do is to send you one (or several - in parallel) never-ending request(s).

I'm not sure how squid would handle the chunked request case. It handles the limit on non-chunked request body sizes by counting bytes, and severing the TCP connection when the counter gets too big. No buffering. I guess that would work with chunks too. (From memory, I didn't think chunked encoding was permitted for request bodies, for interoperability with http/1.0.)

> You may want to look at a similar attack against Apache (published about 5 months ago - google for apache and chunked encoding vulnerability).

I must have missed that one, but I don't keep up to date with apache these days. I can't see anything in Google, unless you mean this 12-month-old one. http://httpd.apache.org/info/security_bulletin_20020617.txt

--
Toby Dickenson http://www.geminidataloggers.com/people/tdickenson
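The two points made above, Robert's (with chunked encoding you cannot know the body size up front, and buffering the whole body in the proxy invites a never-ending-request DOS) and Toby's (Squid counts bytes as they stream and severs the connection once the counter passes the cap, with no buffering), can be combined in one small piece of code. The following is an added example, not code from Pound, Squid or Zope: a streaming body limiter that forwards data piece by piece, refuses a Content-Length that already exceeds the cap before reading a byte, and for chunked bodies keeps a running total over the declared chunk sizes so that an endless sequence of chunks is cut off at the cap rather than accumulated in memory. The cap `MAX_BODY_BYTES`, the function names and the sample requests are all constructed for this example.

```python
# Added example (not from Pound, Squid or Zope): stream a request body under a
# byte cap without buffering it, for Content-Length and chunked framing alike.
import io

MAX_BODY_BYTES = 8 * 1024  # assumed cap for the demo, not a Pound or Squid default


class BodyTooLarge(Exception):
    """The running byte count passed the cap; a proxy would drop the connection here."""


class MalformedBody(Exception):
    """Chunk framing or a length header that is not well formed."""


def _take(stream, n):
    """Read exactly n bytes or fail; only one piece is ever held at a time."""
    data = stream.read(n)
    if len(data) != n:
        raise MalformedBody("body ended early")
    return data


def iter_body(stream, headers, limit=MAX_BODY_BYTES, piece=4096):
    """Yield the body in pieces of at most `piece` bytes, enforcing `limit` on the fly."""
    if "chunked" in headers.get("transfer-encoding", "").lower():
        yield from _iter_chunked(stream, limit, piece)
        return
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        raise MalformedBody("bad Content-Length")
    if length < 0:
        raise MalformedBody("negative Content-Length")
    if length > limit:
        # The declared size already exceeds the cap: refuse before reading any of it.
        raise BodyTooLarge(f"Content-Length {length} > {limit}")
    remaining = length
    while remaining:
        data = _take(stream, min(piece, remaining))
        remaining -= len(data)
        yield data


def _iter_chunked(stream, limit, piece):
    """Walk chunk by chunk; a never-ending stream of chunks is cut off at the cap."""
    total = 0
    while True:
        line = stream.readline(256)  # a chunk-size line longer than this is not well formed
        if not line.endswith(b"\r\n"):
            raise MalformedBody("bad chunk-size line")
        try:
            size = int(line.split(b";", 1)[0].strip(), 16)  # ignore chunk extensions
        except ValueError:
            raise MalformedBody("non-hex chunk size")
        if size == 0:
            for _ in range(32):  # last chunk: skip a bounded number of trailer lines
                if stream.readline(256) == b"\r\n":
                    return
            raise MalformedBody("too many trailer lines")
        total += size  # count the declared size before reading it, so a huge chunk is refused at once
        if total > limit:
            raise BodyTooLarge(f"chunked body passed {limit} bytes")
        remaining = size
        while remaining:
            data = _take(stream, min(piece, remaining))
            remaining -= len(data)
            yield data
        if _take(stream, 2) != b"\r\n":
            raise MalformedBody("missing CRLF after chunk data")


def enforce(raw, limit=MAX_BODY_BYTES):
    """Parse a raw request and stream its body under the cap.
    Returns ("accepted", bytes_seen) or ("rejected", reason)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return ("rejected", "no end of headers")
    headers = {}
    for h in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = h.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    seen = 0
    try:
        for data in iter_body(io.BytesIO(rest), headers, limit):
            seen += len(data)  # a real proxy would forward `data` to the back end here
    except BodyTooLarge as exc:
        return ("rejected", f"body too large: {exc}")
    except MalformedBody as exc:
        return ("rejected", f"malformed body: {exc}")
    return ("accepted", seen)


def _chunked(*chunks):
    """Frame constructed chunks the way an HTTP/1.1 client would."""
    return b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"


# Constructed sample requests for the demo; the host name is made up.
HEAD = b"POST /manage HTTP/1.1\r\nHost: zope.example\r\n"
SAMPLE_OK = HEAD + b"Content-Length: 5\r\n\r\nhello"
SAMPLE_DECLARED_TOO_BIG = HEAD + b"Content-Length: 9999999\r\n\r\n" + b"x" * 10
SAMPLE_CHUNKED_OK = HEAD + b"Transfer-Encoding: chunked\r\n\r\n" + _chunked(b"abc", b"defgh")
SAMPLE_CHUNKED_TOO_BIG = HEAD + b"Transfer-Encoding: chunked\r\n\r\n" + _chunked(b"a" * 10, b"b" * 10)
SAMPLE_BAD_CHUNK = HEAD + b"Transfer-Encoding: chunked\r\n\r\nzz\r\n"
```

Calling `enforce(SAMPLE_CHUNKED_TOO_BIG, limit=16)` returns a rejection after the first ten bytes have been forwarded, which is the point: the proxy never holds more than one piece in memory, and the decision to sever the connection is made from the running count, exactly as Toby describes for Squid, while the chunk framing Robert worries about is handled without reading the whole request first.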
Robert Segall wrote:
> On Fri, Jun 13, 2003 at 01:15:13AM -0700, Jamie Heilman wrote:
> > Zope requires a proxy server which can place limits on request length for secure operation. If pound doesn't provide them, then pound is not suitable where secure operation is required.
>
> To set everybody's mind to rest: Pound does set a limit (albeit large - by default almost 16K) on the size of a request. In addition only "correctly formed" requests (as per RFC) are passed to the back-end servers.
>
> In practice this means that Pound routinely rejects (for example) Nimda-style requests - see the log files for "Bad request" messages.
>
> Clarification: "request size" means the size of the request _string_, not the total size of an HTTP request. There is no limit on the total size of the _data_ (in a POST request, for example) that a client can send to a server.

No, no, request size means the whole request; I'm the one who used that term, and that's what I meant. Request header length limits are all well and good, and as of 2.6 Zope even has some of its own: http://collector.zope.org/Zope/606 Nevertheless header limits are not sufficient by themselves; body length limits are requisite for reliable operation. ZServer will read an entire POST request into memory, so without a protective proxy it is trivial for a client to run the Zope process into the rlimit or worse. If Pound does not provide this protection then Pound is not suitable where secure (read as: reliable) operation is required.

--
Jamie Heilman http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass." -Frank Zappa
On Friday 13 June 2003 23:11, you wrote:
> Robert Segall wrote:
> > On Fri, Jun 13, 2003 at 01:15:13AM -0700, Jamie Heilman wrote:
> > > Zope requires a proxy server which can place limits on request length for secure operation. If pound doesn't provide them, then pound is not suitable where secure operation is required.
> >
> > To set everybody's mind to rest: Pound does set a limit (albeit large - by default almost 16K) on the size of a request. In addition only "correctly formed" requests (as per RFC) are passed to the back-end servers.
> >
> > In practice this means that Pound routinely rejects (for example) Nimda-style requests - see the log files for "Bad request" messages.
> >
> > Clarification: "request size" means the size of the request _string_, not the total size of an HTTP request. There is no limit on the total size of the _data_ (in a POST request, for example) that a client can send to a server.
>
> No, no, request size means the whole request; I'm the one who used that term, and that's what I meant. Request header length limits are all well and good, and as of 2.6 Zope even has some of its own: http://collector.zope.org/Zope/606 Nevertheless header limits are not sufficient by themselves; body length limits are requisite for reliable operation. ZServer will read an entire POST request into memory, so without a protective proxy it is trivial for a client to run the Zope process into the rlimit or worse. If Pound does not provide this protection then Pound is not suitable where secure (read as: reliable) operation is required.

Thanks for the clarification. That kind of limit is scheduled for the next official release of Pound - feel free to download http://www.apsis.ch/pound/Pound-current.tgz if you want to give it a try. I'd greatly appreciate your feedback on it.

--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
participants (4)
- Jamie Heilman
- Robert Segall
- Toby Dickenson
- Uwe Schuerkamp