Hi Masakazu,
Thank you for the thoughts. Sorry for the delay. I definitely agree that
iptables is certainly a helpful tool for similar problems, and they are and
will continue to be used for a number of DoS scenarios by our company. That
said, the per-client connection max feature has a few things

I wonder if the max number of connections should be limited by ATS. I guess
it could be done by iptables if the connections are going to be just
closed. It'd be even better because TCP handshake would not be completed.
It would be a nice addition if iptables or firewalls cannot handle QUIC
connecti

Oh, I just realized that the setting for the max number of connections
already exists and just the exempt setting is new... but I'm still not sure
if we should invest in the setting because of the questions on my previous
email.
-- Masakazu

On Thu, Apr 17, 2025 at 6:41 PM Masakazu Kitajo wrote:
Leif suggested in slack using "exempt" instead of "allow" terminology. I
agree. It communicates the idea of the behavior better. I'll update the PR
with *proxy.config.http.per_client.connection.exempt_list.filename* and
update the docs accordingly in the PR.

On Thu, Apr 17, 2025 at 3:38 PM Brian N
Hi dev@trafficserver.apache.org,
ATS has a feature to restrict the number of per client connections ATS will
receive:
proxy.config.net.per_client.max_connections_in
The intention of the configuration is to mitigate certain DoS situations
via malicious or otherwise misbehaving clients which consum
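To make the behaviour the thread is debating concrete, here is a small model of a per-client inbound connection cap with an exempt list. This is an example written for this page, not ATS's own implementation of `proxy.config.net.per_client.max_connections_in` or of the proposed exempt list. The exempt list format (one IP address or CIDR range per line, `#` starting a comment), the convention that a cap of 0 means unlimited, and the client addresses and events are all assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample exempt list. The file format is an assumption for this
# example (one address or CIDR per line, '#' begins a comment); it is not
# the format ATS defines.
EXEMPT_LIST_TEXT = """
# health checkers and internal load balancers (constructed addresses)
10.0.0.0/8
192.0.2.10
"""

# Constructed stream of (client_ip, "open" | "close") events for the simulation.
SAMPLE_EVENTS = (
    [("198.51.100.7", "open")] * 5          # non-exempt client opens 5 connections
    + [("10.1.2.3", "open")] * 5            # exempt client opens 5 connections
    + [("198.51.100.7", "close"), ("198.51.100.7", "open")]
)


def parse_exempt_list(text):
    """Parse the exempt list into ip_network objects, skipping blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=False lets a host address like 192.0.2.10 become a /32
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


class PerClientConnectionLimiter:
    """Hypothetical model: count open inbound connections per client address and
    reject new ones above max_connections_in, unless the client is exempt."""

    def __init__(self, max_connections_in, exempt_nets=()):
        self.max_connections_in = max_connections_in
        self.exempt_nets = list(exempt_nets)
        self.open_connections = Counter()   # client_ip -> currently open count
        self.rejected = Counter()           # client_ip -> rejected count (for logging/metrics)

    def is_exempt(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.exempt_nets)

    def accept(self, client_ip):
        """Return True if a new connection from client_ip may be accepted."""
        # Assumption for this example: a cap of 0 means no limit.
        if self.max_connections_in == 0 or self.is_exempt(client_ip):
            self.open_connections[client_ip] += 1
            return True
        if self.open_connections[client_ip] >= self.max_connections_in:
            self.rejected[client_ip] += 1
            return False
        self.open_connections[client_ip] += 1
        return True

    def close(self, client_ip):
        """Release one connection slot when the client connection closes."""
        if self.open_connections[client_ip] > 0:
            self.open_connections[client_ip] -= 1


def simulate(events, max_connections_in, exempt_text):
    """Replay open/close events through the limiter; return rejections per client."""
    limiter = PerClientConnectionLimiter(max_connections_in, parse_exempt_list(exempt_text))
    for client_ip, action in events:
        if action == "open":
            limiter.accept(client_ip)
        else:
            limiter.close(client_ip)
    return dict(limiter.rejected)


if __name__ == "__main__":
    # With a cap of 3, the non-exempt client has 2 of its 5 opens rejected,
    # while the exempt 10.0.0.0/8 client is never rejected.
    print(simulate(SAMPLE_EVENTS, 3, EXEMPT_LIST_TEXT))
```

The rejected counter is what a defender would want surfaced as a metric or log line, since a sudden rise in rejections for one address is the signal that the cap is doing its job (or that a legitimate client such as a load balancer needs to be in the exempt list rather than counted against the limit).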