-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 André,
On 7/10/14, 5:40 PM, André Warnier wrote: > Christopher Schultz wrote: ... > >> >> Interesting... load average is a crude measure of activity; I >> suppose that having those timeouts means that there is activity >> on a thread even when there is no real "work" to be done. I do >> recommend leaving the timeouts set to their defaults (-1 = >> infinite). > > In general terms, I would definitely not put the connectionTimeout > nor the keepAliveTimeout to infinite, if that is what you meant > here. In fact, it is exactly what I meant. > ConnectionTimeout infinite seems like a perfect setup for a DOS > attack. Keep-alive timeout infinite seems like the perfect way to > block a lot of threads doing nothing (and opening yourself to > another kind of DOS attack). Anyone allowing outsiders to make AJP connections to their Tomcat backends deserves to be DOS'd. > However, in this case, we are talking about the AJP Connector, > which processes requests coming in via Apache httpd and mod_jk, so > I guess that one can rely on the Apache front-end not to relay > anything nasty to Tomcat. Right. > Presumably, the Apache httpd configuration does not have infinite > connection timeout nor keep-alive timeout. I certainly wouldn't set things up this way. > Which in a way, raises the question of why these parameters are > even available for setting on the AJP Connector. Should these not > better be left to the discretion of Apache httpd and mod_jk in the > first place ? These configuration directives help deal with firewalls that close connections without either party knowing that the connection is no longer valid. If you could not set a timeout, then the Tomcat side could have a thread waiting forever on a connection that would never have any data arrive ever again. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTwBftAAoJEBzwKT+lPKRYKj4P/2HY0TDBRKaij3bDcqbItWrg aDYE8glav8UD589/cGjzoFiIuOqPXa8k2Mp1vqn9jj1K3SrndcKZzUKZARC0sGSR 6L0dTRZhYsTCnxJ5SH77d6dukuElrf82c73DbtVUQU3ZBrsk9x7iKX2V/w978wrS jknziJ2xO5+oW+/n6Uri8zp57I2wzYLyCK3+MhyuEDqfDo3deBvsUefWiHqGJ/27 lVkhM+LLL1cgM8xddVXsbP9/Sj+bVP3k6pLdvmxx76n5KO1Og6Ib2Hg0cSH9vsJs ++Y+YVqKVzvDTGOHuUqINP6UT0eJPueaIDJzAMePDQpCcobB4iEOjHU7kqOuff5/ pWiXy0I15aPmtsQxdcGqA2ZXa0GjIKuuDH3B6QCxbsasXbt8RQ3IrfIsaB7uVW4Z pNSNBVxxW3Vdw8//8/YV5rOAf5UxdFPkrNeYfg2l8XeK+nDV0Ioly/KDRy5V6UbR EWZFJLLYgUsz9c39/uRpEVhbVrd7mrouswAcAPc6SQHobcymBmEsJycKab3h6HWU 2Wa+otuNVt6LGOGdfZRB7VfNwdU1ksUNd8dNmQ86ar/MtjRV5EzF4vEqGnL17l1N PuHlHL0UlCYJRfOZcRdUHbAeP/8qYN2uaPC/uoNxv5OM3cI0Sr3PIHspDF5uv0ne SL5SS/b2I/ursp1Ov61e =cHY9 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
