On 1/13/2015 4:03 PM, Jesse Barnum wrote:
>> On Jan 13, 2015, at 6:46 PM, Mark Eggers
>> <its_toas...@yahoo.com.INVALID> wrote:
>>
>> On 1/13/2015 3:29 PM, Jesse Barnum wrote:
>>> I need the ability to examine the POST data from a request,
>>> examine it, and either respond to it or close the connection
>>> without returning any result, not even a 200 OK status.
>>>
>>> The reason for this is because I’m getting overwhelmed with
>>> thousands of invalid requests per second, which are racking up
>>> bandwidth fees. The requests can’t be traced to an IP address,
>>> so I can’t just block them in a firewall or Apache - I need to
>>> actually use logic in my Tomcat app to figure out which
>>> requests to respond to.
>>>
>>> Is there a way to force Tomcat to just drop the connection and
>>> close the socket without sending a response?
>>>
>>> --Jesse Barnum, President, 360Works
>>>
>>
>> Possibly with mod_security?
>>
>> https://www.modsecurity.org/
>>
>> You can add this to Apache HTTPD if you're fronting Tomcat with
>> it, or you can check out the Java implementation here:
>>
>> http://blog.spiderlabs.com/2013/09/modsecurity-for-java-beta-testers-needed.html
>>
>> I have used mod_security, and while it's somewhat a beast, it does a
>> great job at protecting web applications.
>>
>> I have not used the Java version.
>>
>> . . . just my two cents
>> /mde/
>
> Thanks for the suggestion, but that won’t do what I need. I need to
> examine the request and use business logic in my web app to
> determine whether or not to respond to the request.
>
> --Jesse Barnum, President, 360Works
> http://www.360works.com
> Product updates and news on http://facebook.com/360Works
> (770) 234-9293
> == Don't lose your data! http://360works.com/safetynet/ for FileMaker Server ==

Yep, writing business logic as a set of custom rules might be a bit of work. I've had to write custom rules in the past, and they can get complicated quickly.

On the plus side, with mod_security the Apache HTTPD server does the work, logs the requests, and you can possibly start to see patterns where you could short-circuit the tests. It's also in one place, so you wouldn't have to duplicate the effort (unless each application has a different set of failure rules).

. . . just my two cents
/mde/
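
The approach discussed in this thread, as an added example that is not from any poster's configuration: ModSecurity v2 rules in Apache HTTPD that inspect the POST body and use the `drop` action to close the connection without sending a response. The path `/api/submit`, the parameter name `client_token`, its 32-hex-character format and the rule ids are hypothetical stand-ins for the application's own validity check.

```apache
# Added example. URI, parameter name, token format and rule ids are assumptions.
SecRuleEngine On
# Buffer request bodies so that phase:2 rules can see POST parameters.
SecRequestBodyAccess On

# Rule 100001: POST to the endpoint with no client_token parameter at all.
# "drop" closes the TCP connection instead of returning an HTTP status;
# "log" still records the event in the error and audit logs.
SecRule REQUEST_METHOD "@streq POST" \
    "id:100001,phase:2,drop,log,msg:'POST without client_token',chain"
    SecRule REQUEST_URI "@beginsWith /api/submit" "chain"
        SecRule &ARGS_POST:client_token "@eq 0"

# Rule 100002: client_token is present but does not match the expected format.
SecRule REQUEST_URI "@beginsWith /api/submit" \
    "id:100002,phase:2,drop,log,msg:'Malformed client_token',chain"
    SecRule ARGS_POST:client_token "!@rx ^[0-9a-f]{32}$"
```

Because the rules run in phase 2, the request body has already been received when the connection is dropped; only the response traffic is saved.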