Opened 3 years ago
Closed 3 years ago
#2235 closed enhancement (wontfix)
Allow setting TLS handshake timeouts for http(/2)
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | |
| Keywords: | ssl tls dos ddos | Cc: | |
| uname -a: | FreeBSD xxx.xxx.xxx 13.0-RELEASE-p1 FreeBSD 13.0-RELEASE-p1 amd64 | | |

nginx -V:

```text
nginx version: nginx/1.20.1
built with OpenSSL 1.1.1k-freebsd  25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --with-compat --modules-path=/usr/local/libexec/nginx --with-file-aio --with-google_perftools_module --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_realip_module --with-pcre --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --without-mail_pop3_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --add-module=/wrkdirs/usr/ports/www/nginx/work/nginx-module-vts-0.1.18 --with-http_image_filter_module=dynamic --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx_devel_kit-0.3.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx_http_auth_pam_module-1.5.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx-fancyindex-0.5.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/lua-nginx-module-0.10.19 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ModSecurity-nginx-1.0.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/set-misc-nginx-module-4667684 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/passenger-6.0.8/src/nginx_module
```
Description
Currently only the stream_ssl module supports any kind of tuning of the TLS handshake. We are seeing frequent and high-impact DDoS attacks where part of the attack consists of opening connections to nginx but never starting or completing the TLS handshake.
We could use a way to define
- max time until TLS handshake begins (after TCP establish)
- max time for TLS handshake to complete (after first TLS message)
Both of the above should be configurable in seconds or, better, fractions of seconds.
We use TCP initial timeouts on the network layer and SYN cookies in the IP stack to manage those attack vectors.
SSL handshake time in the HTTP module is limited by the client_header_timeout time. Given there is no real difference between completed SSL handshake and incomplete HTTP request header and incomplete SSL handshake, there are no plans to introduce additional timeouts here.
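The two knobs the ticket contrasts, shown side by side as an added configuration example (not from the ticket or from nginx's own docs): in the HTTP server the existing `client_header_timeout` is the only timer that bounds a stalled or never-started TLS handshake, while the stream SSL module has a dedicated `ssl_handshake_timeout`. Certificate paths, server names and the upstream name are placeholders.

```nginx
# Added example; certificate/key paths, server_name and upstream are placeholders.

http {
    server {
        listen 443 ssl http2;
        server_name example.com;               # placeholder

        ssl_certificate     /etc/ssl/placeholder-fullchain.pem;  # placeholder
        ssl_certificate_key /etc/ssl/placeholder-privkey.pem;    # placeholder

        # Per the maintainer's reply, this one timer covers the whole span from
        # TCP accept until the request header has been read: a client that never
        # sends a ClientHello, one that stalls mid-handshake, and one that
        # finishes TLS but never sends headers all hit the same deadline.
        # The default is 60s; sub-second values may be given in milliseconds.
        client_header_timeout 5s;
        client_body_timeout   10s;
    }
}

stream {
    upstream tls_backend {                      # placeholder
        server 127.0.0.1:8443;
    }

    server {
        listen 9443 ssl;

        ssl_certificate     /etc/ssl/placeholder-fullchain.pem;  # placeholder
        ssl_certificate_key /etc/ssl/placeholder-privkey.pem;    # placeholder

        # The stream SSL module exposes a handshake-specific deadline (default 60s),
        # which is the tuning the reporter says is missing on the HTTP side.
        ssl_handshake_timeout 5s;

        proxy_pass tls_backend;
    }
}
```

After lowering `client_header_timeout`, confirm the effect in the error log: connections closed by the timer are logged as "client timed out (110: Connection timed out) while SSL handshaking" at info level when `error_log` is set to `info`.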