id: 2235
summary: Allow setting TLS handshake timeouts for http(/2)
reporter: ltning@…
owner:
type: enhancement
status: closed
priority: minor
milestone:
component: nginx-module
version:
resolution: wontfix
keywords: ssl tls dos ddos
cc:
uname: FreeBSD xxx.xxx.xxx 13.0-RELEASE-p1 FreeBSD 13.0-RELEASE-p1 amd64

description:

Currently only the stream_ssl module supports any kind of tuning of the TLS handshake. We are seeing frequent and high-impact DDoS attacks where part of the attack consists of opening connections to nginx but never starting or completing the TLS handshake.

We could use a way to define
- max time until TLS handshake begins (after TCP establish)
- max time for TLS handshake to complete (after first TLS message)

Both of the above should be configurable in seconds or, better, fractions of seconds.

We use TCP initial timeouts on the network layer and SYN cookies in the IP stack to manage those attack vectors.

nginx_version:

nginx version: nginx/1.20.1
built with OpenSSL 1.1.1k-freebsd 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --with-compat --modules-path=/usr/local/libexec/nginx --with-file-aio --with-google_perftools_module --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_realip_module --with-pcre --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --without-mail_pop3_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --add-module=/wrkdirs/usr/ports/www/nginx/work/nginx-module-vts-0.1.18 --with-http_image_filter_module=dynamic --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx_devel_kit-0.3.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx_http_auth_pam_module-1.5.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx-fancyindex-0.5.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/lua-nginx-module-0.10.19 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ModSecurity-nginx-1.0.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/set-misc-nginx-module-4667684 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/passenger-6.0.8/src/nginx_module