On Wed, Apr 4, 2018, 22:18 Alex Ivanov <gnidorah at ya.ru> wrote:

> Hi.
> I want to use systemd as fastcgi spawner for gitweb + nginx.
> The traffic is low and number of users is limited + traversal bots. For
> that reason I've decided to use the following minimal services
>
> gitweb.socket:
> [Unit]
> Description=GitWeb Socket
>
> [Socket]
> ListenStream=/run/gitweb.sock
> Accept=false
>
> [Install]
> WantedBy=sockets.target
>
> gitweb.service:
> [Unit]
> Description=GitWeb Service
>
> [Service]
> Type=simple
> ExecStart=/path/to/gitweb.cgi --fcgi
> StandardInput=socket
>
> However this scheme is not resistant to simple DDOS.
> E.g. traversal bots often kill the service by opening a non-existing path
> (e.g. http://host/?p=repo;a=blob;f=nonexisting/path;hb=HEAD showing in
> browser 404 - Cannot find file) many times consecutively, which leads to
>
> Apr 03 21:32:10 host systemd[1]: gitweb.service: Start request repeated
> too quickly.
> Apr 03 21:32:10 host systemd[1]: gitweb.service: Failed with result
> 'start-limit-hit'.
> Apr 03 21:32:10 host systemd[1]: Failed to start GitWeb service.
>
> in journal and 502 Bad Gateway in browser.
>
> Could someone please show me how to correct this issue?
>

I don't quite understand how gitweb.cgi is designed and how it's supposed to behave here.

You use Accept=no, which implies that gitweb.cgi should start *once* and keep accepting connections in a loop forever. So why does it keep exiting and restarting *at all*? Why does a simple 404 make it exit the whole event loop?

If it doesn't accept connections on its own, but needs to be passed in an already-accepted connection, that'd be Accept=yes... And I'm not sure if systemd activation like this is suitable for very high request rates.

-- 
Mantas Mikulėnas <grawity at gmail.com>
Sent from my phone
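As an added example (not part of the thread), the poster's service unit rewritten so that a crawler-induced exit no longer leaves gitweb in start-limit-hit: systemd restarts the worker after each failure and the start-rate budget is widened from the default of 5 starts per 10 s. This assumes systemd 230 or newer, where StartLimitIntervalSec= and StartLimitBurst= belong in the [Unit] section (older releases spell them StartLimitInterval=/StartLimitBurst= under [Service]); /path/to/gitweb.cgi is the poster's own placeholder. The socket unit is unchanged from the original post.

```ini
# gitweb.service (added example, not the poster's file)
[Unit]
Description=GitWeb Service
# Allow up to 20 (re)starts in any 5-minute window before systemd
# refuses further starts. The default is 5 starts in 10 s, which is
# the budget a burst of 404-triggering requests was exhausting.
StartLimitIntervalSec=300
StartLimitBurst=20

[Service]
Type=simple
ExecStart=/path/to/gitweb.cgi --fcgi
StandardInput=socket
# Bring the worker back after an unclean exit (non-zero status or
# signal), with a short delay so a tight crash loop cannot burn the
# whole start budget in one second.
Restart=on-failure
RestartSec=2s
```

After editing, run `systemctl daemon-reload` and `systemctl reset-failed gitweb.service` to clear the stored start-limit-hit state. These settings only contain the symptom; the question raised in the reply, why a single 404 makes the --fcgi worker leave its accept loop at all, is still the thing to investigate.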