
In NGINX, is there a directive to limit the time it takes to establish new client connections?


In Nginx there's the client_header_timeout directive, which sets a timeout for receiving the complete headers of an HTTP request from a client. The docs don't specify whether this timeout includes the connection-opening/SSL handshake period. Is there perhaps another directive that controls it, or does client_header_timeout perhaps already include it?

Comments:

symcbean: Curious as to the use-case here.

Nikita Kipriyanov: The process of the TCP handshake is performed by the kernel and is not controlled by Nginx. The connection is handed to Nginx only when it is established (the 3-way handshake succeeded).

user2464424: @symcbean The Slowloris DDoS attack [can target the SSL handshake](https://www.powerwaf.com/learning/ddos-attacks/slowloris-attack/#the-types-and-variants-of-slowloris-attacks). One way to mitigate it is to set a strict timeout on SSL negotiations and handshakes. In addition, one of the major selling points of even deploying a proxy server is to handle SSL termination so that your app doesn't have to, and I think it's important to have better control over this process in general.

user2464424: @NikitaKipriyanov The SSL handshake, however, is not, and I think it's important to have fine control over SSL termination. Also, it's not entirely true that the user has no control over the TCP handshake: for example, the [tcp_syn_retries](https://man7.org/linux/man-pages/man7/tcp.7.html) parameter exists, and a few other interesting ones.

symcbean: I was under the impression that client_header_timeout explicitly dealt with this case (e.g. https://blog.qualys.com/vulnerabilities-threat-research/2011/11/02/how-to-protect-against-slow-http-attacks). Do you have reason to believe otherwise?

user2464424: @symcbean I think the article you linked doesn't in any way imply that client_header_timeout includes the initial TCP handshake or the SSL handshake...

Nikita Kipriyanov: I think the SSL handshake is also out of Nginx's control, as it is controlled by the OpenSSL library. But I didn't find any references to timeouts in the OpenSSL manuals (which are awful). OK, the answer is: there is **no such directive in Nginx**.

symcbean: Would it be so hard to test?
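For readers who land here looking for what nginx does expose, the following is an added configuration example (written for this page, not taken from the question, the commenters, or the nginx project) showing the per-phase timeouts the thread mentions alongside a per-IP connection cap. The values, hostname, certificate paths and upstream address are placeholders. It only uses directives that exist in the nginx http module; whether the header timer also bounds the TLS handshake is the open question of the thread and is not settled here.

```nginx
# Added example: bound how long one slow client can hold a worker connection
# in each HTTP phase that nginx exposes a timeout for. All values are
# illustrative and should be tuned to real traffic before deployment.

http {
    # Time allowed to receive the complete request header (nginx default 60s).
    client_header_timeout 10s;

    # Maximum gap between two successive reads of the request body (default 60s).
    client_body_timeout 10s;

    # Maximum gap between two successive writes of the response (default 60s).
    send_timeout 10s;

    # How long an idle keep-alive connection is kept open (default 75s).
    keepalive_timeout 15s;

    # Per-client-IP connection counting, so a single source cannot exhaust
    # worker_connections on its own. 10m of shared memory holds many keys.
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    server {
        listen 443 ssl;
        server_name example.com;                            # placeholder
        ssl_certificate     /etc/nginx/tls/example.crt;     # placeholder path
        ssl_certificate_key /etc/nginx/tls/example.key;     # placeholder path

        # At most 20 simultaneous connections from one client address.
        limit_conn perip 20;

        location / {
            proxy_pass http://127.0.0.1:8080;               # assumed upstream
        }
    }
}
```

Check the result with `nginx -t` before reloading, and watch the error log for `limit_conn` rejections after deployment: a burst of them from a handful of addresses is the signal that the cap is doing its job, while rejections spread across many legitimate clients mean the limit is too tight for your traffic.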