Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop HTTP session on security events #1045

Open
1 task
vankoven opened this issue Jul 24, 2018 · 2 comments
Open
1 task

Drop HTTP session on security events #1045

vankoven opened this issue Jul 24, 2018 · 2 comments
Labels
enhancement security
Milestone
1.1: TBD

Comments

@vankoven
Copy link
Contributor

vankoven commented Jul 24, 2018
edited by krizhanovsky
Loading

Linked with #598

When a security event happens TCP connection between Tempesta and client is closed. Optionally source ip is blocked.

How about HTTP session? Shall we mark HTTP session as expired to stop client from reaching us via proxies, and make him to pass java script challenge once again?

Testing

  • Drop HTTP session on security events. See #88
@vankoven vankoven added enhancement security question Questions and support tasks labels Jul 24, 2018
@vankoven vankoven added this to the backlog milestone Jul 24, 2018
@krizhanovsky
Copy link
Contributor

krizhanovsky commented Jul 25, 2018
edited
Loading

Good question. Ideally we should provide a configuration option for a system administrator: whether to block a [probably] malicious client on IP layer or challenge them next time on HTTP layer. So it's linked with #934 (Filter unification with nftables and/or XDP) and I move it to 1.2 milestone.

Linked with #598 (comment) : #1115 has introduced client differentiation by HTTP headers - such clients can work through the same TCP connection established by a proxy and we need to drop their HTTP sessions separately.

@krizhanovsky krizhanovsky modified the milestones: backlog, 1.2 Web server Jul 25, 2018
@krizhanovsky krizhanovsky modified the milestones: 1.3 Web server, 1.2 TDB v0.2 Aug 8, 2018
@krizhanovsky krizhanovsky modified the milestones: 1.2 TDB v0.3, 1.1 QUIC Feb 2, 2019
@krizhanovsky krizhanovsky mentioned this issue Feb 13, 2019
Open
@krizhanovsky krizhanovsky mentioned this issue Jun 26, 2019
Closed
@krizhanovsky
Copy link
Contributor

krizhanovsky commented Sep 19, 2019
edited
Loading

UPD.

  1. L7 IP blocking #934 updated not to block clients on IP layer since client IP on our, application HTTP layers, is very different and we don't know it on lower layers. So we do differentiate clients and won't block all clients behind the same anonymous forward proxy.

  2. With one in mind I believe there is no need to keep session for malicious user and we should evict the session. Just mark the session as expired for a blocked client, no need any additional configuration options.

@krizhanovsky krizhanovsky removed the question Questions and support tasks label Sep 19, 2019
@vankoven vankoven mentioned this issue May 5, 2020
Closed
@krizhanovsky krizhanovsky modified the milestones: 0.8 - TBD, 1.1 - TLS 1.3 Jan 3, 2022
@krizhanovsky krizhanovsky changed the title [Frang] Drop HTTP session on security events Drop HTTP session on security events Jan 26, 2022
@krizhanovsky krizhanovsky mentioned this issue Nov 11, 2022
Closed
@RomanBelozerov RomanBelozerov mentioned this issue Mar 10, 2023
Closed
33 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement security
Projects
None yet
Milestone
1.1: TBD
Development

No branches or pull requests
2 participants
@krizhanovsky @vankoven