Drop HTTP session on security events #1045

Open
1 task
vankoven opened this issue Jul 24, 2018 · 2 comments

Comments

@vankoven
Contributor

vankoven commented Jul 24, 2018

Linked with #598

When a security event happens, the TCP connection between Tempesta and the client is closed. Optionally the source IP is blocked.

How about the HTTP session? Shall we mark the HTTP session as expired to stop the client from reaching us via proxies, and make him pass the JavaScript challenge once again?

Testing

  • Drop HTTP session on security events. See #88
@vankoven vankoven added enhancement security question Questions and support tasks labels Jul 24, 2018
@vankoven vankoven added this to the backlog milestone Jul 24, 2018
@krizhanovsky
Contributor

krizhanovsky commented Jul 25, 2018

Good question. Ideally we should provide a configuration option for a system administrator: whether to block a [probably] malicious client on the IP layer or challenge them next time on the HTTP layer. So it's linked with #934 (Filter unification with nftables and/or XDP) and I'm moving it to the 1.2 milestone.

Linked with #598 (comment): #1115 has introduced client differentiation by HTTP headers. Such clients can work through the same TCP connection established by a proxy, and we need to drop their HTTP sessions separately.

@krizhanovsky krizhanovsky modified the milestones: backlog, 1.2 Web server Jul 25, 2018
@krizhanovsky krizhanovsky modified the milestones: 1.3 Web server, 1.2 TDB v0.2 Aug 8, 2018
@krizhanovsky krizhanovsky modified the milestones: 1.2 TDB v0.3, 1.1 QUIC Feb 2, 2019
@krizhanovsky
Contributor

krizhanovsky commented Sep 19, 2019

UPD.

  1. L7 IP blocking (#934) was updated not to block clients on the IP layer, since the client IP at our application (HTTP) layer is very different and we don't know it on the lower layers. So we do differentiate clients and won't block all clients behind the same anonymous forward proxy.

  2. With this in mind I believe there is no need to keep a session for a malicious user and we should evict the session. Just mark the session as expired for a blocked client; no additional configuration options are needed.

@krizhanovsky krizhanovsky removed the question Questions and support tasks label Sep 19, 2019
@krizhanovsky krizhanovsky modified the milestones: 0.8 - TBD, 1.1 - TLS 1.3 Jan 3, 2022
@krizhanovsky krizhanovsky changed the title [Frang] Drop HTTP session on security events Drop HTTP session on security events Jan 26, 2022
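The behaviour discussed in this thread, as an added Python sketch that is not Tempesta FW code: a security event drops the offending client's connection and marks only that client's HTTP session expired, so the next request with the same sticky cookie is sent back to the JavaScript challenge, while another client behind the same forward-proxy IP (differentiated by an HTTP header, as #1115 describes) keeps its session. The `SessionStore` class, the `User-Agent`-based client key, the cookie format and the `violates_policy` flag are assumptions made for this illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Verdicts the request handler can return (names are assumptions).
CHALLENGE = "challenge"  # no valid session: serve the JS challenge again
SERVE = "serve"          # valid session, request is clean
DROP = "drop"            # security event: close the TCP connection


@dataclass
class Session:
    sid: str          # value of the sticky session cookie
    client_key: str   # identifies the client behind a shared proxy IP
    created: float
    expired: bool = False


class SessionStore:
    """In-memory session table with eviction on security events."""

    def __init__(self, ttl_seconds=3600.0, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self.sessions = {}

    @staticmethod
    def client_key(ip, headers):
        # Assumption: clients sharing one proxy IP are told apart by a
        # request header; here the User-Agent stands in for that header.
        ua = headers.get("user-agent", "")
        return hashlib.sha256(f"{ip}|{ua}".encode()).hexdigest()[:16]

    def challenge_passed(self, ip, headers):
        """Issue a fresh session once the client has solved the challenge."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(sid, self.client_key(ip, headers), self.clock())
        return sid

    def lookup(self, sid, ip, headers):
        """Return a live session bound to this client, or None."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if sess.expired or self.clock() - sess.created > self.ttl:
            # Expired (by TTL or by a security event): evict and re-challenge.
            self.sessions.pop(sid, None)
            return None
        if sess.client_key != self.client_key(ip, headers):
            # Cookie presented by a different client than it was issued to.
            return None
        return sess

    def on_security_event(self, sid):
        """Mark the session expired; the IP itself is not blocked."""
        sess = self.sessions.get(sid)
        if sess is not None:
            sess.expired = True
        return DROP


def handle_request(store, ip, headers, cookie_sid, violates_policy=False):
    """Decide what to do with one request from a client."""
    sess = store.lookup(cookie_sid, ip, headers)
    if sess is None:
        return CHALLENGE
    if violates_policy:  # assumption: a Frang-style limit was exceeded
        return store.on_security_event(sess.sid)
    return SERVE


def demo():
    """Two clients behind one proxy IP; only the offender is re-challenged."""
    store = SessionStore()
    proxy_ip = "198.51.100.7"  # constructed sample address
    hdr_a = {"user-agent": "client-a/1.0"}
    hdr_b = {"user-agent": "client-b/1.0"}

    sid_a = store.challenge_passed(proxy_ip, hdr_a)
    sid_b = store.challenge_passed(proxy_ip, hdr_b)

    first_a = handle_request(store, proxy_ip, hdr_a, sid_a, violates_policy=True)
    next_a = handle_request(store, proxy_ip, hdr_a, sid_a)   # session evicted
    next_b = handle_request(store, proxy_ip, hdr_b, sid_b)   # unaffected
    stolen = handle_request(store, proxy_ip, hdr_b, sid_a)   # B presenting A's cookie
    return first_a, next_a, next_b, stolen


if __name__ == "__main__":
    print(demo())  # expected: ('drop', 'challenge', 'serve', 'challenge')
```

Evicting the session rather than blocking the address is what makes the second comment's point concrete: the offender's next request, even over a proxy connection that stays up, carries a cookie the store no longer honours and lands on the challenge page, while the neighbour behind the same IP is untouched.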