<div dir="auto">Are there *new* security implications of allowing keep-alive?<div dir="auto"><br></div><div dir="auto">Slowloris DoS comes to mind:</div><div dir="auto"><a href="https://en.wikipedia.org/wiki/Slowloris_(computer_security)">https://en.wikipedia.org/wiki/Slowloris_(computer_security)</a><br></div><div dir="auto"><br></div><div dir="auto">And the article mentions a number of tools.</div><div dir="auto"><br></div><div dir="auto">Older devices are likely somewhat trivially DoS-able without this patch; but maybe include a config option to disable keep-alive?</div><div dir="auto"><br></div><div dir="auto">What happens to RAM and CPU usage when there are multiple tabs open with keep-alive on?</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 13, 2020, 8:20 AM Jo-Philipp Wich <<a href="mailto:jo@mein.io">jo@mein.io</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Allow POST requests via persistent connections to improve performance<br>
especially when using HTTPS on older devices.<br>
<br>
After this change, average page load times in LuCI improve significantly<br>
once the TLS connections are initiated.<br>
<br>
When testing an ar71xx 19.07.2 build on an Ethernet-connected TL-WR1043nd<br>
using luci-ssl-openssl and the ustream-openssl backend, the average page<br>
load time for the main status page decreased to 1.3s compared to 4.7s<br>
before, the interface and wireless configuration pages loaded in 1.2s<br>
each compared to the 4.2s and 4.9s respectively before.<br>
<br>
Signed-off-by: Jo-Philipp Wich <<a href="mailto:jo@mein.io" target="_blank" rel="noreferrer">jo@mein.io</a>><br>
---<br>
 client.c | 3 +--<br>
 1 file changed, 1 insertion(+), 2 deletions(-)<br>
<br>
diff --git a/client.c b/client.c<br>
index 92f7609..2a2393f 100644<br>
--- a/client.c<br>
+++ b/client.c<br>
@@ -194,8 +194,7 @@ static int client_parse_request(struct client *cl, char *data)<br>
<br>
        req->method = h_method;<br>
        req->version = h_version;<br>
-       if (req->version < UH_HTTP_VER_1_1 || req->method == UH_HTTP_MSG_POST ||<br>
-           !conf.http_keepalive)<br>
+       if (req->version < UH_HTTP_VER_1_1 || !conf.http_keepalive)<br>
                req->connection_close = true;<br>
<br>
        return CLIENT_STATE_HEADER;<br>
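</blockquote><div dir="auto">Review bot: dropping the req->method == UH_HTTP_MSG_POST test from the if condition means a connection that carried a POST is now reused, and neither the hunk nor the commit message says why POST was excluded before or what guarantees that the request body has been fully consumed before the next request is parsed on the same socket. Please confirm that every path which stops handling a POST early (error response, handler failure, rejected body) still sets req->connection_close = true, and say so in the commit message. On the DoS question raised in the reply, the remaining !conf.http_keepalive test shows that keep-alive can already be switched off by configuration; it would help to state that next to the performance numbers, together with how long an idle persistent connection is held open.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">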
-- <br>
2.25.1<br>
<br>
<br>
</blockquote></div>