need to change requestTimeout and test it

manikandan jayakumar
Ranch Hand

Joined: Aug 20, 2011
Posts: 44

Hi,


I want to reduce the default requestTimeout in Tomcat, is it possible?

I have changed connectionTimeout in the Connector tag,

connectionTimeout="1", expecting it to time out. But it's not working as I expected.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16019
    
  20

The first question is: "Why"?

The second question is: "What do you mean by 'request timeout'?".

The third question is: "Why do you think that a Connector has a 'connectionTimeout' property when the Tomcat docs (at least for Tomcat 6) don't define one?"

Request timeout to me means the amount of time that the client will wait for a response before giving up, and that isn't set in Tomcat, it's part of the client. These days, most client programs such as web browsers have pretty long timeout intervals.

The only case I can think of offhand where you'd routinely set a request timeout on Tomcat would actually not be on Tomcat, it would be on something like a Connection Pool where you want database requests to time out if the database doesn't respond quickly enough.


Customer surveys are for companies who didn't pay proper attention to begin with.
manikandan jayakumar
Ranch Hand

Joined: Aug 20, 2011
Posts: 44

Hi Tim,

Thanks for the reply.

1. "Why" - one of our customers reported that a DoS attack is present on our application. If a request takes too long, the server waits for 10 mins before invalidating the request (closing the connection); we need to reduce this.

2. "request timeout" - if a client takes too long (maybe due to a slow internet connection, or a hacker sending (n) slow requests to make the server unavailable for others) to make a request, we need not handle that request and need to close that connection, i.e., the time taken for the server (Tomcat) to completely read the request.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16019
    
  20

Ah. Thank you. Sometimes we assume a certain solution and ask questions relating to that solution when actually the underlying problem has other (and possibly simpler) solutions.

Not that I ever do that myself.

It sounds like you have something like a SYN flood attack problem in the cases of #1 and some #2 cases as well. You may want to consider dealing with them in a more general and powerful way, especially since Tomcat may not be the only target. If your server is a Linux machine, the IPTABLES firewall subsystem deals with things like that, and in fact, most of the sets of sample IPTABLES rules you'll find on the Internet (and almost all rule-generator apps) include that sort of protection as a matter of course.

Anyone who has an inbound request that ties up the listening socket for excessive lengths of time probably has system problems on their end or at least is trying to upload something obscenely large. Anyone who is opening a connection to deliberately "hang" it can generally be taken care of using something like IPTABLES.

What I really recommend is that you get a network expert to analyse your situation and see what system-wide measures you can take. Once that is done, if there are still Tomcat-specific problems, we may be able to provide some more precise remedies.
manikandan jayakumar
Ranch Hand

Joined: Aug 20, 2011
Posts: 44

Tim,

The customer also suggested this (http://httpd.apache.org/docs/trunk/mod/mod_reqtimeout.html)

Can I integrate this (if yes, how?) or is there any other thing similar to this?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16019
    
  20

The equivalent in Tomcat seems to be the "connectionTimeout". I believe that its value as originally supplied is 20 seconds. If you have set it to 1 second, that's probably too short, since the interval is the amount of time that Tomcat will allow for an entire request to come in, and a slow client with a fairly large form might need a few seconds more at least.

Note that this parameter only limits single requests. If you have someone who is deliberately abusing you and it's DDOS (no single port you can firewall), one thing that an IPTABLES firewall can do is throttle the number of incoming requests per second.
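
One way to test the timeout discussed in this thread, as an added example that is not part of any post above: send a single request whose headers are never finished and time how long the server holds the connection before closing it. `start_stub_server` is a constructed local stand-in so the script runs offline; to check a real Tomcat, call `measure_read_timeout` with your own host and Connector port (both names are hypothetical helpers, not Tomcat APIs).

```python
import socket
import threading
import time


def start_stub_server(read_timeout):
    """Constructed stand-in (not Tomcat): closes a connection whose
    request headers do not arrive within read_timeout seconds."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(read_timeout)
        buf = b""
        try:
            while b"\r\n\r\n" not in buf:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                buf += chunk
            else:
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
        except socket.timeout:
            pass  # headers never completed: give up on this client
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def measure_read_timeout(host, port, max_wait=30.0):
    """Send one request with unterminated headers and return the seconds
    until the server closes it, or None if still open after max_wait."""
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=max_wait) as s:
        # No final blank line, so the server keeps waiting for more headers.
        s.sendall(b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n")
        try:
            while s.recv(1024):  # drain any error reply until EOF
                pass
        except socket.timeout:
            return None
        except ConnectionResetError:
            pass  # an abrupt close still counts as the server giving up
    return time.monotonic() - start
```

A return value of None means the connection outlived `max_wait`, so raise `max_wait` above the timeout you expect before concluding the setting has no effect.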
 