SCLing smart-proxy


I vaguely remember there has been some discussions around the subject. What is the current status?

We’ve found that Webrick 1.3 which is the highest possible version for Ruby 2.0 does not timeout HTTPS endpoint leaving sockets opened forever. A simple telnet proxy 9090/8443 simply hangs forever consuming valuable webrick resources. This makes all HTTPS services more vulnerable to slow DoS attacks. It’s not huge problem itself because webrick is generally one of the slower web servers therefore it’s vulnerable to these kind of attacks itself (and proxy is not supposed to be exposed to wild public), but this bug needs to be fixed because security network scanners are able to bring smart-proxy down during scanning of HTTPS endpoint. Those scanners are pretty common in the enterprise.

I don’t see a commit in 1.3 - 1.4.2 time frame that would allow backporting this issue, there’s been tremendous amount of work in that window around waiting, synchronization, timeouts and concurrency in general. The only reasonable thing is upgrading, thus SCLing smart-proxy.

Longer term we should make timeout configurable in smart proxy (currently 30 seconds) which should give users more flexibility when dealing with DoS and ultimately we should be considering using a different web server, but I don’t expect much from this (better performance but same performance “class”). Ideally the alternative should offer some DoS prevention, there might be some Rack modules/plugins to do that compatible with webrick tho:

The current status is that we’ve not done any work in this area. Generally, this should be do-able if we keep the proxy in sync SCL wise with Foreman core (e.g. using the same Ruby and Rails SCL). Why use a Rails SCL for a Sinatra project? Largely due to the dependencies mostly all having already been built and having less overhead that way. Given current projected work, I don’t see this happening for the 1.20 timeframe unless the reasons you are citing are bad enough to warrant taking on this work.

Thanks for the update, I will comment in the BZ.