Hello,
I vaguely remember there has been some discussions around the subject. What is the current status?
We’ve found that Webrick 1.3, which is the highest possible version for Ruby 2.0, does not time out the HTTPS endpoint, leaving sockets open forever. A simple telnet proxy 9090/8443
simply hangs forever, consuming valuable webrick resources. This makes all HTTPS services more vulnerable to slow DoS attacks. It’s not a huge problem in itself, because webrick is generally one of the slower web servers and is therefore vulnerable to these kinds of attacks anyway (and the proxy is not supposed to be exposed to the wild public), but this bug needs to be fixed because security network scanners are able to bring smart-proxy down while scanning the HTTPS endpoint. Those scanners are pretty common in the enterprise.
https://projects.theforeman.org/issues/24634
I don’t see a commit in the 1.3 - 1.4.2 time frame that would allow backporting this fix; there’s been a tremendous amount of work in that window around waiting, synchronization, timeouts and concurrency in general. The only reasonable thing is upgrading, thus SCLing smart-proxy.
Longer term, we should make the timeout configurable in smart-proxy (currently 30 seconds), which should give users more flexibility when dealing with DoS, and ultimately we should be considering using a different web server, but I don’t expect much from this (better performance but the same performance “class”). Ideally the alternative should offer some DoS prevention; there might be some Rack modules/plugins to do that which are compatible with webrick, though:
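Added illustration, not code from smart-proxy or WEBrick: a tiny listener that enforces the kind of per-connection deadline WEBrick's RequestTimeout is meant to give you (the 30 seconds mentioned above). A client that connects and then stays silent, or trickles headers in slowly, is disconnected once the deadline passes instead of holding a worker thread forever. The two check functions at the bottom are constructed verification cases: one idle client that must be hung up on, one well-behaved client that must still be served. For an HTTPS listener the same deadline has to cover the TLS handshake, which is exactly the step the old WEBrick leaves unbounded. Names (IdleGuardServer, request_timeout) and the loopback port are assumptions for this example.

```ruby
require 'socket'

# Hypothetical listener (not WEBrick) that gives each connection a fixed
# number of seconds to deliver a complete request header block.
class IdleGuardServer
  attr_reader :port

  def initialize(request_timeout: 1.0)
    @request_timeout = request_timeout
    @listener = TCPServer.new('127.0.0.1', 0) # port 0 = pick a free port
    @port = @listener.addr[1]
  end

  def start
    @acceptor = Thread.new do
      loop do
        client = @listener.accept
        Thread.new(client) { |c| handle(c) }
      end
    end
    self
  end

  # Read one header line, giving up when the absolute deadline passes.
  # Returns nil on timeout or when the peer closed its end.
  def read_line(client, deadline)
    remaining = deadline - Process.clock_gettime(Process::CLOCK_MONOTONIC)
    return nil if remaining <= 0 || IO.select([client], nil, nil, remaining).nil?
    client.gets
  end

  # Handle one connection; returns :rejected or :served so the outcome is
  # observable. The deadline is absolute, so a slow-header client cannot
  # reset it by sending one byte at a time.
  def handle(client)
    deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + @request_timeout
    request_line = read_line(client, deadline)
    return :rejected if request_line.nil?
    loop do                                   # drain remaining headers
      line = read_line(client, deadline)
      return :rejected if line.nil?
      break if line == "\r\n"
    end
    body = request_line.start_with?('GET') ? 'ok' : 'bad'
    client.write("HTTP/1.1 200 OK\r\nContent-Length: #{body.bytesize}\r\n" \
                 "Connection: close\r\n\r\n#{body}")
    :served
  rescue IOError, Errno::ECONNRESET, Errno::EPIPE
    :rejected
  ensure
    client.close unless client.closed?        # never leave the socket open
  end

  def stop
    @acceptor&.kill
    @listener.close
  end
end

# Constructed check 1: a client that connects and sends nothing must be
# disconnected by the server within roughly the configured deadline.
def idle_client_is_disconnected?(request_timeout: 0.5)
  server = IdleGuardServer.new(request_timeout: request_timeout).start
  sock = TCPSocket.new('127.0.0.1', server.port)
  readable = IO.select([sock], nil, nil, request_timeout * 10) # generous bound
  closed = !readable.nil? && sock.eof?
  sock.close
  server.stop
  closed
end

# Constructed check 2: a client that sends a full request promptly is served.
def prompt_client_body(request_timeout: 0.5)
  server = IdleGuardServer.new(request_timeout: request_timeout).start
  sock = TCPSocket.new('127.0.0.1', server.port)
  sock.write("GET / HTTP/1.1\r\nHost: localhost\r\n\r\n")
  response = sock.read                        # server closes after responding
  sock.close
  server.stop
  response.split("\r\n\r\n", 2)[1]
end

if __FILE__ == $PROGRAM_NAME
  puts "idle client disconnected: #{idle_client_is_disconnected?}"
  puts "prompt client got: #{prompt_client_body.inspect}"
end
```

Run it directly to see both outcomes; the absolute deadline in handle is the design choice that matters, since a per-read timeout alone is still defeated by a client that sends a byte every few seconds.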