[prev in list] [next in list] [prev in thread] [next in thread] 

List:       tomcat-user
Subject:    Re: Can Tomcat Disconnect HTTP Connection that is Connecting for Too Long
From:       Muhammad Edwin <edwinkun () gmail ! com>
Date:       2017-10-22 5:21:29
Message-ID: CABZxXPSY3dz3LR+bJd7nZ4nNifyUMB0NXF7vqQb5cLenrMAhcQ () mail ! gmail ! com
[Download RAW message or body]


On Sat, Oct 21, 2017 at 10:44 PM, André Warnier (tomcat) <aw@ice-sa.com>
wrote:

>
> " timeout on backend to api, is also not feasible "
>
> Why not ?
> That seems to be the real underlying issue.
>
> " my plan is, http connection from device to server, that are connected for
>  more than 10second need to be disconnected forcefully
> "
>
> This is probaly possible (through some "Listener" starting a timer etc.
> ?), but it does not seem to me to be a very clean way of resolving the
> issue.
> For one, any background connection that the tomcat thread establishes to a
> back-end server (API), will continue to run and use up resources, even if
> you kill the client connection.
> You would need to kill (and cleanup) the back-end connections too,
> otherwise you are setting yourself up for the perfect DoS scenario : a
> million client connections come in, expecting to be killed after 10
> seconds; but your server continues to wait for a million back-end things to
> happen.
> It seems more logical (and clean) to set a timeout on the back-end API,
> and return an error to the client if that timeout is exceeded.
>
> Note that if the client TCP connection is dropped (for whatever reason,
> even the client closing it unilaterally), the server will never notice,
> *until* it tries to write something to that connection. Then the server
> code will get an error, and thus notice.
>

Hi Andre,
long story short,
there is no reversal api to 3rd party, so i cannot disconnect forcefully
using timeout (yes, it's an old school api)
as for DoS concern, we are having a thread pool specifically for handling
connection, so number of connection to 3rd party is limited
idea of asynchronous request from device to server is also proposed, but it
will changed the logic of our mobile apps, a risk that management dont want
to take

thank you.

-- 
Warm Regards,


Edwin


[prev in list] [next in list] [prev in thread] [next in thread]