Limit Incoming Connections

Article ID: 49213

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Solution:

This article explains how to limit incoming connections to an SPS instance. This is achieved with the core Multi-Processing Modules (MPMs) of the Apache httpd that SPS is built on; no SPS-specific mechanism is involved.

The administrator controls the limit through configuration parameters that Apache httpd itself provides for this purpose.

The parameters an administrator can configure, per platform:

Platform         | Platform-specific MPM module | Parameters
Windows          | mpm_winnt                    | ThreadsPerChild, MaxRequestsPerChild
RHEL and Solaris | worker                       | StartServers, MaxClients, MinSpareThreads, MaxSpareThreads, ThreadsPerChild, MaxRequestsPerChild

The administrator can configure these parameters either through the SPS UI or by manually editing the file on disk (<SPS_INSTALL_LOCATION>\secure-proxy\httpd\conf\extra\httpd-mpm.conf).

The following sections describe the configuration for each MPM module:

WinNT MPM for Windows Platform:

This MPM is the default for the Windows NT operating systems. It uses a single control process which launches a single child process which in turn creates threads to handle requests.

Parameters available under this module are:

Parameter           | Default value | Description
ThreadsPerChild     | 150           | Number of worker threads in the single server process; this is the maximum number of simultaneous connections
MaxRequestsPerChild | 0             | Maximum number of requests a server process serves before it is replaced; 0 means unlimited

Worker MPM for Solaris Platform and RHEL platform:

This MPM implements a hybrid multi-process multi-threaded server. By using threads to serve requests, it is able to serve a large number of requests with fewer system resources than a process-based server. However, it retains much of the stability of a process-based server by keeping multiple processes available, each with many threads.

Parameter           | Default value | Description
StartServers        | 2             | Initial number of server processes to start
MaxClients          | 150           | Maximum number of simultaneous client connections
MinSpareThreads     | 25            | Minimum number of worker threads which are kept spare
MaxSpareThreads     | 75            | Maximum number of worker threads which are kept spare
ThreadsPerChild     | 25            | Constant number of worker threads in each server process
MaxRequestsPerChild | 0             | Maximum number of requests a server process serves before it is replaced; 0 means unlimited

The most important directives used to control this MPM are:

ThreadsPerChild: controls the number of threads created by each child process.

MaxClients: controls the maximum total number of threads, and therefore of simultaneous connections, that may be active across all child processes.

An administrator may want to lower MaxClients if the server does not have enough memory to serve 150 simultaneous connections. Two constraints apply when raising it: httpd rounds MaxClients down to a multiple of ThreadsPerChild, and MaxClients cannot exceed ServerLimit × ThreadsPerChild (ServerLimit defaults to 16 in the worker MPM, so with ThreadsPerChild at 25 the effective ceiling is 400 connections unless ServerLimit is also raised). MaxSpareThreads must also be at least MinSpareThreads + ThreadsPerChild; httpd corrects it silently otherwise.

MaxRequestsPerChild works differently: when a child process has served that many requests it is shut down and replaced with a fresh copy. A high value such as 1000 (or even more) will not affect normal web server operation but bounds the damage if an Apache module has a memory leak, whereas the default of 0 never recycles a child. When Keep-Alive is in use (many requests performed over a single network connection), all requests performed over one Keep-Alive connection are counted as a single request for the purposes of MaxRequestsPerChild.

All the configuration parameters discussed above are in the file httpd-mpm.conf, located by default at <SPS_INSTALL_LOCATION>\secure-proxy\httpd\conf\extra\httpd-mpm.conf, with the default values described above. Administrators can adjust them as needed; httpd logs a warning at startup when it has to correct an inconsistent combination, so check the error log after changing them.
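As an added example (not code from SPS or the Apache project), the following Python script parses an httpd-mpm.conf style fragment and applies the worker and WinNT sizing rules described above, reporting the effective process and connection limits after httpd's rounding. The embedded configuration is constructed from the defaults in the tables; the ServerLimit (16) and ThreadLimit (1920) values it assumes are Apache 2.2's documented defaults for the worker and mpm_winnt modules, not values read from the SPS installation.

```python
import re

# Constructed sample in the layout of httpd-mpm.conf, using the defaults
# listed in this article. Not the file shipped with SPS.
SAMPLE_MPM_CONF = """\
<IfModule mpm_worker_module>
    StartServers          2
    MaxClients          150
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>

<IfModule mpm_winnt_module>
    ThreadsPerChild     150
    MaxRequestsPerChild   0
</IfModule>
"""

# Documented Apache 2.2 defaults (assumed here, not read from any file).
WORKER_SERVER_LIMIT_DEFAULT = 16    # max child processes for worker
WINNT_THREAD_LIMIT_DEFAULT = 1920   # max ThreadsPerChild for mpm_winnt

_SECTION_RE = re.compile(r"^\s*<IfModule\s+([^\s>]+)\s*>\s*$")
_END_RE = re.compile(r"^\s*</IfModule>\s*$")
_DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s+(\d+)\s*$")


def parse_mpm_conf(text):
    """Return {module: {Directive: int}} for every <IfModule> block.

    Only numeric directives are kept, which is all httpd-mpm.conf contains.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        if (m := _SECTION_RE.match(line)):
            current = sections.setdefault(m.group(1), {})
        elif _END_RE.match(line):
            current = None
        elif current is not None and (m := _DIRECTIVE_RE.match(line)):
            current[m.group(1)] = int(m.group(2))
    return sections


def check_worker(d):
    """Apply the consistency rules httpd warns about at startup.

    Returns a list of findings; an empty list means the sizing is consistent.
    """
    findings = []
    tpc, mc = d["ThreadsPerChild"], d["MaxClients"]
    server_limit = d.get("ServerLimit", WORKER_SERVER_LIMIT_DEFAULT)
    if mc % tpc:
        findings.append(f"MaxClients {mc} is not a multiple of ThreadsPerChild "
                        f"{tpc}; httpd lowers it to {mc - mc % tpc}")
    if mc > server_limit * tpc:
        findings.append(f"MaxClients {mc} needs {mc // tpc} processes but "
                        f"ServerLimit is {server_limit}; effective ceiling "
                        f"is {server_limit * tpc}")
    if d["MaxSpareThreads"] < d["MinSpareThreads"] + tpc:
        findings.append(f"MaxSpareThreads {d['MaxSpareThreads']} is below "
                        f"MinSpareThreads + ThreadsPerChild "
                        f"({d['MinSpareThreads'] + tpc}); httpd raises it")
    if d["StartServers"] * tpc > mc:
        findings.append(f"StartServers {d['StartServers']} would launch more "
                        f"threads than MaxClients {mc} allows")
    return findings


def worker_capacity(d):
    """Effective limits after httpd's rounding: processes and connections."""
    tpc, mc = d["ThreadsPerChild"], d["MaxClients"]
    server_limit = d.get("ServerLimit", WORKER_SERVER_LIMIT_DEFAULT)
    processes = min(mc // tpc, server_limit)
    return {"max_processes": processes, "max_connections": processes * tpc}


def check_winnt(d):
    """mpm_winnt runs one child; ThreadsPerChild is the connection ceiling."""
    findings = []
    thread_limit = d.get("ThreadLimit", WINNT_THREAD_LIMIT_DEFAULT)
    if d["ThreadsPerChild"] > thread_limit:
        findings.append(f"ThreadsPerChild {d['ThreadsPerChild']} exceeds "
                        f"ThreadLimit {thread_limit}; httpd clamps it")
    return findings


if __name__ == "__main__":
    conf = parse_mpm_conf(SAMPLE_MPM_CONF)
    for module, checker in (("mpm_worker_module", check_worker),
                            ("mpm_winnt_module", check_winnt)):
        print(module, checker(conf[module]) or "sizing consistent")
    print("worker capacity:", worker_capacity(conf["mpm_worker_module"]))
```

Run it against a copy of the real httpd-mpm.conf by reading the file into parse_mpm_conf instead of the embedded sample; the findings correspond to the warnings httpd would write to its error log at startup, and worker_capacity shows the connection ceiling that actually applies after rounding.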

Apart from the above, the following directives, shown with their default Apache values, define how long the server will wait for a slow client and how long an idle connection is held open:

Parameter            | Default value | Description
Timeout              | 300           | Wait up to 300 seconds for a slow client to send or receive data
KeepAlive            | On            | Allow connections to be reused between requests
MaxKeepAliveRequests | 100           | Allow a maximum of 100 requests per connection
KeepAliveTimeout     | 15            | Wait up to 15 seconds for the next request on an open connection

Together with MaxClients these decide how easily slow clients can exhaust the thread pool: each idle Keep-Alive connection occupies a worker thread for up to KeepAliveTimeout seconds, and a client that trickles a request holds one for up to Timeout seconds, so lowering Timeout is the usual first step when connection limits are the concern.

The following directives impose limits on various aspects of an HTTP request:

Parameter             | Default value | Description
LimitRequestBody      | 0             | Impose no limit on the request body
LimitRequestFields    | 100           | Allow up to 100 header fields in a request
LimitRequestFieldSize | 8190          | Each header field may be up to 8190 bytes long
LimitRequestLine      | 8190          | First line of the request can be up to 8190 bytes long
LimitXMLRequestBody   | 1000000       | Limit an XML request body to 1,000,000 bytes (Apache 2.x only)

LimitXMLRequestBody is an Apache 2 directive used by the mod_dav module to limit the size of its command requests (which are XML-based). Since the maximum size of the request body is unlimited by default (2 GB in practice), you may wish to specify a more sensible value for LimitRequestBody. You can go as low as 64 KB if you do not need to support file uploads through the installation; set it above the largest legitimate POST the protected applications accept, because a request that declares a larger Content-Length is rejected with a 413 response before the body is read.
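To make the request limits concrete, here is an added Python model (not SPS or httpd code) that applies the four LimitRequest* directives to a raw HTTP/1.1 request and returns the status httpd would send. The request builder and the sample inputs are constructed for this example; the status mapping (414 for an over-long request line, 400 for too many or over-long header fields, 413 for a body over LimitRequestBody) follows httpd 2.2's documented behaviour, and the 64 KB LimitRequestBody is the value suggested in the paragraph above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestLimits:
    """The httpd request-limit directives, with the defaults from the table."""
    LimitRequestLine: int = 8190
    LimitRequestFields: int = 100
    LimitRequestFieldSize: int = 8190
    LimitRequestBody: int = 0        # 0 means no limit


def check_request(raw, limits):
    """Return the status httpd would answer with, or 0 when every limit passes.

    Mapping modelled on httpd 2.2: 414 for an over-long request line, 400 for
    too many or over-long header fields or a malformed Content-Length, 413 for
    a body larger than LimitRequestBody.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return 400                             # header block never terminated
    lines = head.split(b"\r\n")
    request_line, fields = lines[0], lines[1:]
    if len(request_line) > limits.LimitRequestLine:
        return 414
    if len(fields) > limits.LimitRequestFields:
        return 400
    declared = None
    for field in fields:
        if len(field) > limits.LimitRequestFieldSize:
            return 400
        name, _, value = field.partition(b":")
        if name.strip().lower() == b"content-length":
            try:
                declared = int(value.strip())
            except ValueError:
                return 400
    # httpd compares the declared Content-Length with LimitRequestBody before
    # reading the body, so a client cannot make it buffer more than the limit.
    body_len = declared if declared is not None else len(body)
    if limits.LimitRequestBody and body_len > limits.LimitRequestBody:
        return 413
    return 0


def build_request(path=b"/", headers=(), body=b""):
    """Assemble a raw HTTP/1.1 request (constructed test input, not captured)."""
    method = b"POST" if body else b"GET"
    lines = [method + b" " + path + b" HTTP/1.1", b"Host: sps.example.test"]
    lines += [name + b": " + value for name, value in headers]
    if body:
        lines.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


if __name__ == "__main__":
    defaults = RequestLimits()
    hardened = RequestLimits(LimitRequestBody=65536)   # the 64 KB suggested above
    samples = {
        "plain GET": build_request(),
        "8200-byte URI": build_request(path=b"/" + b"a" * 8200),
        "101 header fields": build_request(headers=[(b"X-H", b"1")] * 100),
        "8198-byte header": build_request(headers=[(b"X-Long", b"v" * 8190)]),
        "70000-byte body": build_request(body=b"x" * 70000),
    }
    for label, req in samples.items():
        print(f"{label:18} defaults={check_request(req, defaults):3d} "
              f"hardened={check_request(req, hardened):3d}")
```

The "70000-byte body" case is the one that changes between the two limit sets: with the default LimitRequestBody of 0 it passes, with 64 KB it is rejected. The header cases count the Host field, which is why 100 added headers already exceed LimitRequestFields.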

Environment

Release:
Component: SMSPS