Slow read attack in HTTP/2

Valentin V. Bartenev vbart at
Fri Aug 19 11:58:37 UTC 2016

On Friday 19 August 2016 17:06:41 Sharan J wrote:
> Hi,
> Would like to know what timeouts should be configured to mitigate slow read
> attack in HTTP/2.

A quote from the commit:

 | Now almost all the request timeouts work like in HTTP/1.x connections, so
 | the "client_header_timeout", "client_body_timeout", and "send_timeout" are
 | respected. These timeouts close the request.

and the documentation links:

> Referred ->
> Could not understand what you have done when all streams are stuck on
> exhausted connection or stream windows. Please can you explain me the same.

Each stream has its own timeout configured by the directives mentioned above.
If there's no progress on a stream during one of these timeouts then the stream
is closed.

  wbr, Valentin V. Bartenev

More information about the nginx mailing list