The default setting for wserver_timeout is 180 seconds.
Does setting it to a lower value in sksconf help?
I just tested with 10 instead of 180.
If i revert my nginx changes and allow sks back to listening on public
ports, set wserver_timeout: 10 in /etc/sks/sksconf, and restart the sks
daemons, then yes: a single malingering connection can only block the
server for 10 seconds instead of 180 seconds.
The downside of this, of course, is that bandwidth-constrained clients
(like the one i mentioned earlier as performing an accidental DoS) will
probably just fail in their connections, however, since their tcp
streams are often stuttered with pauses >= 10 seconds.
So wserver_timeout: 10 is something of an improvement over the default
of 180, but it introduces its own problems. And the bar for a malicious
attacker isn't significantly raised -- they just need to make a new
request every 10 seconds instead of every 180 seconds, since the
settings change doesn't address the underlying concurrent requests issue.
As workarounds go, i think a reverse HTTP proxy is a better workaround,
but setting "wserver_timeout: 10" is probably a worthwhile improvement
if there's some reason that folks can't afford to just "apt-get install
nginx" (or whatever the equivalent is for your OS or your reverse proxy
of choice) immediately.
Regards,
--dkg
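
The trade-off described in the message above, as an added example that is not part of the original message or of the sks code: a toy model of a server that handles one connection at a time. It assumes the timeout caps the total time spent on a single connection; the names Conn, simulate and SAMPLE, and the traffic values, are constructed for illustration.

```python
from typing import NamedTuple


class Conn(NamedTuple):
    name: str
    arrival: float  # seconds since start when the client connects
    needs: float    # seconds of server time the request needs (inf = never completes)


def simulate(conns, timeout):
    """Serve connections strictly one after another, cutting each off at `timeout`.

    Returns {name: (seconds_waited_before_service, served)}.
    """
    clock = 0.0
    results = {}
    for c in sorted(conns, key=lambda c: c.arrival):
        start = max(clock, c.arrival)            # wait until the server is free
        served = c.needs < timeout               # finishes before the cut-off?
        clock = start + min(c.needs, timeout)    # server is busy until then
        results[c.name] = (start - c.arrival, served)
    return results


# Constructed sample traffic (not measurements from a real keyserver).
SAMPLE = [
    Conn("stalled", 0.0, float("inf")),  # connection that never completes
    Conn("fast", 1.0, 0.5),              # ordinary client
    Conn("slow-link", 2.0, 25.0),        # stuttering stream, needs 25 s in total
]

if __name__ == "__main__":
    for t in (180, 10):
        print(f"wserver_timeout: {t}")
        for name, (waited, served) in simulate(SAMPLE, t).items():
            state = "served" if served else "timed out"
            print(f"  {name:10s} waited {waited:6.1f}s  {state}")
```

With the lower timeout the ordinary client waits seconds instead of minutes, but the slow-link client is cut off. The server is still occupied by one connection at a time in both runs, which is the part a reverse proxy addresses.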