
Re: [Issue 3980] serf increases server load

From: Branko Čibej <brane_at_wandisco.com>
Date: Thu, 15 Nov 2012 17:12:54 +0100

On 15.11.2012 16:09, Mark Phippard wrote:
> On Thu, Nov 15, 2012 at 10:00 AM, C. Michael Pilato <cmpilato_at_collab.net> wrote:
>> On 11/15/2012 08:49 AM, Joe Schaefer wrote:
>>> Sure it can be done via config directives:
>>> just set an env var whenever some request
>>> is inconsequential and server admins can
>>> configure their logging to ignore that request.
>>> We already do that for svn operation logging.
>> I've been considering the same sorts of approaches recently (as a result of
>> this thread). But one thing has me bothered: from the server's point of
>> view, there's no meaningful difference between "a GET that's part of a
>> checkout/update" and "a GET that's part of some other non-update-y operation".
>>
>> Does that mean that we give the client the power to mark particular GET
>> requests as "below radar"? That doesn't seem very ... audit-friendly.
>> (Granted, no one is forcing the server admin to ignore said GET requests.)
>>
>> If we don't feel comfortable giving the client this power, then I think our
>> only option is to advise admins to ignore all GET requests aimed at
>> Subversion repositories (which has the bonus feature of not requiring any
>> work on our part).
> When I do a GET using a web browser or wget, the logged request is for
> something like:
>
> /svn/repos/trunk/foo.txt
>
> But when I do a checkout using Serf, the logged request is for something like:
>
> /svn/repos/!svn/ver/2/trunk/foo.txt
>
> Could we give admins the ability to not log the requests for !svn ?
>
> We would probably also want the Subversion operational logs to not
> include the get-file log entry for these files as well.

Given that versioned resource URLs are predictable in HTTPv2, this
wouldn't really plug any holes if we're concerned about attackers
sneaking in DoS without them showing up in the server logs. And I think
we issue such requests for 'svn cat' as well.

Still, I can't think of any reason why administrators couldn't rotate
logs of specifically that kind of GET of versioned resources more often
than other access logs.

-- Brane

-- 
Branko Čibej
Director of Subversion | WANdisco | www.wandisco.com
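As an added example (not from this thread or the Subversion project) of the env-based log routing Joe and Mark describe: Apache's SetEnvIf marks requests on the !svn path and CustomLog's env= condition sends them to their own access log, which can be rotated on a shorter schedule as Brane suggests, instead of being dropped. The /svn location prefix, the log file paths and the variable name svn_internal are assumptions.

```apache
# Added example, not configuration from the thread. Routes Subversion's
# internal (!svn) requests to a separate access log so it can be rotated
# more often, while every request still lands on disk for audit.
# The /svn prefix, log paths and the svn_internal name are assumptions.

# Mark versioned-resource requests such as
#   GET /svn/repos/!svn/ver/2/trunk/foo.txt
SetEnvIf Request_URI "^/svn/[^/]+/!svn/" svn_internal

# Ordinary requests (browser or wget GETs like /svn/repos/trunk/foo.txt)
# stay in the normal access log.
CustomLog "logs/access_log" combined env=!svn_internal

# !svn traffic goes to its own log, rotated hourly by rotatelogs.
CustomLog "|/usr/bin/rotatelogs -l logs/svn_internal_log.%Y%m%d%H 3600" \
    combined env=svn_internal
```

Keeping the entries in a second log rather than suppressing them preserves the audit trail Mike and Brane were concerned about; it does not change the server load the issue itself is about.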
Received on 2012-11-15 17:13:32 CET

This is an archived mail posted to the Subversion Dev mailing list.