Information
The 'RequestReadTimeout' directive allows setting timeout values for the body portion of a request. The directive provides for an initial timeout value, a maximum timeout, and a minimum rate. The minimum rate specifies that after the initial timeout, the server will wait an additional second for each N bytes received. The recommended setting is to have a maximum timeout of '20' seconds or less.
Rationale:
It is not sufficient to timeout only on the header portion of the request, as the server will still be vulnerable to attacks like the OWASP Slow 'POST' attack, which provide the body of the request very slowly. Therefore, the body portion of the request must have a timeout as well. A timeout of '20' seconds or less is recommended.
Solution
Perform the following to implement the recommended state:
1. Load the 'mod_requesttimeout' module in the Apache configuration with the following.
LoadModule reqtimeout_module modules/mod_reqtimeout.so
2. Add a 'RequestReadTimeout' directive similar to the one below with the maximum request body timeout value of '20' seconds or less.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500