I am new here and new to tus. Just wondering if tus is capable of passing through security appliances, e.g. WAF, IPS or else? I mean…em…security appliances used to treat partial HTTP requests as attacks and things like slowloris…so is there any mechanism in tus that has a thought of that?
Hi there, welcome to the tus community!
I don’t have much experience with WAF or similar but what would be necessary from tus’ side to work properly with security appliances? Is it not possible to configure the firewall to let tus traffic through?
Then how to label tus traffic? I mean if tus has any specific design/tag or something like that so the appliance can recognize it?
There are three basic ways you can label tus traffic:
- Match the traffic by destination URL (e.g. if your tus server lives at example.com/files/, you can mark traffic going to example.com/files/ as tus).
- Every tus request and response must contain the Tus-Resumable header.
- Every tus request with upload data (i.e. a partial upload) must contain the “Content-Type: application/octet-stream+offset” header.
Hm…but is it possible to make up a request using these?
I mean if I write a slowloris attack using these header values…hm…will I still be successful?
Yes, those headers can also be faked, as can happen for any HTTP request. Frankly, I am not sure what solution you are looking for? I haven’t worked a lot with WAF, so maybe you can describe how other API services are usually solving these problems.
Hm…I mean tus is great because it can ‘resume’…just ‘attacks’ are bad that they trigger like ‘resume’…just wondering if I can have something best of both worlds…because big websites are always under attack…and those websites would like to have upload functions…hm…
I can understand that you want to secure your servers. However, I believe that this is not a tus-specific problem but something that every upload server has to deal with. Do you know how other upload servers are dealing with their firewalls?
Hm…I don’t know much about ‘specifics’…the options in my mind are just ‘drop’ or ‘allow’…that’s why I don’t know how to figure out ‘fake’ or ‘dirty’ attacks…hm…
I can’t help you with setting up your firewall, that’s up to you. Maybe you want to get in touch with your firewall supplier and talk to them about what’s the best solution. Or maybe you want to use IP rate limiting to detect attacks.
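Added example, not part of the original thread: a sketch that combines the labelling described above (URL prefix plus the Tus-Resumable header) with per-IP rate limiting of upload requests. Because the headers can be faked, the label only decides which traffic the limit applies to. The path prefix, window, threshold and log records are constructed assumptions; PATCH is the method the tus protocol uses for upload data.

```python
from collections import defaultdict, deque

TUS_PATH_PREFIX = "/files/"   # assumed upload path, as in the thread's example.com/files/
WINDOW_SECONDS = 10           # assumed sliding-window length
MAX_PATCH_PER_WINDOW = 3      # assumed per-IP budget of upload (PATCH) requests

def is_tus_request(path, headers):
    """Label a request as tus: destination URL prefix plus Tus-Resumable header."""
    names = {name.lower() for name in headers}  # header names are case-insensitive
    return path.startswith(TUS_PATH_PREFIX) and "tus-resumable" in names

def review(requests):
    """requests: time-ordered (ts, ip, method, path, headers) tuples.
    Returns (unlabelled, limited): requests to the upload path that lack
    the tus header, and IPs that exceeded the PATCH budget."""
    recent = defaultdict(deque)          # ip -> timestamps of recent tus PATCHes
    unlabelled, limited = [], set()
    for ts, ip, method, path, headers in requests:
        if not is_tus_request(path, headers):
            if path.startswith(TUS_PATH_PREFIX):
                unlabelled.append((ip, path))   # hit the upload path without the header
            continue
        if method != "PATCH":
            continue                     # only requests carrying upload data are counted
        window = recent[ip]
        window.append(ts)
        while ts - window[0] >= WINDOW_SECONDS:
            window.popleft()             # drop timestamps that left the window
        if len(window) > MAX_PATCH_PER_WINDOW:
            limited.add(ip)
    return unlabelled, limited

TUS = {"Tus-Resumable": "1.0.0"}
SAMPLE = [  # constructed records; IPs are from documentation ranges
    (0, "198.51.100.7", "POST", "/files/", TUS),
    (1, "198.51.100.7", "PATCH", "/files/abc", TUS),
    (2, "203.0.113.9", "PATCH", "/files/def", TUS),
    (3, "203.0.113.9", "PATCH", "/files/def", TUS),
    (4, "203.0.113.9", "PATCH", "/files/def", TUS),
    (5, "203.0.113.9", "PATCH", "/files/def", TUS),
    (6, "203.0.113.9", "PATCH", "/files/def", TUS),
    (7, "192.0.2.44", "PATCH", "/files/xyz", {}),
    (20, "198.51.100.7", "PATCH", "/files/abc", TUS),
]

if __name__ == "__main__":
    print(review(SAMPLE))
```

A client that resumes an upload after a pause, like 198.51.100.7 here, stays under the budget, while a burst of partial uploads from one address is flagged.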