From 2b7c654aabc3d0261f3482c1b4a1a37b91b0b2c3 Mon Sep 17 00:00:00 2001
From: Dan Scott <dan@coffeecode.net>
Date: Fri, 17 Jun 2011 12:30:12 -0400
Subject: [PATCH] Set AC timeout value to 3 seconds and describe tradeoffs

As discussed on the Evergreen Development mailing list, the higher the
AC timeout value, the greater the risk of a denial of service. 30 is
therefore too high to be comfortable as a default setting, so we're
dropping it down to 3 as a compromise between the original value of 1
(which resulted in a number of request timing out where added content
was actually available) and the much-less-safe 30.

In addition, we document inline the risk/reward of different values and
provide some justification for the default value that we chose, so that
Evergreen system administrators will have guidance when tweaking this
setting.

Signed-off-by: Dan Scott <dscott@laurentian.ca>
Signed-off-by: Mike Rylander <mrylander@gmail.com>
---
 Open-ILS/examples/opensrf.xml.example | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
index 6eaf225e62..fd167305c6 100644
--- a/Open-ILS/examples/opensrf.xml.example
+++ b/Open-ILS/examples/opensrf.xml.example
@@ -279,16 +279,28 @@ vim:et:ts=4:sw=4:
 
 
         <added_content>
-
             <!-- load the OpenLibrary added content module -->
             <module>OpenILS::WWW::AddedContent::OpenLibrary</module>
 
             <!--
             Max number of seconds to wait for an added content request to 
             return data.  Data not returned within the timeout is considered
-            a failure
+            a failure.
+
+            Note that the pool of Apache processes used by the AddedContent
+            module is the same pool used by core Evergreen processes such as
+            search, circulation, etc. Therefore, the higher you set this
+            timeout value, the more likely you are to run out of available
+            Apache processes resulting in an accidental (or purposeful) denial
+            of service - particularly if the added content server starts
+            responding abnormally slowly.
+
+            The safest option is to disable the AddedContent module completely,
+            but 3 seconds is a compromise between the threat of a denial of
+            service and the enhanced user experience offered by successful added
+            content requests.
             -->
-            <timeout>30</timeout>
+            <timeout>3</timeout>
 
             <!--
             After added content lookups have been disabled due to too many
-- 
2.11.0