2

We have been recommended to enable keep alive to increase site speed. However, our infrastructure team have mentioned the following security concern:

This could be used for a denial of service attack if it is not handled properly. If these keep alive sessions effectively last, say for 10 minutes, the server has to keep this connection open for 10 minutes regardless whether any requests or responses are being made. This alone would take up unnecessary server resources that could be used for active connections. An attacker could create multiple TCP connections to a server to overload it with requests to the point it cannot handle anymore because of these open sessions.

Is this something that anyone has considered and if so, is a 5 second connection worth it?

Kirsty Simms
  • 1,257
  • 8
  • 20
  • 1
    There are so many ways to increase pagepseed without touching network protocol. 1. Your site might use 50% unused css code, use google dev audit tool and check yourself 2. Your site need to use svg icons instead of jpg/png which may return into avoid extra http request 3. Your site might used un-optimized images without setting it's actual dimension(Don't use reponsive images with auto height dimension) which may return to repaint browser window again. 4. Your css and js might not minify(Use short name in function name in js/css, which may return into 20% less code. – Goyllo Feb 23 '17 at 12:24
  • By d way HTTP/2 does not use the Connection header – Goyllo Feb 23 '17 at 12:46

2 Answers2

1

Don't change it. If you do not understand what this does, don't change this type of setting. Frankly, I doubt it'll help anyway if you make any changes, as most settings on a webserver are balanced default settings. If it's off you can turn it on, but changing the settings is more of a special-case-solution.

If it's speed you're after, I suggest the following:

  • Cache everything that can be cached 1
  • Minimize css, html and javascript 2
  • Minimize the number of resources(files) you download 2
  • Optimize images with services like Kraken.io to reduce size
  • Enabled gzipping 1

That'll actually give you a noticable difference.

1Tip: You can easily do this with .htaccess
2Tip: Make a single php file to do this for you

Martijn
  • 6,806
  • 17
  • 36
  • Some good advice in your answer, but can you justify your "doubt it'll help anyway" comment? Enabling keep-alive is a common page speed recommendation for a reason. – Tim Fountain Feb 23 '17 at 12:33
  • Expanded my answer a bit. This is partly based on experience, you can (unknowingly) destroy more than you fix. Too many too persitant connections are not your friend when you have a lot of visitors :) – Martijn Feb 23 '17 at 13:33
1

Use a keepalive timeout, but do it with Nginx.

Your points about DDoS and performance are correct, but there is a fairly simple way to use a keepalive timeout for performance without worrying that attackers will open more TCP connections than your server can handle. With Nginx proxying connections for you, it uses its own local pool of keepalive conections back to your server(s) so you don't have to worry about this kind of abuse. illustration of Nginx concurrency One thing to remember though, IE closes connections after 60 seconds by itself so there's no point in setting it longer if you have many IE users.

Your question does not mention which server or protocol (HTTP / HTTPS?) you use, but you should definitely look at using HTTP/2 to serve your site over TLS if high concurrency and speed are the objective.

Tom Brossman
  • 2,291
  • 16
  • 20