
By bertboerland
[posted this as a blog on http://www.drupal.org/module.php?mod=comment&op=reply&id=684]
I have noticed that my cron.php script on my site can take quite some time; up to minutes and some CPU cycles.
Now I was thinking: if I would wget the cron.php's on these known Drupal sites, I would make it harder on these sites and harder on drupal.org as well, since these sites will update drupal.org pages as well.
It seems rather easy to DoS the known Drupal sites and kind of DDoS drupal.org. Am I right on this one?
Solutions: someobscurecronname.php, .htaccess, naming it on the cron page in the Drupal handbook? What is your idea?
Comments
these
Missing link: "these known drupal sites" should have been a link to these known Drupal sites.
--
groets
bert boerland
Maybe a submitted 'passphrase'
Maybe a submitted 'passphrase' could do this.
For local cron jobs it does not even have to be encrypted, necessarily.
The more security is needed, the more complex the given passphrase could be:
- rot13: not really secure, but looks nice to not-so-smart hackers
- secret-key or public-key encryption
- known hosts: create a table knownhosts (e.g.), insert all hosts where update requests may come from, and let cron.php check against it.
- and so on
local cron jobs
For local cron jobs you can restrict http access to cron.php to your own IP address. You can also do this for remote hosts - as long as the calling host has a static address. Even with a dynamic address you can limit the access to the whole subnet of your provider, locking out the rest of the world.
If you have to call cron.php from very random IP addresses and you have SSH access to your web server, you can get some security by limiting access to cron.php to localhost, SSHing to the web server with a passwordless key and starting wget there. On the other hand, chances are good that if you have SSH access you can also set up local cron jobs...
Or implement security through obscurity (of course that doesn't work but one may want to use it anyway) as the easiest approach - instead of giving an always-the-same password in the URL you could simply rename cron.php to MySup3rsecr3Tcr0n.php and feel safe, but not too safe.
And a last thought on this: Cron jobs can run long, but they seldom eat up many CPU cycles. Most time is spent waiting for RSS feeds to answer. If all RSS feeds are up to date the cron run takes about one or two seconds on my ancient machine, so I doubt that you can easily DOS someone by calling cron.php. I have not tested what happens if cron.php gets called multiple times at once...
I forgot
drupal.module:

    function drupal_cron() {
      if (time() - variable_get("drupal_cron_last", 0) > insert_a_suitable_time) {
        ...
      }
    }

So a multiple call wouldn't (shouldn't) cause the function to update if the suitable time did
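The three ideas in this thread (restricting cron.php to known callers, a submitted passphrase, and the drupal_cron() time check) combined into one guard for the cron.php entry point. This is an added example, not Drupal's code; the constant names, the query parameter "key", the DRUPAL_CRON_KEY environment variable and the last-run file are assumptions.

```php
<?php
// Added example (not Drupal's own code): guard for a cron.php entry point.
// Hypothetical names: CRON_ALLOWED_IPS, CRON_KEY, CRON_MIN_INTERVAL, CRON_LAST_RUN_FILE.

define('CRON_ALLOWED_IPS', ['127.0.0.1', '::1']);      // callers allowed to trigger cron
define('CRON_KEY', getenv('DRUPAL_CRON_KEY') ?: '');    // shared secret, kept out of the code
define('CRON_MIN_INTERVAL', 3600);                      // seconds between accepted runs
define('CRON_LAST_RUN_FILE', sys_get_temp_dir() . '/cron_last_run');

function cron_request_allowed(string $remote_ip, ?string $key, int $now, int $last_run): bool {
    // 1. Network check: the same allow-list an .htaccess rule would enforce,
    //    for setups where the web server config cannot be changed.
    if (!in_array($remote_ip, CRON_ALLOWED_IPS, true)) {
        return false;
    }
    // 2. Passphrase check: constant-time comparison, and refuse to run at all
    //    if no secret has been configured.
    if (CRON_KEY === '' || $key === null || !hash_equals(CRON_KEY, $key)) {
        return false;
    }
    // 3. Rate limit: the drupal_cron() interval check from the thread, applied to
    //    the whole entry point so repeated fetches do not restart the expensive work.
    return ($now - $last_run) >= CRON_MIN_INTERVAL;
}

function cron_read_last_run(string $file): int {
    return is_file($file) ? (int) file_get_contents($file) : 0;
}

// Request handling: one 403 for every failure reason, so the response does not
// tell the caller which of the three checks it failed.
$remote_ip = $_SERVER['REMOTE_ADDR'] ?? '';
$key       = $_GET['key'] ?? null;
$now       = time();
$last_run  = cron_read_last_run(CRON_LAST_RUN_FILE);

if (!cron_request_allowed($remote_ip, $key, $now, $last_run)) {
    http_response_code(403);
    exit;
}

// Record the run before starting the work, so a second request arriving during
// a long run is refused by the interval check instead of running cron twice.
file_put_contents(CRON_LAST_RUN_FILE, (string) $now, LOCK_EX);

// ... the actual cron work (feed refresh, index update, ...) goes here.
```

The secret is passed as a query parameter only for parity with the thread's wget-based callers; on a shared host it will appear in the web server's access log, so the IP allow-list and interval check are what keep an exposed key from doing much harm.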
Is this an old thread or what
Is this an old thread or what?
the numbers give it away
"October 20, 2002", those numbers are called a "date"
btw: happy holidays
--
groets
bert boerland