Re: contrib: auth_delay module

Jeff Janes <jeff.janes@gmail.com>

From: Jeff Janes <jeff.janes@gmail.com>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Stephen Frost <sfrost@snowman.net>, Jan Urbański <wulczer@wulczer.org>, Itagaki Takahiro <itagaki.takahiro@gmail.com>, KaiGai Kohei <kaigai@kaigai.gr.jp>, PostgreSQL-Hackers <pgsql-hackers@postgresql.org>, KaiGai Kohei <kaigai@ak.jp.nec.com>
Date: 2010-11-28T22:41:25Z
Lists: pgsql-hackers
On Sun, Nov 28, 2010 at 5:38 AM, Robert Haas <robertmhaas@gmail.com> wrote:
> On Sat, Nov 27, 2010 at 2:44 PM, Jeff Janes <jeff.janes@gmail.com> wrote:

>> I haven' t thought of a way to test this, so I guess I'll just ask.
>> If the attacking client just waits a few milliseconds for a response
>> and then drops the socket, opening a new one, will the server-side
>> walking-dead process continue to be charged against max_connections
>> until it's sleep expires?
>
> I'm not sure, either.  I suspect the answer is yes.  I guess you could
> test this by writing a loop like this:
>
> while true; do psql <connection parameters that will fail authentication>; done
>
> ...and then hitting ^C every few seconds during execution.  After
> doing that for a bit, run select * from pg_stat_activity or ps auxww |
> grep postgres in another window.

Right, I didn't think of using psql, I thought I'd have to wrangle my
own socket code.

I wrote up a perl script that spawns psql and immediately kills it.  I
quickly start getting "psql: FATAL:  sorry, too many clients already"
errors.  And that condition doesn't clear until the sleep expires on
the earliest ones spawned.

So it looks like the max_connections is charged until the auth_delay expires.

Cheers,

Jeff