[sync] Efficient handling of denied CalDAV-Requests

Jens Wahnes wahnes at uni-koeln.de
Thu Mar 31 14:51:16 UTC 2016


Hi,

in our setup, we have a number of users that use CalDAV to access both 
their own calendars and calendars that other users have shared with 
them. Of the shared calendars, of course not all allow write access.

When a CalDAV client tries to write to such a calendar for which it does 
not have permissions, then of course access to it is denied and the 
calendar remains unchanged.  However, there seem to be many clients out 
there that repeat this kind of "unsuccessful" request over and over 
again.  That is, these clients do not get the fact that they will never 
be able to write to the calendar and over time they send a huge amount 
of requests that have to be denied each and every time.  The amount of 
requests grows steadily as CalDAV users keep adding events to calendars 
that they cannot write to -- in the CalDAV client, these events are 
often displayed just fine.

These denied requests already make up a substantial amount of the total 
traffic we see on our Horde servers.  We already tried to block some of 
these requests on the webserver level, but with limited success.  In 
such an event, the clients will receive an HTTP error 403 from Apache 
when trying to write to a certain calendar that they are not supposed to 
write to, but even that does not stop them from retrying the write 
request every couple of seconds.  So having Apache block requests is a 
nice start because it costs less performance than a full-blown Horde PHP 
request with authentication and what else, but fiddling with the Apache 
config to sort out which requests to deny is pretty complicated and 
error prone.

So it looks like we have to deal with the fact that these kinds of 
requests show up often.  As a result, I am looking for other/better ways 
to handle these kinds of repeating nonsense requests.  Has anyone got 
similar trouble and found a way around it?  For example, does putting a 
Varnish server in front help?  I'm not sure if Varnish would be able to 
cache the "access denied" answer to "HTTP basic" authenticated CalDAV 
(WebDAV) requests.


Jens
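
One way to measure the retry pattern described in the message, as an added example that is not part of the original post: a Python sketch that groups denied (403) write requests from an Apache access log by user and calendar collection. The log lines, user names and URL paths are constructed sample data, and treating the request path minus its last segment as the collection is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Start of an Apache common/combined log line: host, user, time, request, status.
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
WRITE_METHODS = {"PUT", "DELETE", "PROPPATCH", "MKCALENDAR", "MOVE", "COPY", "POST"}

def repeated_denials(lines, min_count=3):
    """Return (user, collection, denied_writes, median_gap_seconds), busiest first."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        _host, user, ts, method, path, status = m.groups()
        if status != "403" or method not in WRITE_METHODS:
            continue  # only denied write attempts are of interest
        # Assumption: the collection is the path without the event resource name.
        collection = path.rsplit("/", 1)[0] + "/"
        hits[(user, collection)].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    report = []
    for (user, collection), times in hits.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A single denial has no retry interval, so report None for it.
        report.append((user, collection, len(times), median(gaps) if gaps else None))
    return sorted(report, key=lambda row: row[2], reverse=True)

def _sample(user, clock, method, path, status):
    # Builds one constructed log line; address, base URL and size are made up.
    return (f'192.0.2.10 - {user} [31/Mar/2016:{clock} +0000] '
            f'"{method} /rpc.php/calendars/{path} HTTP/1.1" {status} 199')

SAMPLE = [  # constructed sample data, not taken from a real server
    _sample("alice", "14:00:00", "PUT", "alice/shared-team/ev1.ics", 403),
    _sample("alice", "14:00:05", "PUT", "alice/shared-team/ev1.ics", 403),
    _sample("bob", "14:00:06", "PUT", "bob/private/ev7.ics", 201),
    _sample("alice", "14:00:10", "PUT", "alice/shared-team/ev2.ics", 403),
    _sample("bob", "14:00:12", "PUT", "bob/shared-team/ev9.ics", 403),
    _sample("alice", "14:00:15", "PUT", "alice/shared-team/ev1.ics", 403),
    _sample("alice", "14:00:20", "PROPFIND", "alice/shared-team/", 207),
]

if __name__ == "__main__":
    for user, collection, count, gap in repeated_denials(SAMPLE):
        print(f"{user} {collection} denied={count} median_gap={gap}s")
```

The resulting list of user and collection pairs shows which denials are actually being retried, which is the input needed before deciding what to block or cache in front of Horde.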

