[sync] Efficient handling of denied CalDAV-Requests

Jan Schneider jan at horde.org
Mon Apr 4 09:06:21 UTC 2016 

Zitat von Jens Wahnes <wahnes at uni-koeln.de>:

> Hi,
>
> in our setup, we have a number of users that use CalDAV to access  
> both their own calendars and calendars that other users have shared  
> with them. Of the shared calendars, of course not all allow write  
> access.
>
> When a CalDAV client tries to write to such a calendar for which it  
> does not have permissions, then of course access to it is denied and  
> the calendar remains unchanged.  However, there seem to be many  
> clients out there that repeat this kind of "unsuccessful" request  
> over and over again.  That is, these clients to not get the fact  
> that they will never be able to write to the calendar and over time  
> they send a huge amount of requests that have to be denied each and  
> every time.  The amount of requests grows steadily as CalDAV users  
> keep adding events to calendars that they cannot write to -- in the  
> CalDAV client, these events are often displayed just fine.
>
> These denied requests already make up a substantial amount of the  
> total traffic we see on our Horde servers.  We already tried to  
> block some of these requests on the webserver level, but with  
> limited success.  In such an event, the clients will receive an HTTP  
> error 403 from Apache when trying to write to a certain calendar  
> that they are not supposed to write to, but even that does not stop  
> them from retrying the write request every couple of seconds.  So  
> having Apache block requests is a nice start because it costs less  
> performance than a full-blown Horde PHP request with authentication  
> and what else, but fiddling with the Apache config to sort out which  
> requests to deny is pretty complicated and error prone.
>
> So it looks like we have to deal with the fact that these kinds of  
> requests show up often.  As a result, I am looking for other/better  
> ways to handle these kinds of repeating nonsense requests.  Has  
> anyone got similar trouble and found a way around it?  For example,  
> does putting a Varnish server in front help?  I'm not sure if  
> Varnish would be able to cache the "access denied" answer to "HTTP  
> basic" authenticated CalDAV (WebDAV) requests.
>
>
> Jens

Maybe you could talk to the developers of the affected clients and ask  
them to support the current-user-privilege-set property that we  
propagate correctly according to the user's permissions on a share.

-- 
Jan Schneider
The Horde Project
http://www.horde.org/

More information about the sync mailing list