nginx.git/src/http/v2, branch release-1.17.0 nginx HTTP/2: limit the number of idle state switches. 2018-11-06T13:29:49+00:00 Ruslan Ermilov ru@nginx.com 2018-11-06T13:29:49+00:00 60b93594cca9cb5d63f26e724c458ccb380ac540 An attack that continuously switches HTTP/2 connection between idle and active states can result in excessive CPU usage. This is because when a connection switches to the idle state, all of its memory pool caches are freed. This change limits the maximum allowed number of idle state switches to 10 * http2_max_requests (i.e., 10000 by default). This limits possible CPU usage in one connection, and also imposes a limit on the maximum lifetime of a connection. Initially reported by Gal Goldshtein from F5 Networks. 
An attack that continuously switches HTTP/2 connection between
idle and active states can result in excessive CPU usage.
This is because when a connection switches to the idle state,
all of its memory pool caches are freed.

This change limits the maximum allowed number of idle state
switches to 10 * http2_max_requests (i.e., 10000 by default).
This limits possible CPU usage in one connection, and also
imposes a limit on the maximum lifetime of a connection.

Initially reported by Gal Goldshtein from F5 Networks.
HTTP/2: flood detection. 2018-11-06T13:29:35+00:00 Ruslan Ermilov ru@nginx.com 2018-11-06T13:29:35+00:00 8ec4146e1aad3a4fc0b19a024f8ef3516791e30c Fixed uncontrolled memory growth in case peer is flooding us with some frames (e.g., SETTINGS and PING) and doesn't read data. Fix is to limit the number of allocated control frames. 
Fixed uncontrolled memory growth in case peer is flooding us with
some frames (e.g., SETTINGS and PING) and doesn't read data.  Fix
is to limit the number of allocated control frames.
Fixed socket leak with "return 444" in error_page (ticket #274). 2018-09-21T12:59:30+00:00 Maxim Dounin mdounin@mdounin.ru 2018-09-21T12:59:30+00:00 e4a3211e2f651c6f25466ba8a8337ea1aa020c53 Socket leak was observed in the following configuration: error_page 400 = /close; location = /close { return 444; } The problem is that "return 444" triggers termination of the request, and due to error_page termination thinks that it needs to use a posted request to clear stack. But at the early request processing where 400 errors are generated there are no ngx_http_run_posted_requests() calls, so the request is only terminated after an external event. Variants of the problem include "error_page 497" instead (ticket #695) and various other errors generated during early request processing (405, 414, 421, 494, 495, 496, 501, 505). The same problem can be also triggered with "return 499" and "return 408" as both codes trigger ngx_http_terminate_request(), much like "return 444". To fix this, the patch adds ngx_http_run_posted_requests() calls to ngx_http_process_request_line() and ngx_http_process_request_headers() functions, and to ngx_http_v2_run_request() and ngx_http_v2_push_stream() functions in HTTP/2. Since the ngx_http_process_request() function is now only called via other functions which call ngx_http_run_posted_requests(), the call there is no longer needed and was removed. 
Socket leak was observed in the following configuration:

    error_page 400 = /close;

    location = /close {
        return 444;
    }

The problem is that "return 444" triggers termination of the request,
and due to error_page termination thinks that it needs to use a posted
request to clear stack.  But at the early request processing where 400
errors are generated there are no ngx_http_run_posted_requests() calls,
so the request is only terminated after an external event.

Variants of the problem include "error_page 497" instead (ticket #695)
and various other errors generated during early request processing
(405, 414, 421, 494, 495, 496, 501, 505).

The same problem can be also triggered with "return 499" and "return 408"
as both codes trigger ngx_http_terminate_request(), much like "return 444".

To fix this, the patch adds ngx_http_run_posted_requests() calls to
ngx_http_process_request_line() and ngx_http_process_request_headers()
functions, and to ngx_http_v2_run_request() and ngx_http_v2_push_stream()
functions in HTTP/2.

Since the ngx_http_process_request() function is now only called via
other functions which call ngx_http_run_posted_requests(), the call
there is no longer needed and was removed.
HTTP/2: workaround for clients which fail on table size updates. 2018-08-09T17:12:17+00:00 Maxim Dounin mdounin@mdounin.ru 2018-08-09T17:12:17+00:00 0d224602e966c431674958dabcaa451c99539352 There are clients which cannot handle HPACK's dynamic table size updates as added in 12cadc4669a7 (1.13.6). Notably, old versions of OkHttp library are known to fail on it (ticket #1397). This change makes it possible to work with such clients by only sending dynamic table size updates in response to SETTINGS_HEADER_TABLE_SIZE. As a downside, clients which do not use SETTINGS_HEADER_TABLE_SIZE will continue to maintain default 4k table. 
There are clients which cannot handle HPACK's dynamic table size updates
as added in 12cadc4669a7 (1.13.6).  Notably, old versions of OkHttp library
are known to fail on it (ticket #1397).

This change makes it possible to work with such clients by only sending
dynamic table size updates in response to SETTINGS_HEADER_TABLE_SIZE.  As
a downside, clients which do not use SETTINGS_HEADER_TABLE_SIZE will
continue to maintain default 4k table.
HTTP/2: use scheme from original request for pushes (closes #1549). 2018-06-07T17:04:22+00:00 Ruslan Ermilov ru@nginx.com 2018-06-07T17:04:22+00:00 fb3a9e28b233f3c2823487378622e7cf4284857a Instead of the connection scheme, use scheme from the original request. This fixes pushes when SSL is terminated by a proxy server in front of nginx. 
Instead of the connection scheme, use scheme from the original request.
This fixes pushes when SSL is terminated by a proxy server in front of
nginx.
Added r->schema. 2018-06-07T17:01:41+00:00 Ruslan Ermilov ru@nginx.com 2018-06-07T17:01:41+00:00 f11a9cbdd0f5806131e4308d2ce98a2a97ca4007 For HTTP/1, it keeps scheme from the absolute form of URI. For HTTP/2, the :scheme request pseudo-header field value. 
For HTTP/1, it keeps scheme from the absolute form of URI.
For HTTP/2, the :scheme request pseudo-header field value.
HTTP/2: validate client request scheme. 2018-06-07T08:47:10+00:00 Ruslan Ermilov ru@nginx.com 2018-06-07T08:47:10+00:00 94a2ce426fc36a6c82411a331bb18bf129c6d014 The scheme is validated as per RFC 3986, Section 3.1. 
The scheme is validated as per RFC 3986, Section 3.1.
HTTP/2: improved frame info debugging. 2018-03-19T18:32:15+00:00 Ruslan Ermilov ru@nginx.com 2018-03-19T18:32:15+00:00 74ea120f7d7445f0874add2c4f40f13de3bd5723 






gRPC: special handling of "trailer only" responses.
2018-03-17T20:04:26+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-03-17T20:04:26+00:00

6559a420134b0f52ce2d4f147bdd92269ad5f677

The gRPC protocol makes a distinction between HEADERS frame with
the END_STREAM flag set, and a HEADERS frame followed by an empty
DATA frame with the END_STREAM flag.  The latter is not permitted,
and results in errors not being propagated through nginx.  Instead,
gRPC clients complain that "server closed the stream without sending
trailers" (seen in grpc-go) or "13: Received RST_STREAM with error
code 2" (seen in grpc-c).

To fix this, nginx now returns HEADERS with the END_STREAM flag if
the response length is known to be 0, and we are not expecting
any trailer headers to be added.  And the response length is
explicitly set to 0 in the gRPC proxy if we see initial HEADERS frame
with the END_STREAM flag set.





The gRPC protocol makes a distinction between HEADERS frame with
the END_STREAM flag set, and a HEADERS frame followed by an empty
DATA frame with the END_STREAM flag.  The latter is not permitted,
and results in errors not being propagated through nginx.  Instead,
gRPC clients complain that "server closed the stream without sending
trailers" (seen in grpc-go) or "13: Received RST_STREAM with error
code 2" (seen in grpc-c).

To fix this, nginx now returns HEADERS with the END_STREAM flag if
the response length is known to be 0, and we are not expecting
any trailer headers to be added.  And the response length is
explicitly set to 0 in the gRPC proxy if we see initial HEADERS frame
with the END_STREAM flag set.







HTTP/2: externalized various constants and interfaces.
2018-03-17T20:04:20+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-03-17T20:04:20+00:00

c554dd1434e1378ac5f83a97b6d250b772941498