[PATCH] HTTP/2: don't limit number of requests per HTTP/2 connection
Valentin V. Bartenev
vbart at nginx.com
Wed Aug 30 22:54:31 UTC 2017
On Thursday, 31 August 2017 0:55:21 MSK Piotr Sikora via nginx-devel wrote:
> # HG changeset patch
> # User Piotr Sikora <piotrsikora at google.com>
> # Date 1504129797 25200
> # Wed Aug 30 14:49:57 2017 -0700
> # Node ID 49b677bf2ae7ab92499766e8184ddcbf7a4233f9
> # Parent c7d4017c8876af6d8570e400320537d7d39e9578
> HTTP/2: don't limit number of requests per HTTP/2 connection.
> Previous default limit (1000 requests) and lack of graceful shutdown
> could result in loss of requests, when clients were unable to retry.
> Signed-off-by: Piotr Sikora <piotrsikora at google.com>
This opens a vector for a DoS attack. There are some configurations
where memory can be allocated from the connection pool for each request.
Removing a reasonable enough limit for requests per connection
potentially allows an attacker to grow this pool until a worker
process is killed due to OOM.
The problem should be solved by introducing "lingering close",
similar to HTTP/1.x.
wbr, Valentin V. Bartenev