[PATCH] HTTP/2: don't limit number of requests per HTTP/2 connection
piotrsikora at google.com
Wed Aug 30 23:14:03 UTC 2017
> This opens a vector for dos attack. There are some configurations
> when memory can be allocated from connection pool for each request.
> Removing a reasonable enough limit for requests per connection
> potentially allow an attacker to grow this pool until a worker
> process will be killed due to OOM.
> The problem should be solved by introducing "lingering close",
> similar to HTTP/1.x.
Yes, the proper solution is graceful shutdown via 2-stage GOAWAY,
as defined in RFC7540, Section 6.8, but I don't have capacity to
work on it now, and above patch is IMHO better than lost requests.
More information about the nginx-devel