[PATCH] HTTP/2: don't limit number of requests per HTTP/2 connection
piotrsikora at google.com
Mon Mar 12 20:37:34 UTC 2018
Just as a reminder, limiting HTTP/2 connections to 1000 requests without
graceful shutdown via 2-stage GOAWAY is still an issue and while this
might work with browsers, you're going to break gRPC-based
microservices proxied via NGINX pretty badly, so you should either
implement graceful shutdown or stop limiting number of requests by

On Wed, Aug 30, 2017 at 4:14 PM, Piotr Sikora <piotrsikora at google.com> wrote:
> Hey Valentin,
>> This opens a vector for DoS attack. There are some configurations
>> when memory can be allocated from connection pool for each request.
>> Removing a reasonable enough limit for requests per connection
>> potentially allows an attacker to grow this pool until a worker
>> process will be killed due to OOM.
>> The problem should be solved by introducing "lingering close",
>> similar to HTTP/1.x.
> Yes, the proper solution is graceful shutdown via 2-stage GOAWAY,
> as defined in RFC7540, Section 6.8, but I don't have capacity to
> work on it now, and the above patch is IMHO better than lost requests.
> Best regards,
> Piotr Sikora
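
The two-stage GOAWAY shutdown from RFC 7540, Section 6.8 that this thread refers to, shown in C as an added example (not nginx code and not part of the original messages). The function names and the stream ids in the note below are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define H2_FRAME_GOAWAY  0x7u
#define H2_NO_ERROR      0x0u
#define H2_MAX_STREAM_ID 0x7fffffffu   /* 2^31-1, used by the first GOAWAY */
#define H2_GOAWAY_LEN    17            /* 9-byte header + 8-byte payload */

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Serialize a GOAWAY frame without debug data (RFC 7540, Section 6.8). */
size_t h2_goaway_encode(uint8_t out[H2_GOAWAY_LEN], uint32_t last_stream_id,
                        uint32_t error_code)
{
    out[0] = 0; out[1] = 0; out[2] = 8;       /* 24-bit payload length */
    out[3] = H2_FRAME_GOAWAY;                 /* frame type */
    out[4] = 0;                               /* flags: none defined */
    put_be32(out + 5, 0);                     /* connection-level: stream 0 */
    put_be32(out + 9, last_stream_id & H2_MAX_STREAM_ID); /* R bit cleared */
    put_be32(out + 13, error_code);
    return H2_GOAWAY_LEN;
}

/* Client-initiated (odd) streams in (last_stream_id, highest_sent]: requests
 * already on the wire that this connection will not process. */
uint32_t h2_streams_not_processed(uint32_t last_stream_id, uint32_t highest_sent)
{
    if (highest_sent <= last_stream_id)
        return 0;
    return (highest_sent + 1) / 2 - (last_stream_id + 1) / 2;
}

/* Stage 1: announce shutdown but keep accepting streams already in flight. */
size_t h2_shutdown_stage1(uint8_t out[H2_GOAWAY_LEN])
{
    return h2_goaway_encode(out, H2_MAX_STREAM_ID, H2_NO_ERROR);
}

/* Stage 2, at least one round trip later: pin the real cut-off, which is the
 * highest stream id the server received in the meantime. */
size_t h2_shutdown_stage2(uint8_t out[H2_GOAWAY_LEN], uint32_t highest_received)
{
    return h2_goaway_encode(out, highest_received, H2_NO_ERROR);
}
```

With a 1000-request limit the last accepted stream id is 1999, so a single GOAWAY carrying 1999 leaves a client that already sent streams 2001 and 2003 with two requests that will not be processed on that connection. With the two-stage sequence the final GOAWAY carries 2003 and that count is zero.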