[PATCH] HTTP/2: don't limit number of requests per HTTP/2 connection

Valentin V. Bartenev vbart at nginx.com
Wed Aug 30 22:54:31 UTC 2017

On Thursday, 31 August 2017 0:55:21 MSK Piotr Sikora via nginx-devel wrote:
> # HG changeset patch
> # User Piotr Sikora <piotrsikora at google.com>
> # Date 1504129797 25200
> #      Wed Aug 30 14:49:57 2017 -0700
> # Node ID 49b677bf2ae7ab92499766e8184ddcbf7a4233f9
> # Parent  c7d4017c8876af6d8570e400320537d7d39e9578
> HTTP/2: don't limit number of requests per HTTP/2 connection.
> Previous default limit (1000 requests) and lack of graceful shutdown
> could result in loss of requests, when clients were unable to retry.
> Signed-off-by: Piotr Sikora <piotrsikora at google.com>

This opens a vector for a DoS attack.  There are some configurations
in which memory can be allocated from the connection pool for each request.
Removing a reasonable enough limit for requests per connection
potentially allows an attacker to grow this pool until a worker
process is killed due to OOM.

The problem should be solved by introducing "lingering close",
similar to HTTP/1.x.

  wbr, Valentin V. Bartenev
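
Added example, not part of the original message and not nginx code: a toy arena that, like a connection pool, releases memory only when the whole pool is destroyed, used to compare peak pool size with and without a per-connection request limit. The names `pool_t`, `pool_alloc`, `pool_destroy` and `peak_pool_bytes`, and the figures of 5000 requests at 64 bytes each, are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy arena (hypothetical names): blocks are freed only on pool destroy. */
typedef struct block { struct block *next; } block_t;
typedef struct { block_t *head; size_t bytes; } pool_t;

static void *pool_alloc(pool_t *p, size_t n) {
    block_t *b = malloc(sizeof(block_t) + n);
    if (b == NULL) return NULL;
    b->next = p->head;
    p->head = b;
    p->bytes += n;
    return b + 1;                      /* payload follows the header */
}

static void pool_destroy(pool_t *p) {
    while (p->head) {
        block_t *b = p->head;
        p->head = b->next;
        free(b);
    }
    p->bytes = 0;
}

/* One client sends `requests` requests; each takes `per_req` bytes from the
 * connection pool. max_requests == 0 means unlimited; otherwise the
 * connection and its pool are torn down when the limit is reached.
 * Returns the peak bytes held by a pool, or 0 if an allocation failed. */
size_t peak_pool_bytes(size_t requests, size_t per_req, size_t max_requests) {
    pool_t conn = { NULL, 0 };
    size_t served = 0, peak = 0;
    for (size_t i = 0; i < requests; i++) {
        if (pool_alloc(&conn, per_req) == NULL) { pool_destroy(&conn); return 0; }
        if (conn.bytes > peak) peak = conn.bytes;
        if (max_requests && ++served == max_requests) {
            pool_destroy(&conn);       /* connection closed, client reconnects */
            served = 0;
        }
    }
    pool_destroy(&conn);
    return peak;
}

int main(void) {
    printf("limit 1000: %zu bytes\n", peak_pool_bytes(5000, 64, 1000));
    printf("no limit:   %zu bytes\n", peak_pool_bytes(5000, 64, 0));
    return 0;
}
```

With a limit the peak is bounded by the limit times the per-request allocation; without one it grows linearly with the number of requests the client chooses to send.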
