On Thursday, 31 August 2017 0:55:21 MSK Piotr Sikora via nginx-devel wrote:
> # HG changeset patch
> # User Piotr Sikora <[email protected]>
> # Date 1504129797 25200
> # Wed Aug 30 14:49:57 2017 -0700
> # Node ID 49b677bf2ae7ab92499766e8184ddcbf7a4233f9
> # Parent c7d4017c8876af6d8570e400320537d7d39e9578
> HTTP/2: don't limit number of requests per HTTP/2 connection.
>
> Previous default limit (1000 requests) and lack of graceful shutdown
> could result in loss of requests, when clients were unable to retry.
>
> Signed-off-by: Piotr Sikora <[email protected]>
> [..]
This opens a vector for a DoS attack. There are some configurations when memory can be allocated from connection pool for each request. Removing a reasonable enough limit for requests per connection potentially allows an attacker to grow this pool until a worker process will be killed due to OOM.

The problem should be solved by introducing "lingering close", similar to HTTP/1.x.

wbr, Valentin V. Bartenev
