security(data-plane): ingress DoS hardening + chunked body-size cap#94
Merged
Closes the ingress-DoS gaps (area: data-plane DoS).

DP-2 (ingress timeouts / connection cap):
- Per-request header-read deadline (slowloris defense), which also doubles as the HTTP keep-alive idle timeout and finally wires the previously-discarded `--keepalive-timeout` flag.
- TLS handshake timeout so a stalled handshake can't pin a task/FD.
- HTTP/2 max_concurrent_streams cap (256) against stream floods.
- Concurrent-connection ceiling with load shedding (`BARBACANE_MAX_CONNECTIONS`, default 10000).
- All applied via a shared `configure_conn_builder` helper across the dev and production accept loops. The HTTP/1 builder now gets a timer (required for the header-read timeout to function).

DP-3 (chunked body-size bypass):
- Both request-body collection sites wrap the body in `http_body_util::Limited` so a `Transfer-Encoding: chunked` body with no Content-Length is capped while streaming instead of being fully buffered before the size check.
- Body-too-large now returns 413 (RFC 9457 payload-too-large) consistently, via a dedicated response helper, instead of a generic 400.

Tests: the previously-red DoS security suite is now green, including the slowloris test (un-blocked now that there is a configurable, observable header-read timeout). Docs and CHANGELOG updated for the new env var and the keepalive wiring.
Area: data-plane ingress DoS (#2)
Closes the ingress DoS gaps. Continues the sequential, one-PR-per-area security work, fail-closed by default with operator opt-outs.
DP-2 — ingress timeouts / connection cap
- Per-request header-read deadline (slowloris defense), which also doubles as the HTTP keep-alive idle timeout and finally wires the previously-discarded `--keepalive-timeout` flag (`_keepalive_duration` → used).
- TLS handshake timeout on `acceptor.accept`, so a stalled handshake can't pin a task/FD.
- HTTP/2 `max_concurrent_streams` cap (256) against per-connection stream floods.
- Concurrent-connection ceiling with load shedding (`BARBACANE_MAX_CONNECTIONS`, default 10000).
- All applied via a shared `configure_conn_builder` across the dev + production accept loops. The HTTP/1 builder now also gets a timer (required for `header_read_timeout` to function — without it the connection task panics, which is why a missing timer would hang every request).

DP-3 — chunked body-size bypass

- Both request-body collection sites wrap the body in `http_body_util::Limited`, so a `Transfer-Encoding: chunked` body with no `Content-Length` is capped while streaming instead of being fully buffered before the size check.
- Body-too-large now returns 413 (RFC 9457 `payload-too-large`) consistently via a dedicated helper, instead of a generic 400.

Tests

The DoS security suite (`crates/barbacane-test/tests/security/dos.rs`) is now green:

- `oversized_chunked_body_rejected_with_413` — rewritten to boot with `--max-body-size 100` so it exercises the gateway's streaming cap (its stated intent) rather than being confounded by schema validation running before the size-limit middleware.
- `slowloris_connection_is_timed_out` — un-`#[ignore]`d: now implementable because the header-read timeout is configurable (`--keepalive-timeout`) and observable.
- `not_found_flood_does_not_explode_metric_cardinality` — assertion aligned to the already-shipped `<unmatched>` sentinel (the cardinality fix landed in PR "Security hardening pass + security test framework" #85; only the sentinel string differed).

CI gates verified locally green: `cargo fmt --all --check`, `cargo clippy --workspace --lib --bins --exclude barbacane-test -D warnings`, `cargo test --workspace --lib --bins --exclude barbacane-test`.

Note (separate finding)

While verifying, I found the integration test binaries under `crates/barbacane-test/tests/` (including the entire adversarial security suite) are not run by CI — the "Integration Tests" job runs only `cargo test -p barbacane-test --lib`. I verified this PR's DoS tests + the 2MB-body proxy test locally instead. Wiring the suite into CI is worth a follow-up (filing separately).

Resolves the data-plane ingress DoS items tracked privately (#2).
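As an added illustration of the DP-3 point above (not code from the barbacane repository, which wraps hyper bodies in `http_body_util::Limited`), the std-only Rust program below implements the same streaming cap by hand on a minimal `Transfer-Encoding: chunked` decoder and puts it beside the buffer-then-check pattern the PR replaces. The function names `read_chunked_limited`, `read_chunked_then_check`, `sample_chunked_body` and `payload_too_large_response` are this example's own; the 100-byte limit mirrors the `--max-body-size 100` used by the rewritten test; the request body is constructed here. The size check runs on each chunk-size line before the chunk is read, so an oversized body is rejected after a few bytes and the server never buffers more than the limit for one request.

```rust
use std::io::{self, BufRead, Read};

/// Outcome of reading a request body; `TooLarge` is what a gateway maps to HTTP 413.
#[derive(Debug, PartialEq)]
pub enum BodyError {
    TooLarge { limit: usize },
    Malformed(&'static str),
    Io(io::ErrorKind),
}

fn io_err(e: io::Error) -> BodyError {
    BodyError::Io(e.kind())
}

/// Decode a chunked body while enforcing `limit` on the cumulative decoded size.
/// The limit is checked on the chunk-size line *before* the chunk is allocated or read,
/// so a body that declares too much is refused after consuming only its header lines.
pub fn read_chunked_limited<R: BufRead>(reader: &mut R, limit: usize) -> Result<Vec<u8>, BodyError> {
    let mut body = Vec::new();
    let mut total = 0usize;
    loop {
        // chunk-size line: hex size, optional ";ext" parameters, CRLF
        let mut line = String::new();
        if reader.read_line(&mut line).map_err(io_err)? == 0 {
            return Err(BodyError::Malformed("EOF inside chunk header"));
        }
        let size_field = line.trim_end_matches(|c: char| c == '\r' || c == '\n');
        let size_hex = size_field.split(';').next().unwrap_or("").trim();
        let size = usize::from_str_radix(size_hex, 16)
            .map_err(|_| BodyError::Malformed("chunk size is not hex"))?;
        if size == 0 {
            // last-chunk marker: drain optional trailer fields up to the empty line
            loop {
                let mut trailer = String::new();
                let n = reader.read_line(&mut trailer).map_err(io_err)?;
                if n == 0 || trailer == "\r\n" || trailer == "\n" {
                    return Ok(body);
                }
            }
        }
        // Reject before allocating: a single huge declared chunk never gets buffered.
        total = total.checked_add(size).ok_or(BodyError::TooLarge { limit })?;
        if total > limit {
            return Err(BodyError::TooLarge { limit });
        }
        let mut chunk = vec![0u8; size];
        reader.read_exact(&mut chunk).map_err(io_err)?;
        body.extend_from_slice(&chunk);
        let mut crlf = [0u8; 2];
        reader.read_exact(&mut crlf).map_err(io_err)?;
        if &crlf != b"\r\n" {
            return Err(BodyError::Malformed("chunk data not followed by CRLF"));
        }
    }
}

/// The pre-fix pattern the PR describes: decode the whole body, then compare its length
/// with the limit. Same verdict, but the entire body is buffered before the check runs.
pub fn read_chunked_then_check<R: BufRead>(reader: &mut R, limit: usize) -> Result<Vec<u8>, BodyError> {
    let body = read_chunked_limited(reader, usize::MAX)?;
    if body.len() > limit {
        return Err(BodyError::TooLarge { limit });
    }
    Ok(body)
}

/// Constructed sample input: `chunks` chunks of `chunk_len` bytes, then the last-chunk marker.
pub fn sample_chunked_body(chunk_len: usize, chunks: usize) -> Vec<u8> {
    let mut out = Vec::new();
    for _ in 0..chunks {
        out.extend_from_slice(format!("{chunk_len:x}\r\n").as_bytes());
        out.extend(std::iter::repeat(b'A').take(chunk_len));
        out.extend_from_slice(b"\r\n");
    }
    out.extend_from_slice(b"0\r\n\r\n");
    out
}

/// 413 with an RFC 9457 problem-details body (RFC 9110 renamed the reason phrase to "Content Too Large").
pub fn payload_too_large_response(limit: usize) -> String {
    let body = format!(
        "{{\"type\":\"about:blank\",\"title\":\"Content Too Large\",\"status\":413,\"detail\":\"request body exceeds {limit} bytes\"}}"
    );
    format!(
        "HTTP/1.1 413 Content Too Large\r\nContent-Type: application/problem+json\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{}",
        body.len(),
        body
    )
}

fn main() {
    let raw = sample_chunked_body(100, 3); // 300-byte body against a 100-byte limit
    let mut streaming = io::Cursor::new(raw.as_slice());
    let r = read_chunked_limited(&mut streaming, 100);
    println!("streaming: {:?} after {} of {} bytes", r, streaming.position(), raw.len());
    let mut buffered = io::Cursor::new(raw.as_slice());
    let r = read_chunked_then_check(&mut buffered, 100);
    println!("buffered:  {:?} after {} of {} bytes", r, buffered.position(), raw.len());
    print!("{}", payload_too_large_response(100));
}
```

Running it shows the difference the PR is about: the streaming decoder returns `TooLarge` after 110 of the 323 wire bytes (first chunk plus the second chunk's size line), while the buffer-then-check version consumes all 323 bytes and holds the full body before it can say no. With a real socket instead of a `Cursor`, that gap is the memory an attacker can make the server hold per connection.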