aboutsummaryrefslogtreecommitdiffstats
path: root/doc/src/manual/cowboy_http2.asciidoc
AgeCommit message (Collapse)Author
2020-01-06Use active,NLoïc Hoguin
This reduces the number of times we need to ask for more packets, and as a result we get a fairly large boost in performance, especially with HTTP/1.1. Unfortunately this makes Cowboy require at least Erlang/OTP 21.3+ because the ssl application did not have active,N. For simplicity the version required will be Erlang/OTP 22+. In addition this change improves hibernate handling in cowboy_websocket. Hibernate will now work for HTTP/2 transport as well, and stray or unrelated messages will no longer cancel hibernate (the process will handle the message and go back into hibernation). Thanks go to Stressgrid for benchmarking an early version of this commit: https://stressgrid.com/blog/cowboy_performance_part_2/
2019-10-07Document the logger optionLoïc Hoguin
2019-10-02Fix HTTP/2 CVEsLoïc Hoguin
A number of HTTP/2 CVEs were documented recently: https://www.kb.cert.org/vuls/id/605641/ This commit, along with a few changes and additions in Cowlib, fix or improve protection against all of them. For CVE-2019-9511, also known as Data Dribble, the new option stream_window_data_threshold can be used to control how little the DATA frames that Cowboy sends can get. For CVE-2019-9516, also known as 0-Length Headers Leak, Cowboy will now simply reject streams containing 0-length header names. For CVE-2019-9517, also known as Internal Data Buffering, the backpressure changes were already pretty good at preventing this issue, but a new option max_connection_buffer_size was added for even better control over how much memory we are willing to allocate. For CVE-2019-9512, also known as Ping Flood; CVE-2019-9515, also known as Settings Flood; CVE-2019-9518, also known as Empty Frame Flooding; and similar undocumented scenarios, a frame rate limiting mechanism was added. By default Cowboy will now allow 1000 frames every 10 seconds. This can be configured via max_received_frame_rate. For CVE-2019-9514, also known as Reset Flood, another rate limiting mechanism was added and can be configured via max_reset_stream_rate. By default Cowboy will do up to 10 stream resets every 10 seconds. Finally, nothing was done for CVE-2019-9513, also known as Resource Loop, because Cowboy does not currently implement the HTTP/2 priority mechanism (in parts because these issues were well known from the start). Tests were added for all cases except Internal Data Buffering, which I'm not sure how to test, and Resource Loop, which is not currently relevant.
2019-09-14Implement backpressure on cowboy_req:stream_bodyLoïc Hoguin
This should limit the amount of memory that Cowboy is using when a handler is sending data much faster than the network. The new max_stream_buffer_size is a soft limit and only has an effect when the cowboy_stream_h handler is used.
2019-09-06Document unit for options that are in bytesLoïc Hoguin
2019-09-05Fix and optimize sending of WINDOW_UPDATE framesLoïc Hoguin
For long-running connections it was possible for the connection window to become larger than allowed by the protocol because the window increases claimed by stream handlers were never reclaimed even if no data was consumed. The new code applies heuristics to fix this and reduce the number of WINDOW_UPDATE frames that are sent. It includes six new options to control that behavior: margin, max and threshold for both the connection and stream windows. The margin is some extra space added on top of the requested read size. The max is the maximum window size at any given time. The threshold is a minimum window size that must be reached before we even consider sending more WINDOW_UPDATE frames. We also avoid sending WINDOW_UPDATE frames when there is already enough space in the window, or when the read size is 0. Cowlib is set to master until a new tag is done.
2018-11-18Document cowboy_stream_h/cowboy_compress_hLoïc Hoguin
2018-11-16Add the idle_timeout option to HTTP/2Loïc Hoguin
2018-11-14Add some missing items to a few module changelogsLoïc Hoguin
2018-11-14Document the proxy_header protocol optionLoïc Hoguin
2018-11-03Add an option to disable sendfile for a listenerLoïc Hoguin
2018-05-02Fix cowboy_http2 manual page formattingLoïc Hoguin
[ci skip]
2018-04-28Add SETTINGS ack timeout and option settings_timeoutLoïc Hoguin
2018-04-27Add options controlling maximum h2 frame sizesLoïc Hoguin
2018-04-26Add options controlling initial control flow windowsLoïc Hoguin
2018-04-25Add the max_concurrent_streams h2 optionLoïc Hoguin
2018-04-25Add options to control h2's SETTINGS_HEADER_TABLE_SIZELoïc Hoguin
2018-04-04Add initial implementation of Websocket over HTTP/2Loïc Hoguin
Using the current draft: https://tools.ietf.org/html/draft-ietf-httpbis-h2-websockets-01
2017-06-07Remove NumAcceptors argument from start_clear/tlsLoïc Hoguin
They are now cowboy:start_clear/3 and cowboy:start_tls/3. The NumAcceptors argument can be specified via the num_acceptor transport option. Ranch has been updated to 1.4.0 to that effect.
2017-05-05Add inactivity_timeout and other options improvementsLoïc Hoguin
2016-12-22Update cowboy_websocket_manualLoïc Hoguin
2016-12-22Add the manual for cowboy_http2Loïc Hoguin