aboutsummaryrefslogtreecommitdiffstats
path: root/doc
AgeCommit message (Collapse)Author
2019-10-03Document media type wildcard in content_types_acceptedLoïc Hoguin
2019-10-03Document stopping the listener in App:stop/1Loïc Hoguin
2019-10-02Fix HTTP/2 CVEsLoïc Hoguin
A number of HTTP/2 CVEs were documented recently: https://www.kb.cert.org/vuls/id/605641/ This commit, along with a few changes and additions in Cowlib, fix or improve protection against all of them. For CVE-2019-9511, also known as Data Dribble, the new option stream_window_data_threshold can be used to control how little the DATA frames that Cowboy sends can get. For CVE-2019-9516, also known as 0-Length Headers Leak, Cowboy will now simply reject streams containing 0-length header names. For CVE-2019-9517, also known as Internal Data Buffering, the backpressure changes were already pretty good at preventing this issue, but a new option max_connection_buffer_size was added for even better control over how much memory we are willing to allocate. For CVE-2019-9512, also known as Ping Flood; CVE-2019-9515, also known as Settings Flood; CVE-2019-9518, also known as Empty Frame Flooding; and similar undocumented scenarios, a frame rate limiting mechanism was added. By default Cowboy will now allow 1000 frames every 10 seconds. This can be configured via max_received_frame_rate. For CVE-2019-9514, also known as Reset Flood, another rate limiting mechanism was added and can be configured via max_reset_stream_rate. By default Cowboy will do up to 10 stream resets every 10 seconds. Finally, nothing was done for CVE-2019-9513, also known as Resource Loop, because Cowboy does not currently implement the HTTP/2 priority mechanism (in parts because these issues were well known from the start). Tests were added for all cases except Internal Data Buffering, which I'm not sure how to test, and Resource Loop, which is not currently relevant.
2019-09-28Add persistent_term support to the routerLoïc Hoguin
2019-09-14Implement backpressure on cowboy_req:stream_bodyLoïc Hoguin
This should limit the amount of memory that Cowboy is using when a handler is sending data much faster than the network. The new max_stream_buffer_size is a soft limit and only has an effect when the cowboy_stream_h handler is used.
2019-09-06Fix using custom fields in ReqLoïc Hoguin
2019-09-06Document unit for options that are in bytesLoïc Hoguin
2019-09-05Minor grammar correctionAlastair Hole
Noun 'setup' -> verb phrase 'set up'
2019-09-05Fix and optimize sending of WINDOW_UPDATE framesLoïc Hoguin
For long-running connections it was possible for the connection window to become larger than allowed by the protocol because the window increases claimed by stream handlers were never reclaimed even if no data was consumed. The new code applies heuristics to fix this and reduce the number of WINDOW_UPDATE frames that are sent. It includes six new options to control that behavior: margin, max and threshold for both the connection and stream windows. The margin is some extra space added on top of the requested read size. The max is the maximum window size at any given time. The threshold is a minimum window size that must be reached before we even consider sending more WINDOW_UPDATE frames. We also avoid sending WINDOW_UPDATE frames when there is already enough space in the window, or when the read size is 0. Cowlib is set to master until a new tag is done.
2019-07-22Add more related specsLoïc Hoguin
2019-07-12Add two related specsLoïc Hoguin
2019-05-27Add two new RFCs to the listLoïc Hoguin
2019-05-13Fix a few examples using cert instead of certfileLoïc Hoguin
2019-04-24Add RFC 8586Loïc Hoguin
2019-04-05Cowboy 2.6.32.6.3Loïc Hoguin
2019-04-04Cowboy 2.6.22.6.2Loïc Hoguin
Updates Cowlib to 2.7.2.
2019-04-03Describe what star represent in the REST flowchartsLoïc Hoguin
2019-04-03Clarify what the private directory isGinetom
2019-04-02Fix calling convention for set_resp_cookie/3Jesper Louis Andersen
If not providing optional values, they are set to `#{}` and are the last parameter according to the source code. Reflect this in the documentation.
2019-04-02Add this year's April Fool's RFCLoïc Hoguin
2019-03-25Add a related RFCLoïc Hoguin
2018-11-28Cowboy 2.6.12.6.1Loïc Hoguin
2018-11-18Document cowboy_stream_h/cowboy_compress_hLoïc Hoguin
2018-11-18Add the chunked option for HTTP/1.1Loïc Hoguin
It allows disabling the chunked transfer-encoding. It can also be disabled on a per-request basis, although it will be ignored for responses that are not streamed.
2018-11-17Prepare the Cowboy 2.6 releaseLoïc Hoguin
2018-11-16Add the idle_timeout option to HTTP/2Loïc Hoguin
2018-11-14Document using undefined as content_types_provided callbackLoïc Hoguin
This is a convention that indicates the callback will never be called, for example because the methods HEAD or GET are not accepted.
2018-11-14Add some missing items to a few module changelogsLoïc Hoguin
2018-11-14Allow disabling keep-alive for HTTP/1.0 connectionsLoïc Hoguin
2018-11-14Document some undefined behavior in cowboy_routerLoïc Hoguin
2018-11-14Add a use case to loop handlersLoïc Hoguin
2018-11-14Document the proxy_header protocol optionLoïc Hoguin
2018-11-12Add deflate options for Websocket compressionLoïc Hoguin
They allow the server to configure what it is willing to accept for both the negotiated configuration (takeover and window bits) and the other zlib options (level, mem_level and strategy). This can be used to reduce the memory and/or CPU footprint of the compressed data, which comes with a cost in compression ratio.
2018-11-09Add sendfile support to cowboy_req:stream_bodyLoïc Hoguin
It is now possible to stream one or more sendfile tuples. A simple example of what can now be done would be for example to build a tar file on the fly using the sendfile syscall for sending the files, or to support Range requests with more than one range with the sendfile syscall. When using cowboy_compress_h unfortunately we have to read the file in order to send it. More options will be added at a later time to make sure users don't read too much into memory. This is a new feature however so existing code is not affected. Also rework cowboy_http's data sending to be flatter.
2018-11-05Test stop against all relevant REST callbacksLoïc Hoguin
2018-11-04Add the rate_limited/2 REST callbackLoïc Hoguin
2018-11-03Add an option to disable sendfile for a listenerLoïc Hoguin
2018-11-02Add a charset option to cowboy_staticLoïc Hoguin
2018-11-02Add RFC6657 to the list of related documentsLoïc Hoguin
2018-11-02Add tests for charsets_providedLoïc Hoguin
Fix cases where the q-value is 0 and where a wildcard was sent in the accept-charset header. Also don't send a charset in the content-type of the response if the media type is not text. Thanks to Philip Witty for help figuring this out.
2018-11-02Better handle content negotiation when accept contains charsetsLoïc Hoguin
Thanks to Philip Witty for help figuring this out.
2018-10-28Exit gracefully on parent exit/sys:terminate/2,3Loïc Hoguin
2018-10-26Add yet another RFC to the listLoïc Hoguin
2018-10-02Fix Cowboy version in the getting started chapter2.5.0Loïc Hoguin
2018-09-23Update Ranch to 1.6.2getong
2018-09-23Add a spec to the listLoïc Hoguin
2018-09-21Update Cowlib to 2.6.0Loïc Hoguin
2018-09-21Add the {active, boolean()} Websocket commandLoïc Hoguin
This command is currently not documented. It allows disabling the reading of incoming data from the socket, and can be used as a poor man's flow control.
2018-09-20Remove an outdated note about cowboy_loop timeoutLoïc Hoguin
2018-09-19Add RFC 8441 to the listLoïc Hoguin