Age | Commit message (Collapse) | Author |
|
They replace and deprecate the {true,URI} return value.
|
|
Note: This commit makes cowboy depend on cowlib master.
Graceful shutdown for HTTP/2:
1. A GOAWAY frame with the last stream id set to 2^31-1 is sent and a
timer is started (goaway_initial_timeout, default 1000ms), to wait
for any in-flight requests sent by the client, and the status is set
to 'closing_initiated'. If the client responds with GOAWAY and closes
the connection, we're done.
2. A second GOAWAY frame is sent with the actual last stream id and the
status is set to 'closing'. If no streams exist, the connection
terminates. Otherwise a second timer (goaway_complete_timeout,
default 3000ms) is started, to wait for the streams to complete. New
streams are not accepted when status is 'closing'.
3. If all streams haven't completed after the second timeout, the
connection is forcefully terminated.
Graceful shutdown for HTTP/1.x:
1. If a request is currently being handled, it is waited for and the
response is sent back to the client with the header "Connection:
close". Then, the connection is closed.
2. If the current request handler is not finished within the time
configured in transport option 'shutdown' (default 5000ms), the
connection process is killed by its supervisor (ranch).
Implemented for HTTP/1.x and HTTP/2 in the following scenarios:
* When receiving exit signal 'shutdown' from the supervisor (e.g. when
cowboy:stop_listener/3 is called).
* When a connection process is requested to terminate using
sys:terminate/2,3.
LH: Edited tests a bit and added todos for useful tests to add.
|
|
|
|
|
|
When calling cowboy_req:reply/4 with a body a crash will occur
resulting in a 500 response. When calling cowboy_req:stream_reply/2,3
and then attempting to send a body a crash will occur.
|
|
100 is very low for current deployments. 1000 is more
appropriate as a default value.
|
|
|
|
Still seeing intermittent failures on Windows due to
timetrap so let's see if doubling the timeout again helps.
|
|
Again to avoid intermittent issues.
|
|
This happens from time to time on Windows and is partially
due to how the test is written.
|
|
|
|
This is to make up for very slow or low resource environments,
like the FreeBSD CI environment currently.
|
|
The local network is much slower so the tests take longer there.
|
|
This causes the test to get stuck because both the client and
server end up waiting in Transport:send for the other side to
read data from the socket.
|
|
|
|
|
|
|
|
|
|
To avoid intermittent test failures. We only want to make
sure the function eventually returns so we don't need to
use timeouts in the test itself, or check exactly what was
read.
|
|
The experiment was successful in Gun, let's see if it helps
with Cowboy as well.
|
|
Introduce a currently undocumented option to allow disabling
cowboy_http when using a clear listener.
|
|
We now allow spaces in cookie names.
|
|
Allow 10000 frames every 10 seconds instead of just 1000,
as the limit was too quickly reached in some deployments.
|
|
This resulted in a badarith error due to the current flow being
set to infinity when the body has been fully read. A test case
has been added reproducing the issue.
|
|
|
|
The flow control is now only set to infinity when we are
skipping the request body of the stream that is being
terminated. This fixes a bug where it was set to infinity
while reading a subsequent request's body, leading to a
crash.
The timeout is no longer reset on stream termination.
Timeout handling is already done when receiving data
from the socket and doing a reset on stream termination
was leading to the wrong timeout being set or the right
timeout being reset needlessly.
|
|
|
|
|
|
|
|
This allows changing the normal exit reason of Websocket
processes, providing a way to signal other processes of
why the exit occurred.
|
|
Better than sending messages manually.
|
|
|
|
The old interface with ok|reply|stop tuples is deprecated.
|
|
This allows disabling the UTF-8 validation check
for text and close frames.
|
|
While the protocol does not allow sending data before
receiving a successful Websocket upgrade response, we
do not want to discard that data if it does come in.
|
|
|
|
|
|
|
|
|
|
Now both HTTP/1.1 and HTTP/2 follow the documented format.
HTTP/1.1 was including an extra element containing the
StreamID before, which was unnecessary because it is also
given as argument to the callback.
HTTP/2 early_error will now include headers in its PartialReq.
|
|
|
|
|
|
|
|
This allows giving custom metadata to the metrics stream handler.
This can be useful to for example provide the name of the
module handling the request which is only known after routing.
But any user data is allowed.
When called multiple times the user data maps are merged.
|
|
Fix a case where Cowboy was waiting for more data that simply
did not come. Now Cowboy will generate an error immediately
when a header line has no colon separator.
These test cases come from known request smuggling attack
vectors. Cowboy was not vulnerable to any of them.
|
|
A number of HTTP/2 CVEs were documented recently:
https://www.kb.cert.org/vuls/id/605641/
This commit, along with a few changes and additions in Cowlib,
fix or improve protection against all of them.
For CVE-2019-9511, also known as Data Dribble, the new option
stream_window_data_threshold can be used to control how little
the DATA frames that Cowboy sends can get.
For CVE-2019-9516, also known as 0-Length Headers Leak, Cowboy
will now simply reject streams containing 0-length header names.
For CVE-2019-9517, also known as Internal Data Buffering, the
backpressure changes were already pretty good at preventing this
issue, but a new option max_connection_buffer_size was added for
even better control over how much memory we are willing to allocate.
For CVE-2019-9512, also known as Ping Flood; CVE-2019-9515, also
known as Settings Flood; CVE-2019-9518, also known as Empty Frame
Flooding; and similar undocumented scenarios, a frame rate limiting
mechanism was added. By default Cowboy will now allow 1000 frames
every 10 seconds. This can be configured via max_received_frame_rate.
For CVE-2019-9514, also known as Reset Flood, another rate limiting
mechanism was added and can be configured via max_reset_stream_rate.
By default Cowboy will do up to 10 stream resets every 10 seconds.
Finally, nothing was done for CVE-2019-9513, also known as Resource
Loop, because Cowboy does not currently implement the HTTP/2
priority mechanism (in parts because these issues were well known
from the start).
Tests were added for all cases except Internal Data Buffering,
which I'm not sure how to test, and Resource Loop, which is not
currently relevant.
|
|
|
|
|
|
|
|
|