open-nomad/vendor/github.com
Michael Schurter c82b14b0c4 core: add limits to unauthorized connections
Introduce limits to prevent unauthorized users from exhausting all
ephemeral ports on agents:

 * `{https,rpc}_handshake_timeout`
 * `{http,rpc}_max_conns_per_client`

The handshake timeout closes connections that have not completed the TLS
handshake by the deadline (5s by default). For RPC connections this
timeout also separately applies to the first byte being read, so RPC
connections with TLS enabled have `rpc_handshake_time * 2` as their
deadline.

The connection limit per client prevents a single remote TCP peer from
exhausting all ephemeral ports. The default is 100, but can be lowered
to a minimum of 26. Since streaming RPC connections create a new TCP
connection (until MultiplexV2 is used), 20 connections are reserved for
Raft and non-streaming RPCs to prevent connection exhaustion due to
streaming RPCs.

All limits are configurable and may be disabled by setting them to `0`.

This also includes a fix that closes connections that attempt to create
TLS RPC connections recursively. While only users with valid mTLS
certificates could perform such an operation, it was added as a
safeguard to prevent programming errors before they could cause resource
exhaustion.
2020-01-30 10:38:25 -08:00
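The two limits the commit message describes, as an added example in Go that is not Nomad's own code: a per-client cap on concurrently open connections and a deadline for the first byte of a new connection (the "handshake"), applied on a plain TCP listener with TLS left out. The names `ConnLimiter`, `Serve` and `handleConn` belong to this example, keying the cap by remote IP rather than IP:port is an assumption, and the 20-connection reservation for Raft and the MultiplexV2 path are not reproduced here.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"sync"
	"time"
)

// ConnLimiter caps concurrently open connections per remote IP. Keying by IP
// rather than IP:port is an assumption of this example; limit 0 disables it.
type ConnLimiter struct {
	mu    sync.Mutex
	limit int
	count map[string]int
}

func NewConnLimiter(limit int) *ConnLimiter {
	return &ConnLimiter{limit: limit, count: map[string]int{}}
}

func clientKey(addr net.Addr) string {
	if host, _, err := net.SplitHostPort(addr.String()); err == nil {
		return host
	}
	return addr.String()
}

// Acquire reports whether addr may open one more connection; on true the
// caller must Release exactly once when that connection ends.
func (l *ConnLimiter) Acquire(addr net.Addr) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	k := clientKey(addr)
	if l.limit > 0 && l.count[k] >= l.limit {
		return false
	}
	l.count[k]++
	return true
}

func (l *ConnLimiter) Release(addr net.Addr) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if k := clientKey(addr); l.count[k] > 1 {
		l.count[k]--
	} else {
		delete(l.count, k)
	}
}

// handleConn demands the first byte (standing in for the RPC type byte) within
// handshakeTimeout: a silent peer is dropped at the deadline, a talking peer is
// echoed until it hangs up and holds its slot for as long as it stays connected.
func handleConn(c net.Conn, handshakeTimeout time.Duration) {
	if handshakeTimeout > 0 {
		c.SetReadDeadline(time.Now().Add(handshakeTimeout))
	}
	var first [1]byte
	if _, err := io.ReadFull(c, first[:]); err != nil {
		return // deadline hit before the first byte arrived
	}
	c.SetReadDeadline(time.Time{}) // handshake done: lift the deadline
	c.Write(first[:])
	io.Copy(io.Discard, c)
}

// Serve is the accept loop. An over-limit peer is closed before any byte is
// read from it, so an unauthenticated client cannot pin more than limit slots.
func Serve(ln net.Listener, lim *ConnLimiter, handshakeTimeout time.Duration) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		if !lim.Acquire(c.RemoteAddr()) {
			c.Close()
			continue
		}
		go func() {
			handleConn(c, handshakeTimeout)
			lim.Release(c.RemoteAddr()) // free the slot before the peer sees the close
			c.Close()
		}()
	}
}

// main shows the deadline alone: a client that never sends its first byte is
// hung up on after 200ms instead of holding the connection open indefinitely.
func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	go Serve(ln, NewConnLimiter(2), 200*time.Millisecond)
	c, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		panic(err)
	}
	_, err = c.Read(make([]byte, 1))
	fmt.Println("silent client closed by server:", err != nil)
}
```

Two details carry the security point. The over-limit branch in `Serve` closes the socket before reading anything, so the cost of a rejected connection is one accept and one close, with no goroutine or buffer allocated on behalf of a peer that has not authenticated. And `Release` runs before `Close` so that a slot is free by the time the peer can observe the close; with the order reversed, a client that reconnects immediately after being cut off could be rejected by a count that is about to drop.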
agext/levenshtein
apparentlymart/go-textseg
appc/spec
armon test case for 5540 (#5590) 2019-04-30 10:31:35 -04:00
aws/aws-sdk-go Update AWS SDK library to v1.25.41 2019-12-03 13:35:03 -05:00
Azure vendor: Update go-discover for AWS SDK change 2019-12-03 13:49:52 -05:00
beorn7/perks
bgentry
boltdb/bolt
BurntSushi/toml update consul-template to latest version 2019-08-12 16:34:48 -04:00
checkpoint-restore/go-criu vendor upstream opencontainers/runc 2019-04-19 09:49:04 -04:00
circonus-labs
containerd ar: refactor network bridge config to use go-cni lib (#6255) 2019-09-04 16:33:25 -04:00
containernetworking vendor: add cni libs 2019-07-31 01:04:07 -04:00
coreos ar: ensure network forwarding is allowed for bridged allocs (#6196) 2019-08-28 10:51:34 -04:00
cyphar/filepath-securejoin
DataDog/datadog-go
davecgh/go-spew
docker vendor docker/docker volume utils 2019-04-25 08:55:21 -04:00
dustin/go-humanize
elazarl/go-bindata-assetfs
fatih
fsouza/go-dockerclient
go-ini/ini
go-ole/go-ole
godbus/dbus
gogo/protobuf
golang vendor: Update go-discover for AWS SDK change 2019-12-03 13:49:52 -05:00
google vendor: Update go-discover for AWS SDK change 2019-12-03 13:49:52 -05:00
googleapis/gax-go govendor fetch github.com/hashicorp/go-getter@f5101da, protobuf 1.2 2019-08-26 17:54:21 -04:00
gorhill/cronexpr
gorilla vendor github.com/gorilla/websocket 2019-05-09 16:49:08 -04:00
hashicorp core: add limits to unauthorized connections 2020-01-30 10:38:25 -08:00
hpcloud/tail
jmespath/go-jmespath
konsorten/go-windows-terminal-sequences update logrus and go-windows-terminal-sequences 2019-06-18 14:55:19 -04:00
kr vendor github.com/kr/pty 2019-05-10 19:17:14 -04:00
LK4D4/joincontext
mattn
matttproud/golang_protobuf_extensions
Microsoft/go-winio vendor: Use dani fork of go-winio 2019-06-28 13:47:18 +02:00
miekg/dns
mitchellh
moby/moby
mrunalp/fileutils
NVIDIA/gpu-monitoring-tools
Nvveen/Gotty
NYTimes/gziphandler update go-hclog dep 2019-11-05 09:51:52 -05:00
oklog/run
onsi
opencontainers Update github.com/opencontainers/selinux 2019-06-18 14:49:11 -04:00
pkg/errors
pmezard/go-difflib
posener/complete
prometheus metrics: upgraded prometheus http client to 0.9.4 to address label conflict in Nomad 0.9.x reported in #5345 2019-06-18 18:34:22 +00:00
rs/cors
ryanuber
sean-/seed
seccomp/libseccomp-golang
sethgrid/pester
shirou
sirupsen/logrus update logrus and go-windows-terminal-sequences 2019-06-18 14:55:19 -04:00
skratchdot/open-golang
spf13/pflag
StackExchange/wmi
stretchr vendor: update testify to v1.4.0 2019-08-19 15:36:04 -07:00
syndtr/gocapability
tonnerre/golang-text
tv42/httpunix
ugorji/go Fix hashicorp/go-msgpack import 2019-09-27 09:08:30 -04:00
ulikunitz/xz
vishvananda/netlink
vmihailenco/msgpack
zclconf/go-cty