c82b14b0c4
Introduce limits to prevent unauthorized users from exhausting all
ephemeral ports on agents:
* `{https,rpc}_handshake_timeout`
* `{http,rpc}_max_conns_per_client`
The handshake timeout closes connections that have not completed the TLS
handshake by the deadline (5s by default). For RPC connections this
timeout also separately applies to first byte being read so RPC
connections with TLS enabled have `rpc_handshake_time * 2` as their
deadline.
The connection limit per client prevents a single remote TCP peer from
exhausting all ephemeral ports. The default is 100, but can be lowered
to a minimum of 26. Since streaming RPC connections create a new TCP
connection (until MultiplexV2 is used), 20 connections are reserved for
Raft and non-streaming RPCs to prevent connection exhaustion due to
streaming RPCs.
All limits are configurable and may be disabled by setting them to `0`.
This also includes a fix that closes connections that attempt to create
TLS RPC connections recursively. While only users with valid mTLS
certificates could perform such an operation, it was added as a
safeguard to prevent programming errors before they could cause resource
exhaustion.
28 lines
671 B
Go
28 lines
671 B
Go
package connlimit
|
|
|
|
import "net"
|
|
|
|
// WrappedConn wraps a net.Conn and free() func returned by Limiter.Accept so
|
|
// that when the wrapped connections Close method is called, its free func is
|
|
// also called.
|
|
type WrappedConn struct {
|
|
net.Conn
|
|
free func()
|
|
}
|
|
|
|
// Wrap wraps a net.Conn's Close method so free() is called when Close is
|
|
// called. Useful when handing off tracked connections to libraries that close
|
|
// them.
|
|
func Wrap(conn net.Conn, free func()) net.Conn {
|
|
return &WrappedConn{
|
|
Conn: conn,
|
|
free: free,
|
|
}
|
|
}
|
|
|
|
// Close frees the tracked connection and closes the underlying net.Conn.
|
|
func (w *WrappedConn) Close() error {
|
|
w.free()
|
|
return w.Conn.Close()
|
|
}
|