Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add vmod_h2 to control http rapid reset rate limits per session #3999

Merged
merged 2 commits into from
Oct 18, 2023
Merged

Add vmod_h2 to control http rapid reset rate limits per session #3999

merged 2 commits into from
Oct 18, 2023

Conversation

nigoroll
Copy link
Member

@nigoroll nigoroll commented Oct 16, 2023
edited
Loading

(edit: reduced to just two commits now that #3997 has been merged)

During bugwash on 2023-10-16, I suggested to support overrides of the rate limits from VCL, because nowadays many environments can provide friend/foe metrics like "has a valid session" or "has passed a Turing test".

Using tight rate limits is important to keep adversaries in check, but for (likely) known good clients, one might want to lift limits.

This patch adds such per-session controls in the form of vmod h2.

The implementation via a custom vmod was preferred during bugwash over adding session variables like sess.h2_rapid_reset because they are transport specific. During the last VDD, we also agreed to move protocols into extensions with additional controls provided by vmods. This patch is a first step in this direction.

Ref #3996

@nigoroll nigoroll force-pushed the vmod_builtin_http2 branch 2 times, most recently from 1cb8b08 to 98c06b9 Compare October 17, 2023 14:07
@nigoroll nigoroll mentioned this pull request Oct 17, 2023
Closed
@nigoroll
Copy link
Member Author

nigoroll commented Oct 18, 2023
edited
Loading

Agreed on irc. Will merge after issues with previous commits have been addressed in the interest of future bisects.

@nigoroll nigoroll changed the title Add vmod builtin_http2 to control http rapid reset rate limits per session Add vmod_h2 to control http rapid reset rate limits per session Oct 18, 2023
@nigoroll
Copy rapid reset parameters to the h2 session
f820f80 
This will allow per-session adjustments and also significantly
lower the risk of inconsistent calculations in the rate limit
code during parameter changes.

Ref varnishcache#3996
@nigoroll
Add vmod_h2 to control rapid_reset parameters per session
2cfb561
@nigoroll nigoroll merged commit 2cfb561 into varnishcache:master Oct 18, 2023
1 check passed
@nigoroll nigoroll deleted the vmod_builtin_http2 branch October 18, 2023 13:15
This was referenced Oct 18, 2023
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@nigoroll