lib/netutil: limit the time needed for reading proxy protocol headers

This should protect against misconfigured proxies and possible Slowloris-type DoS attacks
(see https://en.wikipedia.org/wiki/Slowloris_(computer_security) )

Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/3335
This commit is contained in:
Aliaksandr Valialkin 2023-01-26 23:45:36 -08:00
parent cb374677a9
commit 28d92a2f31
No known key found for this signature in database
GPG key ID: A72BEC6CD3D0DED1


@ -5,6 +5,7 @@ import (
"fmt"
"io"
"net"
"time"
"github.com/VictoriaMetrics/VictoriaMetrics/lib/bytesutil"
)
@ -15,6 +16,12 @@ type proxyProtocolConn struct {
}
func newProxyProtocolConn(c net.Conn) (net.Conn, error) {
// Limit the time needed for reading the proxy protocol header.
d := time.Now().Add(5 * time.Second)
if err := c.SetReadDeadline(d); err != nil {
return nil, fmt.Errorf("cannot set deadline for reading proxy protocol header: %s", err)
}
remoteAddr, err := readProxyProto(c)
if err != nil {
return nil, fmt.Errorf("proxy protocol error: %w", err)
@ -22,6 +29,12 @@ func newProxyProtocolConn(c net.Conn) (net.Conn, error) {
if remoteAddr == nil {
remoteAddr = c.RemoteAddr()
}
// Reset the read deadline.
if err := c.SetReadDeadline(time.Time{}); err != nil {
return nil, fmt.Errorf("cannot reset deadline after reading proxy protocol header: %s", err)
}
return &proxyProtocolConn{
Conn: c,
remoteAddr: remoteAddr,