diff options
| author | Igor Drozdov <idrozdov@gitlab.com> | 2022-05-19 13:10:14 +0400 |
|---|---|---|
| committer | Igor Drozdov <idrozdov@gitlab.com> | 2022-05-19 18:53:08 +0400 |
| commit | 5b94726b822b52ffe256820df1a24307b2e2072f (patch) | |
| tree | c069f3096f02b441b4a7802bf4998cd98ae4c9c0 | |
| parent | cbce19dac2b5033e6b969b3e82ec6aad2e247757 (diff) | |
| download | gitlab-shell-5b94726b822b52ffe256820df1a24307b2e2072f.tar.gz | |
Make ProxyHeaderTimeout configurable
Issue: https://gitlab.com/gitlab-org/gitlab-shell/-/issues/576
ProxyHeaderTimeout must be small to avoid DoS risk
Let's make the value configurable and 500ms by default
| -rw-r--r-- | config.yml.example | 2 | ||||
| -rw-r--r-- | internal/config/config.go | 2 | ||||
| -rw-r--r-- | internal/config/config_test.go | 13 | ||||
| -rw-r--r-- | internal/sshd/sshd.go | 3 | ||||
| -rw-r--r-- | internal/testhelper/testdata/testroot/config.yml | 1 |
5 files changed, 13 insertions, 8 deletions
diff --git a/config.yml.example b/config.yml.example index 6c4bf0f..0e75d75 100644 --- a/config.yml.example +++ b/config.yml.example @@ -80,6 +80,8 @@ sshd: client_alive_interval: 15 # The server waits for this time (in seconds) for the ongoing connections to complete before shutting down. Defaults to 10. grace_period: 10 + # A short timeout to decide to abort the connection if the protocol header is not seen within it. Defaults to 500ms + proxy_header_timeout: 500ms # The endpoint that returns 200 OK if the server is ready to receive incoming connections; otherwise, it returns 503 Service Unavailable. Defaults to "/start". readiness_probe: "/start" # The endpoint that returns 200 OK if the server is alive. Defaults to "/health". diff --git a/internal/config/config.go b/internal/config/config.go index 69158b0..9e95931 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -31,6 +31,7 @@ type ServerConfig struct { ConcurrentSessionsLimit int64 `yaml:"concurrent_sessions_limit,omitempty"` ClientAliveInterval yamlDuration `yaml:"client_alive_interval,omitempty"` GracePeriod yamlDuration `yaml:"grace_period"` + ProxyHeaderTimeout yamlDuration `yaml:"proxy_header_timeout"` ReadinessProbe string `yaml:"readiness_probe"` LivenessProbe string `yaml:"liveness_probe"` HostKeyFiles []string `yaml:"host_key_files,omitempty"` @@ -86,6 +87,7 @@ var ( ConcurrentSessionsLimit: 10, GracePeriod: yamlDuration(10 * time.Second), ClientAliveInterval: yamlDuration(15 * time.Second), + ProxyHeaderTimeout: yamlDuration(500 * time.Millisecond), ReadinessProbe: "/start", LivenessProbe: "/health", HostKeyFiles: []string{ diff --git a/internal/config/config_test.go b/internal/config/config_test.go index b3e1a2e..9d9e20a 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go @@ -5,9 +5,9 @@ import ( "testing" "time" - yaml "gopkg.in/yaml.v2" "github.com/prometheus/client_golang/prometheus" "github.com/stretchr/testify/require" + yaml "gopkg.in/yaml.v2" "gitlab.com/gitlab-org/gitlab-shell/client/testserver" "gitlab.com/gitlab-org/gitlab-shell/internal/testhelper" @@ -67,14 +67,15 @@ func TestNewFromDir(t *testing.T) { cfg, err := NewFromDir(testhelper.TestRoot) require.NoError(t, err) - require.Equal(t, 10 * time.Second, time.Duration(cfg.Server.GracePeriod)) - require.Equal(t, 1 * time.Minute, time.Duration(cfg.Server.ClientAliveInterval)) + require.Equal(t, 10*time.Second, time.Duration(cfg.Server.GracePeriod)) + require.Equal(t, 1*time.Minute, time.Duration(cfg.Server.ClientAliveInterval)) + require.Equal(t, 500*time.Millisecond, time.Duration(cfg.Server.ProxyHeaderTimeout)) } func TestYAMLDuration(t *testing.T) { - testCases := []struct{ - desc string - data string + testCases := []struct { + desc string + data string duration time.Duration }{ {"seconds assumed by default", "duration: 10", 10 * time.Second}, diff --git a/internal/sshd/sshd.go b/internal/sshd/sshd.go index a9cd302..4d4d6d5 100644 --- a/internal/sshd/sshd.go +++ b/internal/sshd/sshd.go @@ -26,7 +26,6 @@ const ( StatusReady StatusOnShutdown StatusClosed - ProxyHeaderTimeout = 90 * time.Second ) type Server struct { @@ -97,7 +96,7 @@ func (s *Server) listen(ctx context.Context) error { sshListener = &proxyproto.Listener{ Listener: sshListener, Policy: s.requirePolicy, - ReadHeaderTimeout: ProxyHeaderTimeout, + ReadHeaderTimeout: time.Duration(s.Config.Server.ProxyHeaderTimeout), } log.ContextLogger(ctx).Info("Proxy protocol is enabled") diff --git a/internal/testhelper/testdata/testroot/config.yml b/internal/testhelper/testdata/testroot/config.yml index c100621..89d7b73 100644 --- a/internal/testhelper/testdata/testroot/config.yml +++ b/internal/testhelper/testdata/testroot/config.yml @@ -1,3 +1,4 @@ sshd: grace_period: 10 client_alive_interval: 1m + proxy_header_timeout: 500ms |