Add ReadHeaderTimeout to prevent Slowloris attacks

gatewayd-io · Sep 24, 2023 · 2b6f503 · 2b6f503
1 parent 6563cee
commit 2b6f503
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 11 deletions.
diff --git a/cmd/run.go b/cmd/run.go
@@ -402,8 +402,9 @@ var runCmd = &cobra.Command{
 
 			// Create a new metrics server.
 			metricsServer = &http.Server{
-				Addr:    metricsConfig.Address,
-				Handler: handler,
+				Addr:              metricsConfig.Address,
+				Handler:           handler,
+				ReadHeaderTimeout: metricsConfig.GetReadHeaderTimeout(),
 			}
 
 			// Start the metrics server.
@@ -414,7 +415,6 @@ var runCmd = &cobra.Command{
 		}(conf.Global.Metrics[config.Default], logger)
 
 		// This is a notification hook, so we don't care about the result.
-		// TODO: Use a context with a timeout
 		if data, ok := conf.GlobalKoanf.Get("loggers").(map[string]interface{}); ok {
 			_, err = pluginRegistry.Run(
 				pluginTimeoutCtx, data, v1.HookName_HOOK_NAME_ON_NEW_LOGGER)

diff --git a/config/config.go b/config/config.go
@@ -101,9 +101,10 @@ func (c *Config) LoadDefaults(ctx context.Context) {
 	}
 
 	defaultMetric := Metrics{
-		Enabled: true,
-		Address: DefaultMetricsAddress,
-		Path:    DefaultMetricsPath,
+		Enabled:           true,
+		Address:           DefaultMetricsAddress,
+		Path:              DefaultMetricsPath,
+		ReadHeaderTimeout: DefaultReadHeaderTimeout,
 	}
 
 	defaultClient := Client{

diff --git a/config/constants.go b/config/constants.go
@@ -123,8 +123,9 @@ const (
 	ChecksumBufferSize = 65536
 
 	// Metrics constants.
-	DefaultMetricsAddress = "localhost:9090"
-	DefaultMetricsPath    = "/metrics"
+	DefaultMetricsAddress    = "localhost:9090"
+	DefaultMetricsPath       = "/metrics"
+	DefaultReadHeaderTimeout = 10 * time.Second
 
 	// Sentry constants.
 	DefaultTraceSampleRate  = 0.2

diff --git a/config/getters.go b/config/getters.go
@@ -269,3 +269,10 @@ func GetDefaultConfigFilePath(filename string) string {
 	// The fallback is the current directory.
 	return filepath.Join("./", filename)
 }
+
+func (m Metrics) GetReadHeaderTimeout() time.Duration {
+	if m.ReadHeaderTimeout <= 0 {
+		return DefaultReadHeaderTimeout
+	}
+	return m.ReadHeaderTimeout
+}
diff --git a/config/getters_test.go b/config/getters_test.go
@@ -128,3 +128,9 @@ func TestGetPlugins(t *testing.T) {
 func TestGetDefaultConfigFilePath(t *testing.T) {
 	assert.Equal(t, GlobalConfigFilename, GetDefaultConfigFilePath(GlobalConfigFilename))
 }
+
+// TestGetReadTimeout tests the GetReadTimeout function.
+func TestGetReadHeaderTimeout(t *testing.T) {
+	metrics := Metrics{}
+	assert.Equal(t, DefaultReadHeaderTimeout, metrics.GetReadHeaderTimeout())
+}
diff --git a/config/types.go b/config/types.go
@@ -68,9 +68,10 @@ type Logger struct {
 }
 
 type Metrics struct {
-	Enabled bool   `json:"enabled"`
-	Address string `json:"address"`
-	Path    string `json:"path"`
+	Enabled           bool          `json:"enabled"`
+	Address           string        `json:"address"`
+	Path              string        `json:"path"`
+	ReadHeaderTimeout time.Duration `json:"readHeaderTimeout" jsonschema:"oneof_type=string;integer"`
 }
 
 type Pool struct {

diff --git a/gatewayd.yaml b/gatewayd.yaml
@@ -24,6 +24,7 @@ metrics:
     enabled: True
     address: localhost:9090
     path: /metrics
+    readHeaderTimeout: 10s # duration, prevents Slowloris attacks
 
 clients:
   default: