Add vmod_h2 to control http rapid reset rate limits per session #3999

Merged: 2 commits, Oct 18, 2023

nigoroll (Member) commented Oct 16, 2023

(edit: reduced to just two commits now that #3997 has been merged)

During bugwash on 2023-10-16, I suggested supporting overrides of the rate limits from VCL, because nowadays many environments can provide friend/foe metrics like "has a valid session" or "has passed a Turing test".

Using tight rate limits is important to keep adversaries in check, but for (likely) known good clients, one might want to lift limits.

This patch adds such per-session controls in the form of vmod h2.

The implementation via a custom vmod was preferred during bugwash over adding session variables like sess.h2_rapid_reset because they are transport specific. During the last VDD, we also agreed to move protocols into extensions with additional controls provided by vmods. This patch is a first step in this direction.

Ref #3996

nigoroll force-pushed the vmod_builtin_http2 branch 2 times, most recently from 1cb8b08 to 98c06b9 (October 17, 2023 14:07)

nigoroll (Member, Author) commented Oct 18, 2023

Agreed on irc. Will merge after issues with previous commits have been addressed in the interest of future bisects.

nigoroll changed the title from "Add vmod builtin_http2 to control http rapid reset rate limits per session" to "Add vmod_h2 to control http rapid reset rate limits per session" on Oct 18, 2023

This will allow per-session adjustments and also significantly
lower the risk of inconsistent calculations in the rate limit
code during parameter changes.

Ref varnishcache#3996