You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@trafficserver.apache.org by masaori335 <gi...@git.apache.org> on 2016/02/18 09:49:38 UTC
[GitHub] trafficserver pull request: TS-4087: Reduce SETTINGS_MAX_CONCURREN...
GitHub user masaori335 opened a pull request:
https://github.com/apache/trafficserver/pull/485
TS-4087: Reduce SETTINGS_MAX_CONCURRENT_STREAMS when too many streams
Add below variables in records.config
- proxy.config.http2.min_concurrent_streams_in
- proxy.config.http2.max_active_streams_in
When connection wide active streams are larger than proxy.config.http2.max_active_streams_in,
SETTINGS_MAX_CONCURRENT_STREAMS is reduced to proxy.config.http2.min_concurrent_streams_in.
[TS-4087](https://issues.apache.org/jira/browse/TS-4087)
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/masaori335/trafficserver ts-4087
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/trafficserver/pull/485.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #485
----
commit ed7552d78ed12ec42b8ac95ffdcf2b0932691211
Author: Masaori Koshiba <ma...@apache.org>
Date: 2016-02-15T11:57:25Z
TS-4087: Reduce SETTINGS_MAX_CONCURRENT_STREAMS when too many streams
Add below variables in records.config
- proxy.config.http2.min_concurrent_streams_in
- proxy.config.http2.max_active_streams_in
When connection wide active streams are larger than proxy.config.http2.max_active_streams_in,
SETTINGS_MAX_CONCURRENT_STREAMS is reduced to proxy.config.http2.min_concurrent_streams_in.
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: TS-4087: Reduce SETTINGS_MAX_CONCURREN...
Posted by bryancall <gi...@git.apache.org>.
Github user bryancall commented on the pull request:
https://github.com/apache/trafficserver/pull/485#issuecomment-198585206
How would this prevent a DDOS attack if clients established a bunch of connections and then made requests up to the max number of streams per connection (100)? I think it would be better to dynamically adjust the max stream when a new stream is created.
This is better then nothing, which we have now, so I am OK with it. :+1:
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: TS-4087: Reduce SETTINGS_MAX_CONCURREN...
Posted by masaori335 <gi...@git.apache.org>.
Github user masaori335 commented on the pull request:
https://github.com/apache/trafficserver/pull/485#issuecomment-188585450
1. Removed `max_active_streams_per_thread_in` and related code.
2. Set default value of `proxy.config.http2.max_active_streams_in` 0 for backward compatibility. ( 0 means no limitation)
PTAL
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: TS-4087: Reduce SETTINGS_MAX_CONCURREN...
Posted by bryancall <gi...@git.apache.org>.
Github user bryancall commented on the pull request:
https://github.com/apache/trafficserver/pull/485#issuecomment-187823737
I will take a look at this.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: TS-4087: Reduce SETTINGS_MAX_CONCURREN...
Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:
https://github.com/apache/trafficserver/pull/485
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: TS-4087: Reduce SETTINGS_MAX_CONCURREN...
Posted by masaori335 <gi...@git.apache.org>.
Github user masaori335 commented on the pull request:
https://github.com/apache/trafficserver/pull/485#issuecomment-199581399
That is good point. This patch doesn't cover such cases.
> I think it would be better to dynamically adjust the max stream when a new stream is created.
I agree. I'll file a new issue on JIRA.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: TS-4087: Reduce SETTINGS_MAX_CONCURREN...
Posted by masaori335 <gi...@git.apache.org>.
Github user masaori335 commented on a diff in the pull request:
https://github.com/apache/trafficserver/pull/485#discussion_r54039631
--- Diff: proxy/http2/Http2ConnectionState.cc ---
@@ -1160,3 +1162,31 @@ Http2ConnectionState::send_window_update_frame(Http2StreamId id, uint32_t size)
SCOPED_MUTEX_LOCK(lock, this->ua_session->mutex, this_ethread());
this->ua_session->handleEvent(HTTP2_SESSION_EVENT_XMIT, &window_update);
}
+
+// Return min_concurrent_streams_in when current client streams number is larger than max_active_streams_in.
+// Main purpose of this is preventing DDoS Attacks.
+unsigned
+Http2ConnectionState::_adjust_concurrent_stream()
+{
+ int64_t current_client_streams = 0;
+ RecGetRawStatSum(http2_rsb, HTTP2_STAT_CURRENT_CLIENT_STREAM_COUNT, ¤t_client_streams);
--- End diff --
Ah, `RecGetRawStatSum` gets global + thread local stats. I'll fix this. Thanks.
I thought `RecGetGlobalRawStatSum` is global and `RecGetRawStatSum` is thread local one;)
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: TS-4087: Reduce SETTINGS_MAX_CONCURREN...
Posted by bryancall <gi...@git.apache.org>.
Github user bryancall commented on a diff in the pull request:
https://github.com/apache/trafficserver/pull/485#discussion_r54014800
--- Diff: proxy/http2/Http2ConnectionState.cc ---
@@ -1160,3 +1162,31 @@ Http2ConnectionState::send_window_update_frame(Http2StreamId id, uint32_t size)
SCOPED_MUTEX_LOCK(lock, this->ua_session->mutex, this_ethread());
this->ua_session->handleEvent(HTTP2_SESSION_EVENT_XMIT, &window_update);
}
+
+// Return min_concurrent_streams_in when current client streams number is larger than max_active_streams_in.
+// Main purpose of this is preventing DDoS Attacks.
+unsigned
+Http2ConnectionState::_adjust_concurrent_stream()
+{
+ int64_t current_client_streams = 0;
+ RecGetRawStatSum(http2_rsb, HTTP2_STAT_CURRENT_CLIENT_STREAM_COUNT, ¤t_client_streams);
--- End diff --
This is getting the total stream value across all the threads and then you are comparing it to the per thread value below.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---