Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2020/11/04 20:13:27 UTC

[GitHub] [trafficcontrol] dsouza93 opened a new issue #5244: Limit request_header_max_size per DS

dsouza93 opened a new issue #5244:
URL: https://github.com/apache/trafficcontrol/issues/5244


   
   ## I'm submitting a ...
   -  new feature / enhancement request
   
   ## Traffic Control components affected ...
   -  Documentation
   -  Traffic Ops
   -  Traffic Ops ORT
   -  Traffic Portal
   
   ## Current behavior:
   Currently, ATS' request_header_max_size is only configurable globally. It is not set on a per delivery service basis. Delivery service owners should have the ability to increase their header_max_size above the global limit if their origin is capable of handling that request and it is required for their delivery lane.
   
   ## New behavior:
   It would be ideal if Request Max Header Size was an additional configurable value in the Delivery Service config and integrated into Traffic Portal as a field.  
   
   The request_header_max_size value is not overridable using header rewrite, so ATC would likely need to configure ATS under the hood by injecting:

   ```
   # run at the remap pseudo hook, once the request has been remapped to this delivery service
   cond %{REMAP_PSEUDO_HOOK}
   # reject when the client request header length exceeds the configured limit (placeholder value)
   cond %<cqhl> > {Configured Value in Bytes}
   set-status 400
   ```

   into the delivery service's header rewrite.
   
   It is also worth noting that we would keep the global variable in play, set higher than our default as a last line of defense. If the Delivery service configured value is higher than the global, it will be useless as the global takes precedence. It would be nice if either the Portal or TO could prevent the user from that misconfiguration. 
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
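Added example, not code from the issue or from the Traffic Control project: a Go sketch (Traffic Ops is written in Go) of the two pieces the issue describes, the header_rewrite rule that ATC would inject into a delivery service's header rewrite text, and the Traffic Ops side check that a per-DS value above the global proxy.config.http.request_header_max_size is a misconfiguration because the global limit is enforced first and the DS value can only tighten it. The function names, the managed-rule marker comment, the constructed sample header rewrite text and the hard-coded global default are all assumptions of this example; the `%<cqhl>` condition line is reproduced as proposed in the issue and is not verified here. Later in this thread the global-vs-DS check was dropped from the scope of the PR, so it appears here only to show why a DS value above the global limit never takes effect.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DefaultGlobalRequestHeaderMaxSize is the value this example assumes for the
// global proxy.config.http.request_header_max_size (131072 bytes is the ATS
// default). A real implementation would read the server's records.config
// Parameter from Traffic Ops instead of hard-coding it.
const DefaultGlobalRequestHeaderMaxSize = 131072

// ruleMarker is a hypothetical comment line used to find and replace the
// managed rule on re-runs (header_rewrite treats lines starting with '#' as comments).
const ruleMarker = "# ATC-managed rule: per-DS request header size limit"

// ErrExceedsGlobal is returned when the per-DS value could never take effect,
// because ATS enforces the global limit while parsing, before remap runs.
var ErrExceedsGlobal = errors.New("delivery service limit exceeds the global ATS request_header_max_size")

// ValidateRequestHeaderMaxSize is the check the issue asks Traffic Ops or
// Traffic Portal to perform: reject non-positive values and values above the
// global limit, which would be silently useless.
func ValidateRequestHeaderMaxSize(dsLimit, globalLimit int) error {
	if globalLimit <= 0 {
		return fmt.Errorf("invalid global request_header_max_size %d", globalLimit)
	}
	if dsLimit <= 0 {
		return fmt.Errorf("invalid delivery service request header max size %d", dsLimit)
	}
	if dsLimit > globalLimit {
		return fmt.Errorf("%w: %d > %d", ErrExceedsGlobal, dsLimit, globalLimit)
	}
	return nil
}

// EffectiveRequestHeaderLimit is the limit a client actually hits: the global
// parser limit always wins, so a per-DS value can only lower it.
func EffectiveRequestHeaderLimit(dsLimit, globalLimit int) int {
	if dsLimit <= 0 || dsLimit > globalLimit {
		return globalLimit
	}
	return dsLimit
}

// HeaderRewriteForRequestHeaderMaxSize renders the header_rewrite fragment the
// issue proposes, with the placeholder replaced by the DS value in bytes.
func HeaderRewriteForRequestHeaderMaxSize(dsLimit int) string {
	return fmt.Sprintf("cond %%{REMAP_PSEUDO_HOOK}\ncond %%<cqhl> > %d\nset-status 400\n", dsLimit)
}

// InjectRequestHeaderLimitRule prepends the managed rule to a delivery
// service's existing header rewrite text. A previously injected managed rule
// (marker line through the next blank line) is dropped first, so re-applying
// the function is idempotent and never duplicates the rule.
func InjectRequestHeaderLimitRule(existing string, dsLimit int) string {
	var kept []string
	skipping := false
	for _, line := range strings.Split(existing, "\n") {
		trimmed := strings.TrimSpace(line)
		switch {
		case trimmed == ruleMarker:
			skipping = true
		case skipping && trimmed == "":
			skipping = false // a blank line closes the old managed block
		case skipping:
			// still inside the old managed block: discard
		default:
			kept = append(kept, line)
		}
	}
	out := ruleMarker + "\n" + HeaderRewriteForRequestHeaderMaxSize(dsLimit)
	if rest := strings.TrimSpace(strings.Join(kept, "\n")); rest != "" {
		out += "\n" + rest + "\n"
	}
	return out
}

func main() {
	// Constructed input: an existing DS header rewrite with one unrelated rule.
	existing := "cond %{STATUS} = 200\nset-header X-Cache-Policy \"public\"\n"
	const dsLimit = 65536

	if err := ValidateRequestHeaderMaxSize(dsLimit, DefaultGlobalRequestHeaderMaxSize); err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Print(InjectRequestHeaderLimitRule(existing, dsLimit))
	fmt.Println("effective limit:", EffectiveRequestHeaderLimit(dsLimit, DefaultGlobalRequestHeaderMaxSize))
	fmt.Println("misconfig:", ValidateRequestHeaderMaxSize(262144, DefaultGlobalRequestHeaderMaxSize))
}
```

The managed rule is placed first so it is evaluated before any operator rules the DS owner already has, and the marker comment lets a config regeneration replace its own rule instead of appending another copy on every ORT run.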



[GitHub] [trafficcontrol] rob05c commented on issue #5244: Limit request_header_max_size per DS

Posted by GitBox <gi...@apache.org>.
rob05c commented on issue #5244:
URL: https://github.com/apache/trafficcontrol/issues/5244#issuecomment-722018689


   +1 - this is something every DS owner should at least think about. Setting it poorly is a security vulnerability on their end.
   The options are DS field, Parameter, or custom Header Rewrite text. The latter two are unintuitive and dangerous. IMO this is important enough to warrant a DS field.





[GitHub] [trafficcontrol] rob05c closed issue #5244: Limit request_header_max_size per DS

Posted by GitBox <gi...@apache.org>.
rob05c closed issue #5244:
URL: https://github.com/apache/trafficcontrol/issues/5244


   





[GitHub] [trafficcontrol] srijeet0406 commented on issue #5244: Limit request_header_max_size per DS

Posted by GitBox <gi...@apache.org>.
srijeet0406 commented on issue #5244:
URL: https://github.com/apache/trafficcontrol/issues/5244#issuecomment-737584389


   Talked to @dsouza93 and @rob05c .
   Dylan said that the check to see if the DS specific request header size is > the global max value is not needed.
   Rob mentioned that the ORT effort should be its own separate issue/ticket. So the PR https://github.com/apache/trafficcontrol/pull/5345 just deals with adding an extra field to the DS structure in TO/TP.

