add timeouts to prevent slowloris attacks #22739
Branch force-pushed from 15b7ae5 to 50dfa2e.
**boruszak** left a comment:

I reviewed the docs updates and left suggestions to align with style guidelines. Otherwise LGTM!
Context line from the docs diff:

> Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDuration) for additional information.

Suggested change:

Original:
> #### Duration validation

Suggestion:
> #### Duration formatting validation

Suggested change:

Original:
> When configuring timeout and duration values, Consul validates the format and enforces minimum values where applicable. Invalid duration strings will cause the agent to fail to start with a descriptive error message.

Suggestion:
> When you configure timeout and duration values, Consul validates the formatting and enforces minimum values where applicable. When you use invalid duration strings, the agent will fail to start and the output will include a descriptive error message.

Suggested change:

Original:
> **Valid examples:**
> - `"10s"` - 10 seconds
> - `"1.5m"` - 1.5 minutes (90 seconds)
> - `"2h30m45s"` - Complex duration with hours, minutes, and seconds
> - `"0s"` - Zero duration (where allowed)

Suggestion:
> **Examples of valid duration formatting**:
> - `"10s"` - 10 seconds
> - `"1.5m"` - 1.5 minutes, equivalent to 90 seconds (`90s`)
> - `"2h30m45s"` - Complex duration with hours, minutes, and seconds
> - `"0s"` - Zero duration, although not all fields support this value.

Suggested change:

Original:
> **Invalid examples that will cause errors:**
> - `"10"` - Missing unit specification
> - `"10x"` - Invalid unit (`x` is not a recognized unit)
> - `""` - Empty string
> - `"abc"` - Non-numeric string
> - `"-5s"` - Negative durations (not accepted for timeout configurations)

Suggestion:
> **Examples of invalid formatting that produce errors**:
> - `"10"` - Missing unit specification
> - `"10x"` - Invalid unit, as `x` is not a recognized duration
> - `""` - Empty string
> - `"abc"` - Non-numeric string
> - `"-5s"` - Negative durations are not accepted for timeout configurations

Suggested change:

Original:
> **Minimum value enforcement:** Some timeout configurations enforce minimum values to prevent misconfigurations that could cause connection issues or security vulnerabilities. For example, handshake timeouts typically require a minimum of 1 second. When a configured value is below the minimum, Consul will report a validation error during startup.

Suggestion:
> Some timeout configurations enforce minimum values to prevent connection issues or security vulnerabilities. For example, handshake timeouts typically require a minimum of 1 second. When a configured value is below the minimum, Consul reports a validation error during startup.
…22741)

* - Added support for IPv6 virtual IP offset calculation and validation.
  - Upgraded `github.com/miekg/dns` dependency to v1.1.68.
  - Included `BindAddr` in agent endpoint and enabled binding logic in IP offset calculations.
  - Updated `go.mod` and `go.sum` to reflect dependency changes.
* Refactored `addIPOffset` to utilize `BindAddr` and introduced `getAgentBindAddr` for improved binding logic and IP offset calculation. Added utility function isDualStack
* Executed go mod tidy
* Refactored network utilities into `netutil` package and updated `catalog.go` to use new functions for improved modularity and clarity. Removed duplicate implementations of `GetAgentConfig` and `isDualStack`.
* Added comprehensive unit tests for `netutil` package covering `GetAgentConfig`, `GetAgentBindAddr`, and `IsDualStack`. Refactored functions to support mocking for improved testability.
* only retaining utility function changes.
* added changelog

* "Get started" section redirects
* deploy & secure
* Consul operations complete
* register & discover
* Finish service networking
* Enterprise, Runtimes, and Plugins sections
* Reference docs
* Adding private key JWT support for OIDC
📣 Hi @sanikachavan5! a backport is missing for this PR [22739] for versions [1.18,1.20,1.21] please perform the backport manually and add the following snippet to your backport PR description:
📣 Hi @sanikachavan5! a backport is missing for this PR [22739] for versions [1.18,1.20] please perform the backport manually and add the following snippet to your backport PR description:
📣 Hi @sanikachavan5! a backport is missing for this PR [22739] for versions [1.20] please perform the backport manually and add the following snippet to your backport PR description:
## Description

Ports hashicorp/consul#22739 to the web-unified docs. [Preview link](https://unified-docs-frontend-preview-a4nk8p4f1-hashicorp.vercel.app/consul/docs/reference/agent/configuration-file#duration-formatting-validation)
…and configuration options
…ut defaults and configuration options into release/1.22.x (#23248)

docs(#22739): update security note with HTTP server timeout defaults and configuration options (#23246)

* docs(#22739): update security note with HTTP server timeout defaults and configuration options
* fix the changelog
* update 22739.txt

Co-authored-by: Sanika Chavan <sanika.vikaschavan@hashicorp.com>
This pull request introduces security enhancements and configurability improvements for HTTP server timeouts in the agent and connect proxy, aiming to mitigate Slowloris and related denial-of-service attacks. It adds new configuration options for HTTP timeouts, ensures they are correctly parsed and validated, and updates both the agent and proxy to use these values. Comprehensive tests are added to verify correct behavior and edge cases.
## Description

Security and HTTP Timeout Enhancements:

- …`read_timeout`, `read_header_timeout`, `write_timeout`, `idle_timeout`) to `HTTPConfig` and `RuntimeConfig`, with sensible defaults and minimums, to protect against Slowloris and similar attacks (`agent/config/config.go`, `agent/config/runtime.go`, `agent/config/builder.go`, `agent/agent.go`).
- …`agent/agent.go`).
- …`--pprof-timeout`) and set minimums for security (`command/connect/proxy/proxy.go`).

Testing & Reproduction steps
Links
PR Checklist
PCI review checklist
I have documented a clear reason for, and description of, the change I am making.
If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
If applicable, I've documented the impact of any changes to security controls.
Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.
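The duration validation and timeout wiring the description and the docs suggestions refer to, as an added Go example that is not Consul's code: `ParseTimeout` applies the documented rules (Go duration syntax, no negatives, a per-field minimum) and `NewServer` maps the four config keys onto `http.Server`'s deadlines. The function names, the 1s floor on `read_header_timeout` and the error wording are assumptions for illustration, not Consul's actual values.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// ParseTimeout validates one configured duration string along the lines the
// docs describe: Go duration syntax, no negative values, optional floor.
// name is used only in error text; minimum is a hypothetical per-field floor
// (0 means "0s" is allowed). Consul's real floors and messages may differ.
func ParseTimeout(name, raw string, minimum time.Duration) (time.Duration, error) {
	if raw == "" {
		return 0, fmt.Errorf("%s: empty duration string", name)
	}
	d, err := time.ParseDuration(raw) // rejects "10", "10x" and "abc"
	if err != nil {
		return 0, fmt.Errorf("%s: %w", name, err)
	}
	if d < 0 {
		return 0, fmt.Errorf("%s: negative duration %q is not accepted", name, raw)
	}
	if d < minimum {
		return 0, fmt.Errorf("%s: %s is below the minimum of %s", name, d, minimum)
	}
	return d, nil
}

// NewServer parses the four keys from the PR and applies them to http.Server.
// Only read_header_timeout gets a 1s floor here (illustrative): a zero value
// means "no deadline", which lets a client dribble headers indefinitely,
// the Slowloris case; the other three deadlines may be "0s".
func NewServer(cfg map[string]string, h http.Handler) (*http.Server, error) {
	srv := &http.Server{Handler: h}
	for _, f := range []struct{ key string; dst *time.Duration; floor time.Duration }{
		{"read_timeout", &srv.ReadTimeout, 0},
		{"read_header_timeout", &srv.ReadHeaderTimeout, time.Second},
		{"write_timeout", &srv.WriteTimeout, 0},
		{"idle_timeout", &srv.IdleTimeout, 0},
	} {
		d, err := ParseTimeout(f.key, cfg[f.key], f.floor)
		if err != nil {
			return nil, err // the agent would refuse to start with this message
		}
		*f.dst = d
	}
	return srv, nil
}
```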