HTTP/2 max concurrent streams can be configured (projectcontour#5850)

Adds a global Listener configuration field for admins to be able to
protect their installations of Contour/Envoy with a limit. Default is no
limit to ensure existing behavior is not impacted for valid traffic.
This field can be used for tuning resource usage or mitigated DOS
attacks like in CVE-2023-44487.

Also fixes omitempty tags on MaxRequestsPerIOCycle field.

Fixes: projectcontour#5846

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>

apis/projectcontour/v1alpha1/contourconfig.go

@@ -370,7 +370,18 @@ type EnvoyListenerConfig struct {
 	//
 	// +kubebuilder:validation:Minimum=1
 	// +optional
-	MaxRequestsPerIOCycle *uint32 `json:"maxRequestsPerIOCycle"`
+	MaxRequestsPerIOCycle *uint32 `json:"maxRequestsPerIOCycle,omitempty"`
+
+	// Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the
+	// SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed
+	// for a peer on a single HTTP/2 connection. It is recommended to not set this lower
+	// than 100 but this field can be used to bound resource usage by HTTP/2 connections
+	// and mitigate attacks like CVE-2023-44487. The default value when this is not set is
+	// unlimited.
+	//
+	// +kubebuilder:validation:Minimum=1
+	// +optional
+	HTTP2MaxConcurrentStreams *uint32 `json:"httpMaxConcurrentStreams,omitempty"`
 }
 
 // EnvoyTLS describes tls parameters for Envoy listneners.

changelogs/unreleased/5850-sunjayBhatia-minor.md

@@ -0,0 +1,11 @@
+## HTTP/2 max concurrent streams is configurable
+
+This field can be used to limit the number of concurrent streams Envoy will allow on a single connection from a downstream peer.
+It can be used to tune resource usage and as a mitigation for DOS attacks arising from vulnerabilities like CVE-2023-44487.
+
+The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:
+
+```
+listener:
+  http2-max-concurrent-streams: 50
+```

cmd/contour/serve.go

@@ -365,6 +365,7 @@ func (s *Server) doServe() error {
 		ServerHeaderTransformation:   contourConfiguration.Envoy.Listener.ServerHeaderTransformation,
 		XffNumTrustedHops:            *contourConfiguration.Envoy.Network.XffNumTrustedHops,
 		ConnectionBalancer:           contourConfiguration.Envoy.Listener.ConnectionBalancer,
+		HTTP2MaxConcurrentStreams:    contourConfiguration.Envoy.Listener.HTTP2MaxConcurrentStreams,
 	}
 
 	if listenerConfig.RateLimitConfig, err = s.setupRateLimitService(contourConfiguration); err != nil {

cmd/contour/servecontext.go

@@ -455,6 +455,7 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
 				ServerHeaderTransformation: serverHeaderTransformation,
 				ConnectionBalancer:         ctx.Config.Listener.ConnectionBalancer,
 				MaxRequestsPerIOCycle:      ctx.Config.Listener.MaxRequestsPerIOCycle,
+				HTTP2MaxConcurrentStreams:  ctx.Config.Listener.HTTP2MaxConcurrentStreams,
 				TLS: &contour_api_v1alpha1.EnvoyTLS{
 					MinimumProtocolVersion: ctx.Config.TLS.MinimumProtocolVersion,
 					CipherSuites:           cipherSuites,

cmd/contour/servecontext_test.go

@@ -702,10 +702,12 @@ func TestConvertServeContext(t *testing.T) {
 		"envoy listener settings": {
 			getServeContext: func(ctx *serveContext) *serveContext {
 				ctx.Config.Listener.MaxRequestsPerIOCycle = ref.To(uint32(10))
+				ctx.Config.Listener.HTTP2MaxConcurrentStreams = ref.To(uint32(30))
 				return ctx
 			},
 			getContourConfiguration: func(cfg contour_api_v1alpha1.ContourConfigurationSpec) contour_api_v1alpha1.ContourConfigurationSpec {
 				cfg.Envoy.Listener.MaxRequestsPerIOCycle = ref.To(uint32(10))
+				cfg.Envoy.Listener.HTTP2MaxConcurrentStreams = ref.To(uint32(30))
 				return cfg
 			},
 		},

examples/contour/01-crds.yaml

@@ -180,6 +180,18 @@ spec:
                           slashes from request URL paths. \n Contour's default is
                           false."
                         type: boolean
+                      httpMaxConcurrentStreams:
+                        description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                          Envoy will advertise in the SETTINGS frame in HTTP/2 connections
+                          and the limit for concurrent streams allowed for a peer
+                          on a single HTTP/2 connection. It is recommended to not
+                          set this lower than 100 but this field can be used to bound
+                          resource usage by HTTP/2 connections and mitigate attacks
+                          like CVE-2023-44487. The default value when this is not
+                          set is unlimited.
+                        format: int32
+                        minimum: 1
+                        type: integer
                       maxRequestsPerIOCycle:
                         description: Defines the limit on number of HTTP requests
                           that Envoy will process from a single connection in a single
@@ -3208,6 +3220,18 @@ spec:
                               duplicate slashes from request URL paths. \n Contour's
                               default is false."
                             type: boolean
+                          httpMaxConcurrentStreams:
+                            description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                              Envoy will advertise in the SETTINGS frame in HTTP/2
+                              connections and the limit for concurrent streams allowed
+                              for a peer on a single HTTP/2 connection. It is recommended
+                              to not set this lower than 100 but this field can be
+                              used to bound resource usage by HTTP/2 connections and
+                              mitigate attacks like CVE-2023-44487. The default value
+                              when this is not set is unlimited.
+                            format: int32
+                            minimum: 1
+                            type: integer
                           maxRequestsPerIOCycle:
                             description: Defines the limit on number of HTTP requests
                               that Envoy will process from a single connection in

examples/render/contour-deployment.yaml

@@ -393,6 +393,18 @@ spec:
                           slashes from request URL paths. \n Contour's default is
                           false."
                         type: boolean
+                      httpMaxConcurrentStreams:
+                        description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                          Envoy will advertise in the SETTINGS frame in HTTP/2 connections
+                          and the limit for concurrent streams allowed for a peer
+                          on a single HTTP/2 connection. It is recommended to not
+                          set this lower than 100 but this field can be used to bound
+                          resource usage by HTTP/2 connections and mitigate attacks
+                          like CVE-2023-44487. The default value when this is not
+                          set is unlimited.
+                        format: int32
+                        minimum: 1
+                        type: integer
                       maxRequestsPerIOCycle:
                         description: Defines the limit on number of HTTP requests
                           that Envoy will process from a single connection in a single
@@ -3421,6 +3433,18 @@ spec:
                               duplicate slashes from request URL paths. \n Contour's
                               default is false."
                             type: boolean
+                          httpMaxConcurrentStreams:
+                            description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                              Envoy will advertise in the SETTINGS frame in HTTP/2
+                              connections and the limit for concurrent streams allowed
+                              for a peer on a single HTTP/2 connection. It is recommended
+                              to not set this lower than 100 but this field can be
+                              used to bound resource usage by HTTP/2 connections and
+                              mitigate attacks like CVE-2023-44487. The default value
+                              when this is not set is unlimited.
+                            format: int32
+                            minimum: 1
+                            type: integer
                           maxRequestsPerIOCycle:
                             description: Defines the limit on number of HTTP requests
                               that Envoy will process from a single connection in

examples/render/contour-gateway-provisioner.yaml

@@ -194,6 +194,18 @@ spec:
                           slashes from request URL paths. \n Contour's default is
                           false."
                         type: boolean
+                      httpMaxConcurrentStreams:
+                        description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                          Envoy will advertise in the SETTINGS frame in HTTP/2 connections
+                          and the limit for concurrent streams allowed for a peer
+                          on a single HTTP/2 connection. It is recommended to not
+                          set this lower than 100 but this field can be used to bound
+                          resource usage by HTTP/2 connections and mitigate attacks
+                          like CVE-2023-44487. The default value when this is not
+                          set is unlimited.
+                        format: int32
+                        minimum: 1
+                        type: integer
                       maxRequestsPerIOCycle:
                         description: Defines the limit on number of HTTP requests
                           that Envoy will process from a single connection in a single
@@ -3222,6 +3234,18 @@ spec:
                               duplicate slashes from request URL paths. \n Contour's
                               default is false."
                             type: boolean
+                          httpMaxConcurrentStreams:
+                            description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                              Envoy will advertise in the SETTINGS frame in HTTP/2
+                              connections and the limit for concurrent streams allowed
+                              for a peer on a single HTTP/2 connection. It is recommended
+                              to not set this lower than 100 but this field can be
+                              used to bound resource usage by HTTP/2 connections and
+                              mitigate attacks like CVE-2023-44487. The default value
+                              when this is not set is unlimited.
+                            format: int32
+                            minimum: 1
+                            type: integer
                           maxRequestsPerIOCycle:
                             description: Defines the limit on number of HTTP requests
                               that Envoy will process from a single connection in

examples/render/contour-gateway.yaml

@@ -399,6 +399,18 @@ spec:
                           slashes from request URL paths. \n Contour's default is
                           false."
                         type: boolean
+                      httpMaxConcurrentStreams:
+                        description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                          Envoy will advertise in the SETTINGS frame in HTTP/2 connections
+                          and the limit for concurrent streams allowed for a peer
+                          on a single HTTP/2 connection. It is recommended to not
+                          set this lower than 100 but this field can be used to bound
+                          resource usage by HTTP/2 connections and mitigate attacks
+                          like CVE-2023-44487. The default value when this is not
+                          set is unlimited.
+                        format: int32
+                        minimum: 1
+                        type: integer
                       maxRequestsPerIOCycle:
                         description: Defines the limit on number of HTTP requests
                           that Envoy will process from a single connection in a single
@@ -3427,6 +3439,18 @@ spec:
                               duplicate slashes from request URL paths. \n Contour's
                               default is false."
                             type: boolean
+                          httpMaxConcurrentStreams:
+                            description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                              Envoy will advertise in the SETTINGS frame in HTTP/2
+                              connections and the limit for concurrent streams allowed
+                              for a peer on a single HTTP/2 connection. It is recommended
+                              to not set this lower than 100 but this field can be
+                              used to bound resource usage by HTTP/2 connections and
+                              mitigate attacks like CVE-2023-44487. The default value
+                              when this is not set is unlimited.
+                            format: int32
+                            minimum: 1
+                            type: integer
                           maxRequestsPerIOCycle:
                             description: Defines the limit on number of HTTP requests
                               that Envoy will process from a single connection in

examples/render/contour.yaml

@@ -393,6 +393,18 @@ spec:
                           slashes from request URL paths. \n Contour's default is
                           false."
                         type: boolean
+                      httpMaxConcurrentStreams:
+                        description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                          Envoy will advertise in the SETTINGS frame in HTTP/2 connections
+                          and the limit for concurrent streams allowed for a peer
+                          on a single HTTP/2 connection. It is recommended to not
+                          set this lower than 100 but this field can be used to bound
+                          resource usage by HTTP/2 connections and mitigate attacks
+                          like CVE-2023-44487. The default value when this is not
+                          set is unlimited.
+                        format: int32
+                        minimum: 1
+                        type: integer
                       maxRequestsPerIOCycle:
                         description: Defines the limit on number of HTTP requests
                           that Envoy will process from a single connection in a single
@@ -3421,6 +3433,18 @@ spec:
                               duplicate slashes from request URL paths. \n Contour's
                               default is false."
                             type: boolean
+                          httpMaxConcurrentStreams:
+                            description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                              Envoy will advertise in the SETTINGS frame in HTTP/2
+                              connections and the limit for concurrent streams allowed
+                              for a peer on a single HTTP/2 connection. It is recommended
+                              to not set this lower than 100 but this field can be
+                              used to bound resource usage by HTTP/2 connections and
+                              mitigate attacks like CVE-2023-44487. The default value
+                              when this is not set is unlimited.
+                            format: int32
+                            minimum: 1
+                            type: integer
                           maxRequestsPerIOCycle:
                             description: Defines the limit on number of HTTP requests
                               that Envoy will process from a single connection in

internal/contourconfig/contourconfiguration_test.go

@@ -55,6 +55,7 @@ func TestOverlayOnDefaults(t *testing.T) {
 				UseProxyProto:              ref.To(true),
 				DisableAllowChunkedLength:  ref.To(true),
 				DisableMergeSlashes:        ref.To(true),
+				HTTP2MaxConcurrentStreams:  ref.To(uint32(10)),
 				ServerHeaderTransformation: contour_api_v1alpha1.PassThroughServerHeader,
 				ConnectionBalancer:         "yesplease",
 				TLS: &contour_api_v1alpha1.EnvoyTLS{

internal/envoy/v3/listener.go

@@ -165,6 +165,7 @@ type httpConnectionManagerBuilder struct {
 	serverHeaderTransformation    http.HttpConnectionManager_ServerHeaderTransformation
 	forwardClientCertificate      *dag.ClientCertificateDetails
 	numTrustedHops                uint32
+	http2MaxConcurrentStreams     *uint32
 }
 
 // RouteConfigName sets the name of the RDS element that contains
@@ -265,6 +266,11 @@ func (b *httpConnectionManagerBuilder) NumTrustedHops(num uint32) *httpConnectio
 	return b
 }
 
+func (b *httpConnectionManagerBuilder) HTTP2MaxConcurrentStreams(http2MaxConcurrentStreams *uint32) *httpConnectionManagerBuilder {
+	b.http2MaxConcurrentStreams = http2MaxConcurrentStreams
+	return b
+}
+
 func (b *httpConnectionManagerBuilder) DefaultFilters() *httpConnectionManagerBuilder {
 
 	// Add a default set of ordered http filters.
@@ -507,6 +513,12 @@ func (b *httpConnectionManagerBuilder) Get() *envoy_listener_v3.Filter {
 		}
 	}
 
+	if b.http2MaxConcurrentStreams != nil {
+		cm.Http2ProtocolOptions = &envoy_core_v3.Http2ProtocolOptions{
+			MaxConcurrentStreams: wrapperspb.UInt32(*b.http2MaxConcurrentStreams),
+		}
+	}
+
 	return &envoy_listener_v3.Filter{
 		Name: wellknown.HTTPConnectionManager,
 		ConfigType: &envoy_listener_v3.Filter_TypedConfig{