Merge commit from fork

Add configurable resource limits to prevent potential DoS vectors via connection/stream exhaustion on gRPC, HTTPS, and HTTPS/3 servers. New configuration plugins: - grpc_server: configure max_streams, max_connections - https: configure max_connections - https3: configure max_streams Changes: - Use netutil.LimitListener for connection limiting - Use gRPC MaxConcurrentStreams and message size limits - Add QUIC MaxIncomingStreams for HTTPS/3 stream limiting - Set secure defaults: 256 max streams, 200 max connections - Setting any limit to 0 means unbounded/fallback to previous impl Defaults are applied automatically when plugins are omitted from config. Includes tests and integration tests. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2025-12-20 09:05:14 -05:00 · 2025-12-18 05:08:59 +02:00
parent 0fb05f225c
commit 0d8cbb1a6b
24 changed files with 1689 additions and 24 deletions
--- a/plugin/grpc_server/setup.go
+++ b/plugin/grpc_server/setup.go
@@ -0,0 +1,79 @@
+package grpc_server
+
+import (
+	"strconv"
+
+	"github.com/coredns/caddy"
+	"github.com/coredns/coredns/core/dnsserver"
+	"github.com/coredns/coredns/plugin"
+)
+
+func init() {
+	caddy.RegisterPlugin("grpc_server", caddy.Plugin{
+		ServerType: "dns",
+		Action:     setup,
+	})
+}
+
+func setup(c *caddy.Controller) error {
+	err := parseGRPCServer(c)
+	if err != nil {
+		return plugin.Error("grpc_server", err)
+	}
+	return nil
+}
+
+func parseGRPCServer(c *caddy.Controller) error {
+	config := dnsserver.GetConfig(c)
+
+	// Skip the "grpc_server" directive itself
+	c.Next()
+
+	// Get any arguments on the "grpc_server" line
+	args := c.RemainingArgs()
+	if len(args) > 0 {
+		return c.ArgErr()
+	}
+
+	// Process all nested directives in the block
+	for c.NextBlock() {
+		switch c.Val() {
+		case "max_streams":
+			args := c.RemainingArgs()
+			if len(args) != 1 {
+				return c.ArgErr()
+			}
+			val, err := strconv.Atoi(args[0])
+			if err != nil {
+				return c.Errf("invalid max_streams value '%s': %v", args[0], err)
+			}
+			if val < 0 {
+				return c.Errf("max_streams must be a non-negative integer: %d", val)
+			}
+			if config.MaxGRPCStreams != nil {
+				return c.Err("max_streams already defined for this server block")
+			}
+			config.MaxGRPCStreams = &val
+		case "max_connections":
+			args := c.RemainingArgs()
+			if len(args) != 1 {
+				return c.ArgErr()
+			}
+			val, err := strconv.Atoi(args[0])
+			if err != nil {
+				return c.Errf("invalid max_connections value '%s': %v", args[0], err)
+			}
+			if val < 0 {
+				return c.Errf("max_connections must be a non-negative integer: %d", val)
+			}
+			if config.MaxGRPCConnections != nil {
+				return c.Err("max_connections already defined for this server block")
+			}
+			config.MaxGRPCConnections = &val
+		default:
+			return c.Errf("unknown property '%s'", c.Val())
+		}
+	}
+
+	return nil
+}