Add configurable resource limits to prevent potential DoS vectors
via connection/stream exhaustion on gRPC, HTTPS, and HTTPS/3 servers.
New configuration plugins:
- grpc_server: configure max_streams, max_connections
- https: configure max_connections
- https3: configure max_streams
Changes:
- Use netutil.LimitListener for connection limiting
- Use gRPC MaxConcurrentStreams and message size limits
- Add QUIC MaxIncomingStreams for HTTPS/3 stream limiting
- Set secure defaults: 256 max streams, 200 max connections
- Setting any limit to 0 means unbounded/fallback to previous impl
Defaults are applied automatically when plugins are omitted from
config.
Includes tests and integration tests.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
* fix: prevent QUIC reload panic by lazily initializing the listener
ServePacket on reload receives the reused PacketConn before the new
ServerQUIC has recreated its quic.Listener, so quicListener is nil and
the process panics. Lazily initialise quicListener from the provided
PacketConn when it’s nil and then proceed with ServeQUIC.
fixes: #7679
Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
* test: add regression test for QUIC reload panic
Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
---------
Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
