3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-06 10:21:05 +02:00
Code Issues Projects Releases Packages Wiki Activity

proxy: support websocket timeouts (#1362)

Browse source
This commit is contained in:
Caleb Doxsey 2020-09-02 07:55:57 -06:00 committed by GitHub
parent e4e6abfd29
commit f6b622c7dc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 39 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/reference/readme.md
View file

@ -1216,7 +1216,7 @@ If set, enables proxying of websocket connections.
:::warning :::warning
**Use with caution:** websockets are long-lived connections, so [global timeouts](#global-timeouts) are not enforced. Allowing websocket connections to the proxy could result in abuse via [DOS attacks](https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/). **Use with caution:** websockets are long-lived connections, so [global timeouts](#global-timeouts) are not enforced (though the policy-specific `timeout` is enforced). Allowing websocket connections to the proxy could result in abuse via [DOS attacks](https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/).
::: :::

8
internal/controlplane/xds_routes.go
View file

@ -223,8 +223,12 @@ func getRequestHeadersToRemove(options *config.Options, policy *config.Policy) [
func getRouteTimeout(options *config.Options, policy *config.Policy) *durationpb.Duration { func getRouteTimeout(options *config.Options, policy *config.Policy) *durationpb.Duration {
var routeTimeout *durationpb.Duration var routeTimeout *durationpb.Duration
if policy.AllowWebsockets { if policy.AllowWebsockets {
// disable the route timeout for websocket support if policy.UpstreamTimeout != 0 {
routeTimeout = ptypes.DurationProto(0) routeTimeout = ptypes.DurationProto(policy.UpstreamTimeout)
} else {
// disable the default route timeout for websocket support
routeTimeout = ptypes.DurationProto(0)
}
} else { } else {
if policy.UpstreamTimeout != 0 { if policy.UpstreamTimeout != 0 {
routeTimeout = ptypes.DurationProto(policy.UpstreamTimeout) routeTimeout = ptypes.DurationProto(policy.UpstreamTimeout)

33
internal/controlplane/xds_routes_test.go
View file

@ -276,6 +276,14 @@ func Test_buildPolicyRoutes(t *testing.T) {
PreserveHostHeader: true, PreserveHostHeader: true,
PassIdentityHeaders: true, PassIdentityHeaders: true,
}, },
{
Source: &config.StringURL{URL: mustParseURL("https://example.com")},
Path: "/websocket-timeout",
AllowWebsockets: true,
PreserveHostHeader: true,
PassIdentityHeaders: true,
UpstreamTimeout: time.Second * 10,
},
}, },
}, "example.com") }, "example.com")
@ -429,7 +437,7 @@ func Test_buildPolicyRoutes(t *testing.T) {
{ "enabled": true, "upgradeType": "spdy/3.1"} { "enabled": true, "upgradeType": "spdy/3.1"}
] ]
} }
}, },
{ {
"name": "policy-7", "name": "policy-7",
"match": { "match": {
@ -452,6 +460,29 @@ func Test_buildPolicyRoutes(t *testing.T) {
{ "enabled": true, "upgradeType": "spdy/3.1"} { "enabled": true, "upgradeType": "spdy/3.1"}
] ]
} }
},
{
"name": "policy-8",
"match": {
"path": "/websocket-timeout"
},
"metadata": {
"filterMetadata": {
"envoy.filters.http.lua": {
"remove_pomerium_authorization": true,
"remove_pomerium_cookie": "pomerium"
}
}
},
"route": {
"autoHostRewrite": false,
"cluster": "policy-8",
"timeout": "10s",
"upgradeConfigs": [
{ "enabled": true, "upgradeType": "websocket"},
{ "enabled": false, "upgradeType": "spdy/3.1"}
]
}
} }
] ]
`, routes) `, routes)