# HG changeset patch
# User Roman Arutyunyan
# Date 1627563697 -10800
# Node ID c35b255d80dc70f111efa13cc8806c292768ab57
# Parent 59d2d47ad3c6b4e9aa8167861855fc75b79ac8d2
HTTP/3: close connection on keepalive_requests * 2.

After receiving GOAWAY, client is not supposed to create new streams. However, until client reads this frame, we allow it to create new streams, which are gracefully rejected. To prevent client from abusing this algorithm, a new limit is introduced. Upon reaching keepalive_requests * 2, server now closes the entire QUIC connection claiming excessive load.

diff --git a/src/http/v3/ngx_http_v3_request.c b/src/http/v3/ngx_http_v3_request.c
--- a/src/http/v3/ngx_http_v3_request.c
+++ b/src/http/v3/ngx_http_v3_request.c
@@ -81,6 +81,15 @@ ngx_http_v3_init(ngx_connection_t *c)
 clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);
+ n = c->quic->id >> 2;
+
+ if (n >= clcf->keepalive_requests * 2) {
+ ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_EXCESSIVE_LOAD,
+ "too many requests per connection");
+ ngx_http_close_connection(c);
+ return;
+ }
+
 h3c = ngx_http_v3_get_session(c);
 if (h3c->goaway) {
@@ -89,8 +98,6 @@ ngx_http_v3_init(ngx_connection_t *c)
 return;
 }
- n = c->quic->id >> 2;
-
 if (n + 1 == clcf->keepalive_requests || ngx_current_msec - c->quic->parent->start_time > clcf->keepalive_time)
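Review bot: The added guard `if (n >= clcf->keepalive_requests * 2)` in the first hunk is already true for the first request stream (n == 0) when keepalive_requests is 0, so that setting would close every HTTP/3 connection with NGX_HTTP_V3_ERR_EXCESSIVE_LOAD, whereas the existing `n + 1 == clcf->keepalive_requests` test further down never fires for 0; whether the directive accepts 0 is not visible here, so it should either be rejected at configuration time or exempted from this check. The product is also computed in the width of keepalive_requests, which is declared outside the hunk; if that type is 32 bits on some builds, a very large configured value wraps and silently lowers the limit, and `if (n / 2 >= clcf->keepalive_requests) {` is equivalent without the multiplication. A short comment on the factor would help the next reader, e.g. `/* 2x headroom: streams opened before the client has read GOAWAY are rejected gracefully; beyond that the connection is closed */`. ngx_http_v3_init starts and ends outside the hunk.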