This commit makes the number of concurrent HTTP/2 streams per connection
configurable as a means of mitigating DDoS attacks. As soon as the limit is
reached, BIND terminates the whole session.
The commit adds a global configuration
option (http-streams-per-connection) which can be overridden in an
http <name> {...} statement as follows:
http local-http-server {
...
streams-per-connection 100;
...
};
For now the default value is 100, which should be enough (e.g. NGINX
uses 128, but it is a full-featured WEB-server). When using lower
numbers (e.g. ~70), it is possible to hit the limit with
e.g. flamethrower.
/*
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*/
|
|
|
|
tls local-tls {
|
|
key-file "key.pem";
|
|
cert-file "cert.pem";
|
|
};
|
|
|
|
http local-http-server {
|
|
endpoints { "/dns-query"; };
|
|
listener-clients 100;
|
|
streams-per-connection 100;
|
|
};
|
|
|
|
options {
|
|
listen-on { 10.53.0.1; };
|
|
http-port 80;
|
|
https-port 443;
|
|
http-listener-clients 100;
|
|
http-streams-per-connection 100;
|
|
listen-on port 443 tls local-tls http local-http-server { 10.53.0.1; };
|
|
listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
|
|
};
|