Merge pull request #37 from tolstenko/master

feat(router): Add ability to set MaxHeaderSize and MaxFieldSize globally

Author: Cryptophobia

README.md

@@ -257,6 +257,8 @@ _Note that Kubernetes annotation maps are all of Go type `map[string]string`.  A
 | <a name="default-app-name"></a>deis-router | deployment | [router.deis.io/nginx.DefaultAppName](#default-app-name) | `""` | Default back-end application name for traffic hitting router on /. In order to work correctly both `defaultServiceIP` and `DefaultServiceEnabled` MUST also be set.  |
 | <a name="default-service-ip"></a>deis-router | deployment | [router.deis.io/nginx.defaultServiceIP](#default-service-ip) | `""` | Default back-end service ip for traffic hitting router on /. In order to work correctly both `DefaultAppName` and `DefaultServiceEnabled` MUST also be set. |
 | <a name="http2-enabled"></a>deis-router | deployment | [router.deis.io/nginx.http2Enabled](#http2-enabled) | `"true"` | Whether to enable HTTP2 for apps on the SSL ports. |
+| <a name="http2MaxHeaderSize"></a>deis-router | deployment | [router.deis.io/nginx.http2MaxHeaderSize](#http2MaxHeaderSize) | `"32k"` | The max header size. |
+| <a name="http2MaxFieldSize"></a>deis-router | deployment | [router.deis.io/nginx.http2MaxFieldSize](#http2MaxFieldSize) | `"16k"` | The max header field size. |
 | <a name="log-format"></a>deis-router | deployment | [router.deis.io/nginx.logFormat](#log-format) | `"[$time_iso8601] - $app_name - $remote_addr - $remote_user - $status - "$request" - $bytes_sent - "$http_referer" - "$http_user_agent" - "$server_name" - $upstream_addr - $http_host - $upstream_response_time - $request_time"` | Nginx access log format. **Warning:** if you change this to a non-default value, log parsing in monitoring subsystem will be broken. Use this parameter if you completely understand what you're doing. |
 | <a name="ssl-enforce"></a>deis-router | deployment | [router.deis.io/nginx.ssl.enforce](#ssl-enforce) | `"false"` | Whether to respond with a 301 for all HTTP requests with a permanent redirect to the HTTPS equivalent address. |
 | <a name="ssl-protocols"></a>deis-router | deployment | [router.deis.io/nginx.ssl.protocols](#ssl-protocols) | `"TLSv1 TLSv1.1 TLSv1.2"` | nginx `ssl_protocols` setting. |

model/model.go

@@ -72,6 +72,8 @@ type RouterConfig struct {
 	LogFormat                string              `key:"logFormat"`
 	ProxyBuffersConfig       *ProxyBuffersConfig `key:"proxyBuffers"`
 	ReferrerPolicy           string              `key:"referrerPolicy" constraint:"^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url|none)$"`
+	HTTP2MaxHeaderSize       string              `key:"http2MaxHeaderSize" constraint:"^[0-9]\\d*[kKmM]?$"`
+	HTTP2MaxFieldSize        string              `key:"http2MaxFieldSize" constraint:"^[0-9]\\d*[kKmM]?$"`
 }
 
 func newRouterConfig() (*RouterConfig, error) {
@@ -108,6 +110,8 @@ func newRouterConfig() (*RouterConfig, error) {
 		LogFormat:                `[$time_iso8601] - $app_name - $remote_addr - $remote_user - $status - "$request" - $bytes_sent - "$http_referer" - "$http_user_agent" - "$server_name" - $upstream_addr - $http_host - $upstream_response_time - $request_time`,
 		ProxyBuffersConfig:       proxyBuffersConfig,
 		ReferrerPolicy:           "",
+		HTTP2MaxHeaderSize:       "32k",
+		HTTP2MaxFieldSize:        "16k",
 	}, nil
 }
 

nginx/config.go

@@ -161,6 +161,10 @@ http {
 			return 200;
 		}
 
+		# set header size limits
+		{{ if $routerConfig.HTTP2Enabled }} http2_max_header_size {{ $routerConfig.HTTP2MaxHeaderSize }}; {{ end }}
+		{{ if $routerConfig.HTTP2Enabled }} http2_max_field_size  {{ $routerConfig.HTTP2MaxFieldSize }};  {{ end }}
+
 		location / {
 			proxy_buffering {{ if $routerConfig.ProxyBuffersConfig.Enabled }}on{{ else }}off{{ end }};
 			proxy_buffer_size {{ $routerConfig.ProxyBuffersConfig.Size }};
@@ -183,6 +187,11 @@ http {
 	server {
 		listen 8080 default_server reuseport{{ if $routerConfig.UseProxyProtocol }} proxy_protocol{{ end }};
 		listen 6443 default_server ssl {{ if $routerConfig.HTTP2Enabled }}http2{{ end }} {{ if $routerConfig.UseProxyProtocol }}proxy_protocol{{ end }};
+        
+		# set header size limits
+		{{ if $routerConfig.HTTP2Enabled }} http2_max_header_size {{ $routerConfig.HTTP2MaxHeaderSize }}; {{ end }}
+		{{ if $routerConfig.HTTP2Enabled }} http2_max_field_size  {{ $routerConfig.HTTP2MaxFieldSize }};  {{ end }}
+		
 		set $app_name "router-default-vhost";
 		{{ if $routerConfig.PlatformCertificate }}
 		ssl_protocols {{ $sslConfig.Protocols }};
@@ -251,6 +260,10 @@ http {
 		modsecurity_rules_file /opt/router/conf/modsecurity.conf;
 		{{- end }}
 
+		# set header size limits
+		{{ if $routerConfig.HTTP2Enabled }} http2_max_header_size {{ $routerConfig.HTTP2MaxHeaderSize }}; {{ end }}
+		{{ if $routerConfig.HTTP2Enabled }} http2_max_field_size  {{ $routerConfig.HTTP2MaxFieldSize }};  {{ end }}
+        
 		{{ if index $appConfig.Certificates $domain }}
 		listen 6443 ssl {{ if $routerConfig.HTTP2Enabled }}http2{{ end }} {{ if $routerConfig.UseProxyProtocol }}proxy_protocol{{ end }};
 		ssl_protocols {{ $sslConfig.Protocols }};