Set a header read timeout on HTTP servers (#9181)

Newer versions of golangci-lint flag `http.Server` instances that do not set a `ReadHeaderTimeout` as being vulnerable to "slowloris" attacks, wherein clients initiate requests that hold connections open indefinitely. This change sets a `ReadHeaderTimeout` of 10s. This timeout is fairly conservative so that clients can eagerly create connections, but is still constrained enough that these connections won't remain open indefinitely. This change also updates kubert to v0.9.1, which instruments a header read timeout on the policy admission server. Signed-off-by: Oliver Gould <ver@buoyant.io>
2022-08-16 11:10:23 -07:00 · 2022-08-16 11:10:23 -07:00 · 04a66bacea
parent d957ec6003
commit 04a66bacea
6 changed files with 19 additions and 11 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -915,9 +915,9 @@ dependencies = [

 [[package]]
 name = "kubert"
-version = "0.9.0"
+version = "0.9.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "950ff2a1ad61768b9fe9b3a1eded194feba83c5b4f94252dcff9fa6dae51ce4d"
+checksum = "6b8b65e116e2617ea081f5fcbd31d508243ab0c1c6da3fa2a7177680a61af855"
 dependencies = [
 "ahash",
 "clap",
--- a/controller/webhook/server.go
+++ b/controller/webhook/server.go
@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net/http"
 	"sync/atomic"
+	"time"

 	"github.com/linkerd/linkerd2/controller/k8s"
 	pkgk8s "github.com/linkerd/linkerd2/pkg/k8s"
@ -61,7 +62,8 @@ func NewServer(
 	}()

 	server := &http.Server{
-		Addr: addr,
+		Addr:              addr,
+		ReadHeaderTimeout: 10 * time.Second,
 		TLSConfig: &tls.Config{
 			MinVersion: tls.VersionTLS12,
 		},
--- a/controller/webhook/server_test.go
+++ b/controller/webhook/server_test.go
@ -15,7 +15,8 @@ import (
 )

 var mockHTTPServer = &http.Server{
-	Addr: ":0",
+	Addr:              ":0",
+	ReadHeaderTimeout: 10 * time.Second,
 	TLSConfig: &tls.Config{
 		MinVersion: tls.VersionTLS12,
 	},
--- a/pkg/admin/admin.go
+++ b/pkg/admin/admin.go
@ -5,6 +5,7 @@ import (
 	"net/http"
 	"net/http/pprof"
 	"strings"
+	"time"

 	"github.com/prometheus/client_golang/prometheus/promhttp"
 )
@ -22,8 +23,9 @@ func NewServer(addr string, enablePprof bool) *http.Server {
 	}

 	return &http.Server{
-		Addr:    addr,
-		Handler: h,
+		Addr:              addr,
+		Handler:           h,
+		ReadHeaderTimeout: 10 * time.Second,
 	}
 }

--- a/viz/tap/api/server.go
+++ b/viz/tap/api/server.go
@ -10,6 +10,7 @@ import (
 	"net"
 	"net/http"
 	"sync/atomic"
+	"time"

 	"github.com/julienschmidt/httprouter"
 	"github.com/linkerd/linkerd2/controller/k8s"
@ -69,7 +70,8 @@ func NewServer(
 	clientCertPool.AppendCertsFromPEM([]byte(clientCAPem))

 	httpServer := &http.Server{
-		Addr: addr,
+		Addr:              addr,
+		ReadHeaderTimeout: 10 * time.Second,
 		TLSConfig: &tls.Config{
 			ClientAuth: tls.VerifyClientCertIfGiven,
 			ClientCAs:  clientCertPool,
--- a/web/srv/server.go
+++ b/web/srv/server.go
@ -136,10 +136,11 @@ func NewServer(
 	}

 	httpServer := &http.Server{
-		Addr:         addr,
-		ReadTimeout:  timeout,
-		WriteTimeout: timeout,
-		Handler:      wrappedServer,
+		Addr:              addr,
+		ReadTimeout:       timeout,
+		ReadHeaderTimeout: timeout,
+		WriteTimeout:      timeout,
+		Handler:           wrappedServer,
 	}

 	// webapp routes