Skip to content

Commit

Permalink
Limit GRPC Active streams (#33936)
Browse files Browse the repository at this point in the history
Originally there was a default limit of 100 max concurrent streams, however in 2017 the GRPC team removed this default: grpc/grpc-go#1624

With the recent HTTP/2 Rapid Reset DoS, it is now being encouraged to re-introduce a limit.  The fix requires this value to be configured in fact: grpc/grpc-go#6703
  • Loading branch information
jentfoo committed Oct 27, 2023
1 parent 151cef3 commit 43a18f5
Show file tree
Hide file tree
Showing 6 changed files with 18 additions and 2 deletions.
2 changes: 2 additions & 0 deletions lib/auth/grpcserver.go
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,7 @@ import (
wanlib "github.com/gravitational/teleport/lib/auth/webauthn"
"github.com/gravitational/teleport/lib/authz"
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/events"
"github.com/gravitational/teleport/lib/httplib"
"github.com/gravitational/teleport/lib/joinserver"
Expand Down Expand Up @@ -5128,6 +5129,7 @@ func NewGRPCServer(cfg GRPCServerConfig) (*GRPCServer, error) {
PermitWithoutStream: true,
},
),
grpc.MaxConcurrentStreams(defaults.GRPCMaxConcurrentStreams),
}
server := grpc.NewServer(opts...)
authServer := &GRPCServer{
Expand Down
4 changes: 4 additions & 0 deletions lib/defaults/defaults.go
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,10 @@ const (
// By default all users use /bin/bash
DefaultShell = "/bin/bash"

// GRPCMaxConcurrentStreams is the max GRPC streams that can be active at a time. Once the limit is reached new
// RPC calls will queue until capacity is available.
GRPCMaxConcurrentStreams = 1000

// HTTPMaxIdleConns is the max idle connections across all hosts.
HTTPMaxIdleConns = 2000

Expand Down
4 changes: 3 additions & 1 deletion lib/observability/tracing/collector.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@ import (
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"
"google.golang.org/protobuf/proto"

"github.com/gravitational/teleport/lib/defaults"
)

// Collector is a simple in memory implementation of an OpenTelemetry Collector
Expand Down Expand Up @@ -75,7 +77,7 @@ func NewCollector(cfg CollectorConfig) (*Collector, error) {
c := &Collector{
grpcLn: grpcLn,
httpLn: httpLn,
grpcServer: grpc.NewServer(grpc.Creds(creds)),
grpcServer: grpc.NewServer(grpc.Creds(creds), grpc.MaxConcurrentStreams(defaults.GRPCMaxConcurrentStreams)),
tlsConfing: tlsConfig,
exportedC: make(chan struct{}, 1),
}
Expand Down
2 changes: 2 additions & 0 deletions lib/proxy/peer/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ import (
"github.com/gravitational/teleport/api/metadata"
"github.com/gravitational/teleport/api/utils/grpc/interceptors"
"github.com/gravitational/teleport/lib/auth"
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/utils"
)

Expand Down Expand Up @@ -141,6 +142,7 @@ func NewServer(config ServerConfig) (*Server, error) {
MinTime: peerKeepAlive,
PermitWithoutStream: true,
}),
grpc.MaxConcurrentStreams(defaults.GRPCMaxConcurrentStreams),
)

proto.RegisterProxyServiceServer(server, config.service)
Expand Down
3 changes: 3 additions & 0 deletions lib/service/service.go
Original file line number Diff line number Diff line change
Expand Up @@ -3878,6 +3878,7 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
otelgrpc.StreamServerInterceptor(),
),
grpc.Creds(credentials.NewTLS(serverTLSConfig)),
grpc.MaxConcurrentStreams(defaults.GRPCMaxConcurrentStreams),
)

process.RegisterCriticalFunc("proxy.ssh", func() error {
Expand Down Expand Up @@ -5394,6 +5395,7 @@ func (process *TeleportProcess) initPublicGRPCServer(
// available for some time.
MaxConnectionIdle: 10 * time.Second,
}),
grpc.MaxConcurrentStreams(defaults.GRPCMaxConcurrentStreams),
)
joinServiceServer := joinserver.NewJoinServiceGRPCServer(conn.Client)
proto.RegisterJoinServiceServer(server, joinServiceServer)
Expand Down Expand Up @@ -5443,6 +5445,7 @@ func (process *TeleportProcess) initSecureGRPCServer(cfg initSecureGRPCServerCfg
grpc.Creds(credentials.NewTLS(
copyAndConfigureTLS(serverTLSConfig, process.log, cfg.accessPoint, clusterName),
)),
grpc.MaxConcurrentStreams(defaults.GRPCMaxConcurrentStreams),
)

kubeServer, err := kubegrpc.New(kubegrpc.Config{
Expand Down
5 changes: 4 additions & 1 deletion lib/teleterm/apiserver/apiserver.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ import (
"google.golang.org/grpc"

api "github.com/gravitational/teleport/gen/proto/go/teleport/lib/teleterm/v1"
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/teleterm/apiserver/handler"
"github.com/gravitational/teleport/lib/utils"
)
Expand All @@ -41,7 +42,9 @@ func New(cfg Config) (*APIServer, error) {
}

grpcServer := grpc.NewServer(cfg.TshdServerCreds,
grpc.ChainUnaryInterceptor(withErrorHandling(cfg.Log)))
grpc.ChainUnaryInterceptor(withErrorHandling(cfg.Log)),
grpc.MaxConcurrentStreams(defaults.GRPCMaxConcurrentStreams),
)

// Create Terminal service.

Expand Down

0 comments on commit 43a18f5

Please sign in to comment.