Hardening of Vulcan

[pquerna]

Right now Vulcan probably isn't that awesome to expose to the general internet.

We need to add many limits and hardening of what is accepted from clients, and better understand abusive upstreams.

For example:

• Request bodies are not limited in any way, and may consume all memory.
• Response Bodies are not streamed, and are buffered completely in memory.
• Add or improve timeouts of clients, upstreams, etc.
• Improve limits on number of headers, size of headers, etc.

[klizhentas]

Some notes from conversation with @pquerna:

• Check for multipliers, cases when user sent one byte to the server and it uses 10 bytes. These are opening doors for attacks.
• Introduce hard limits on request body size
• Limits on header size and count
• Introduce bandwidth limiting algorithms (use token bucket for request bodies)
• if streaming use TCP to make a back pressure
• content-length header, something to check
• cookie size limits (subset of header size limit)
• Deflate attacks?
• Don't close the socket if someone hit the limit, just half close for read.
• Add support for TLS

Examples of tests

• Proxy a hundred gig file and it does not increase memory usage on vulcan

Feel free to add more if something else comes to mind, we'll start working on this.

Thanks,
Sasha