[core] add config opt to send GOAWAY for bad auth

add global config opt to send GOAWAY for invalid auth
(adds cost to and reduces speed of brute force auth password attacks)

global setting; default enabled to preserve existing behavior

Disable with:
  server.feature-flags += ("auth.http-goaway-invalid-creds" => 0)
for networks with proxies where multiple requests from *different* clients
are multiplexed on the same h2 connection to lighttpd.
This commit is contained in:
Glenn Strauss 2023-08-13 16:30:41 -04:00
parent 7dddbc9960
commit 52a509ff2b
1 changed files with 5 additions and 2 deletions

View File

@ -3117,13 +3117,16 @@ h2_upgrade_h2c (request_st * const r, connection * const con)
static void
h2_send_goaway_delayed (connection * const con)
request_st * const h2r = &con->request;
if (h2r->keep_alive >= 0) {
h2r->keep_alive = -1;
h2_send_goaway(con, H2_E_NO_ERROR);
if (config_feature_bool(con->srv, "auth.http-goaway-invalid-creds", 1)){
h2r->keep_alive = -1;
h2_send_goaway(con, H2_E_NO_ERROR);
else /*(abort connection upon second request to close h2 connection)*/