[core] add config opt to send GOAWAY for bad auth

add global config opt to send GOAWAY for invalid auth
(adds cost to and reduces speed of brute force auth password attacks)

global setting; default enabled to preserve existing behavior

Disable with:
  server.feature-flags += ("auth.http-goaway-invalid-creds" => 0)
for networks with proxies where multiple requests from *different* clients
are multiplexed on the same h2 connection to lighttpd.
Glenn Strauss 2023-08-13 16:30:41 -04:00
parent 7dddbc9960
commit 52a509ff2b
1 changed file with 5 additions and 2 deletions


@ -3117,13 +3117,16 @@ h2_upgrade_h2c (request_st * const r, connection * const con)
__attribute_cold__
__attribute_noinline__
static void
h2_send_goaway_delayed (connection * const con)
{
request_st * const h2r = &con->request;
if (h2r->keep_alive >= 0) {
h2r->keep_alive = -1;
h2_send_goaway(con, H2_E_NO_ERROR);
if (config_feature_bool(con->srv, "auth.http-goaway-invalid-creds", 1)){
h2r->keep_alive = -1;
h2_send_goaway(con, H2_E_NO_ERROR);
}
http_response_delay(con);
}
else /*(abort connection upon second request to close h2 connection)*/
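Review bot: the new feature-flag check runs on the hot path of every failed-auth response: `config_feature_bool(con->srv, "auth.http-goaway-invalid-creds", 1)` is evaluated by name each time h2_send_goaway_delayed() is entered, which is exactly the situation (repeated bad credentials) where it is called most. Consider resolving the flag once at config load into a server-level field and testing that here. Two smaller points: with the flag off, `h2r->keep_alive` is no longer set to -1, so every subsequent bad-auth request on the same connection re-enters the `if (h2r->keep_alive >= 0)` branch and takes http_response_delay() again instead of reaching the `else` that aborts the connection; if that is the intended behaviour for the multiplexing-proxy case named in the commit message, a comment at the `if` would make it explicit. And `1)){` is missing the space before the brace that the surrounding code uses; the diff also touches only this one file, so the new "auth.http-goaway-invalid-creds" option has no accompanying documentation update.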