From 244bfd9102db8b3cd2eb7ed7a3c05af880f06c69 Mon Sep 17 00:00:00 2001
From: Samir Aguiar
Date: Mon, 20 May 2024 21:08:36 +0000
Subject: [PATCH] auth web: make request/response timeout configurable
---
 .github/actions/spell-check/allow.txt | 1 +
 .github/actions/spell-check/expect.txt | 1 +
 docs/http-api/index.rst | 3 ++-
 docs/settings.rst | 10 ++++++++++
 pdns/auth-main.cc | 1 +
 pdns/webserver.cc | 5 +++--
 pdns/webserver.hh | 5 +++++
 pdns/ws-auth.cc | 1 +
 8 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/.github/actions/spell-check/allow.txt b/.github/actions/spell-check/allow.txt
index cc0e68a3b3d84..926d94d8f66e2 100644
--- a/.github/actions/spell-check/allow.txt
+++ b/.github/actions/spell-check/allow.txt
@@ -523,6 +523,7 @@ conflictor
 confx
 connectionmanagement
 connectionroom
+connectiontimeout
 connectlogstr
 connectstr
 connstr
diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt
index 43b7f2bacdf56..fd686eb1ddeff 100644
--- a/.github/actions/spell-check/expect.txt
+++ b/.github/actions/spell-check/expect.txt
@@ -215,6 +215,7 @@ configname
 configsetting
 configurability
 confs
+connectiontimeout
 conntrack
 Conntracking
 Consolas
diff --git a/docs/http-api/index.rst b/docs/http-api/index.rst
index 256033f9f42cb..b57a8003a6eae 100644
--- a/docs/http-api/index.rst
+++ b/docs/http-api/index.rst
@@ -20,6 +20,7 @@ The following webserver related configuration items are available:
 * :ref:`setting-webserver-port`: Port to bind the webserver to.
 * :ref:`setting-webserver-allow-from`: Netmasks that are allowed to connect to the webserver
 * :ref:`setting-webserver-max-bodysize`: Maximum request/response body size in megabytes
+* :ref:`setting-webserver-connection-timeout`: Request/response timeout in seconds
 Metrics Endpoint
@@ -290,7 +291,7 @@ Prometheus can then be configured to scrape metrics from this endpoint using a s
 - job_name: 'pdns_auth'
 scrape_interval: 1m
 static_configs:
- - targets: ['pdns_auth_host:pdns_auth_ws_port']
+ - targets: ['pdns_auth_host:pdns_auth_ws_port']
 Further details can be gathered from the `prometheus docs `_.
diff --git a/docs/settings.rst b/docs/settings.rst
index d1d37a30ecbb0..ee91827987be0 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -1953,6 +1953,16 @@ The value between the hooks is a UUID that is generated for each request. This c
 Maximum request/response body size in megabytes.
+.. _setting-webserver-connection-timeout:
+
+``webserver-connection-timeout``
+--------------------------
+
+- Integer
+- Default: 5
+
+Request/response timeout in seconds.
+
 .. _setting-webserver-password:
 ``webserver-password``
diff --git a/pdns/auth-main.cc b/pdns/auth-main.cc
index f69bf6e20b56e..c9b0542988cf4 100644
--- a/pdns/auth-main.cc
+++ b/pdns/auth-main.cc
@@ -242,6 +242,7 @@ static void declareArguments()
 ::arg().set("webserver-allow-from", "Webserver/API access is only allowed from these subnets") = "127.0.0.1,::1";
 ::arg().set("webserver-loglevel", "Amount of logging in the webserver (none, normal, detailed)") = "normal";
 ::arg().set("webserver-max-bodysize", "Webserver/API maximum request/response body size in megabytes") = "2";
+ ::arg().set("webserver-connection-timeout", "Webserver/API request/response timeout in seconds") = "5";
 ::arg().setSwitch("webserver-hash-plaintext-credentials", "Whether to hash passwords and api keys supplied in plaintext, to prevent keeping the plaintext version in memory at runtime") = "no";
 ::arg().setSwitch("query-logging", "Hint backends that queries should be logged") = "no";
diff --git a/pdns/webserver.cc b/pdns/webserver.cc
index 62ca90d4e122f..98e8ca735f0eb 100644
--- a/pdns/webserver.cc
+++ b/pdns/webserver.cc
@@ -530,7 +530,7 @@ void WebServer::serveConnection(const std::shared_ptr& client) const {
 YaHTTP::AsyncRequestLoader yarl;
 yarl.initialize(&req);
 req.max_request_size=d_maxbodysize;
- int timeout = 5;
+ int timeout = d_connectiontimeout;
 client->setNonBlocking();
 try {
@@ -598,7 +598,8 @@ WebServer::WebServer(string listenaddress, int port) :
 d_listenaddress(std::move(listenaddress)),
 d_port(port),
 d_server(nullptr),
- d_maxbodysize(2*1024*1024)
+ d_maxbodysize(2*1024*1024),
+ d_connectiontimeout(5)
 {
 }
diff --git a/pdns/webserver.hh b/pdns/webserver.hh
index c75dd99ad09a5..29f0ddefe07f7 100644
--- a/pdns/webserver.hh
+++ b/pdns/webserver.hh
@@ -209,6 +209,10 @@ public:
 d_maxbodysize = s * 1024 * 1024;
 }
+ void setConnectionTimeout(int t) { // in seconds
+ d_connectiontimeout = t;
+ }
+
 void setACL(const NetmaskGroup &nmg) {
 d_acl = nmg;
 }
@@ -282,6 +286,7 @@ protected:
 std::unique_ptr d_webserverPassword{nullptr};
 ssize_t d_maxbodysize; // in bytes
+ int d_connectiontimeout; // in seconds
 NetmaskGroup d_acl;
diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index 27c50b651c0e5..d13e735a242de 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -80,6 +80,7 @@ AuthWebServer::AuthWebServer() :
 d_ws->setACL(acl);
 d_ws->setMaxBodySize(::arg().asNum("webserver-max-bodysize"));
+ d_ws->setConnectionTimeout(::arg().asNum("webserver-connection-timeout"));
 d_ws->bind();
 }
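Review bot: `int timeout = d_connectiontimeout;` in `serveConnection` (pdns/webserver.cc) does not say whether the value bounds each socket wait or the whole request/response exchange, and the reads and writes that consume it are outside this hunk. If it is applied per wait, a client that sends a little data just inside the limit can occupy the connection for much longer than the documented "Request/response timeout in seconds", and raising the setting widens that window. Either track one deadline for the full exchange, or state the actual semantics next to the variable, e.g. `// seconds allowed for each read/write wait, not a total request deadline`, and repeat that in docs/settings.rst.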
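Review bot: `setConnectionTimeout(int t)` in pdns/webserver.hh stores any value it is given, and the pdns/ws-auth.cc hunk feeds it `::arg().asNum("webserver-connection-timeout")` unchecked, so a configured 0 or negative number reaches `serveConnection` as the timeout. How the socket wait helpers treat such a value is not visible here; plausible outcomes are that every API request fails at once or that a wait never expires, the latter letting idle clients hold webserver connections open indefinitely. Validate once where the setting is applied and fail startup with a clear message, along the lines of `if (t <= 0) throw std::runtime_error("webserver-connection-timeout must be a positive number of seconds");` (or the project's usual exception type). The accepted range, and an upper bound if one is wanted, should also be stated in docs/settings.rst.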