diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
index c85148d6852b..09319d899d7c 100644
--- a/docs/root/version_history/current.rst
+++ b/docs/root/version_history/current.rst
@@ -36,6 +36,7 @@ New Features
 ------------
 * access log: added the :ref:`formatters ` extension point for custom formatters (command operators).
 * http: added support for :ref:`:ref:`preconnecting `. Preconnecting is off by default, but recommended for clusters serving latency-sensitive traffic, especially if using HTTP/1.1.
+* http: change frame flood and abuse checks to the upstream HTTP/2 codec to ON by default. It can be disabled by setting the `envoy.reloadable_features.upstream_http2_flood_checks` runtime key to false.
 * tcp_proxy: add support for converting raw TCP streams into HTTP/1.1 CONNECT requests. See :ref:`upgrade documentation ` for details.
 
 Deprecated
diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc
index 6e926319ca89..73f96216c09c 100644
--- a/source/common/runtime/runtime_features.cc
+++ b/source/common/runtime/runtime_features.cc
@@ -89,6 +89,7 @@ constexpr const char* runtime_features[] = {
 "envoy.reloadable_features.upstream_host_weight_change_causes_rebuild",
 "envoy.reloadable_features.vhds_heartbeats",
 "envoy.reloadable_features.unify_grpc_handling",
+ "envoy.reloadable_features.upstream_http2_flood_checks",
 "envoy.restart_features.use_apple_api_for_dns_lookups",
 };
 
@@ -108,8 +109,6 @@ constexpr const char* disabled_runtime_features[] = {
 "envoy.reloadable_features.enable_type_url_downgrade_and_upgrade",
 // TODO(alyssawilk) flip true after the release.
 "envoy.reloadable_features.new_tcp_connection_pool",
- // TODO(yanavlasov) flip true after all tests for upstream flood checks are implemented
- "envoy.reloadable_features.upstream_http2_flood_checks",
 // Sentinel and test flag.
 "envoy.reloadable_features.test_feature_false",
 };
diff --git a/test/integration/http2_flood_integration_test.cc b/test/integration/http2_flood_integration_test.cc
index 3863d39b291c..96267012d99c 100644
--- a/test/integration/http2_flood_integration_test.cc
+++ b/test/integration/http2_flood_integration_test.cc
@@ -131,8 +131,6 @@ INSTANTIATE_TEST_SUITE_P(IpVersions, Http2FloodMitigationTest,
 TestUtility::ipTestParamsToString);
 
 bool Http2FloodMitigationTest::initializeUpstreamFloodTest() {
- config_helper_.addRuntimeOverride("envoy.reloadable_features.upstream_http2_flood_checks",
- "true");
 setDownstreamProtocol(Http::CodecClient::Type::HTTP2);
 setUpstreamProtocol(FakeHttpConnection::Type::HTTP2);
 // set lower upstream outbound frame limits to make tests run faster
@@ -178,8 +176,6 @@ void Http2FloodMitigationTest::beginSession() {
 
 std::vector Http2FloodMitigationTest::serializeFrames(const Http2Frame& frame,
 uint32_t num_frames) {
- // make sure all frames can fit into 16k buffer
- ASSERT(num_frames <= ((16u * 1024u) / frame.size()));
 std::vector buf(num_frames * frame.size());
 for (auto pos = buf.begin(); pos != buf.end();) {
 pos = std::copy(frame.begin(), frame.end(), pos);
@@ -1557,4 +1553,15 @@ TEST_P(Http2FloodMitigationTest, RequestMetadata) {
 EXPECT_EQ(1, test_server_->counter("cluster.cluster_0.http2.outbound_flood")->value());
 }
 
+// Validate that the default configuration has flood protection enabled.
+TEST_P(Http2FloodMitigationTest, UpstreamFloodDetectionIsOnByDefault) {
+ setDownstreamProtocol(Http::CodecClient::Type::HTTP2);
+ setUpstreamProtocol(FakeHttpConnection::Type::HTTP2);
+ initialize();
+
+ floodClient(Http2Frame::makePingFrame(),
+ Http2::Utility::OptionsLimits::DEFAULT_MAX_OUTBOUND_CONTROL_FRAMES + 1,
+ "cluster.cluster_0.http2.outbound_control_flood");
+}
+
 } // namespace Envoy
diff --git a/test/integration/http2_integration_test.cc b/test/integration/http2_integration_test.cc
index a0e73bdbde68..95ed212e7e2c 100644
--- a/test/integration/http2_integration_test.cc
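Review bot: Dropping the `ASSERT(num_frames <= ((16u * 1024u) / frame.size()))` guard in serializeFrames removes the only statement that explained the 16k ceiling, and nothing in the new code records whether that ceiling still applies on the consuming side. The new UpstreamFloodDetectionIsOnByDefault test serializes DEFAULT_MAX_OUTBOUND_CONTROL_FRAMES + 1 PING frames, which presumably is why the cap had to go; but if some writer downstream of serializeFrames still assumes one 16k write, a partial write would now pass through silently where it used to fail loudly. If the limit is obsolete, say so at the allocation: `// No size cap: callers may serialize well over 16k; the write path must handle large buffers.` Otherwise keep a guard that matches the real limit. serializeFrames continues past the end of this hunk.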
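Review bot: UpstreamFloodDetectionIsOnByDefault calls `initialize()` directly rather than `initializeUpstreamFloodTest()`, and that choice deserves a comment, because the helper (first hunk) lowers the upstream outbound frame limits and is the obvious thing a maintainer would otherwise reach for. Suggest above `initialize();`: `// Use the stock initialize(): initializeUpstreamFloodTest() lowers the frame limits, which would hide whether the *default* configuration is protected.` The flip also leaves the runtime kill switch `envoy.reloadable_features.upstream_http2_flood_checks` untested in the disabled direction; a sibling test that adds the override with "false" and expects the connection to survive the same PING flood (counter stays 0) would pin both sides of the switch, since a refactor could turn the flag into a no-op without any test noticing. floodClient is defined outside this hunk, so exactly what it asserts is inferred from the stat name passed to it.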
+++ b/test/integration/http2_integration_test.cc
@@ -111,7 +111,9 @@ TEST_P(Http2IntegrationTest, CodecStreamIdleTimeout) {
 hcm.mutable_stream_idle_timeout()->set_nanos(IdleTimeoutMs * 1000 * 1000);
 });
 initialize();
- envoy::config::core::v3::Http2ProtocolOptions http2_options;
+ envoy::config::core::v3::Http2ProtocolOptions http2_options = ::Envoy::Http2::Utility::initializeAndValidateOptions( envoy::config::core::v3::Http2ProtocolOptions());
 http2_options.mutable_initial_stream_window_size()->set_value(65535);
 codec_client_ = makeRawHttpConnection(makeClientConnection(lookupPort("http")), http2_options);
 auto response = codec_client_->makeHeaderOnlyRequest(default_request_headers_);
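Review bot: The switch from a default-constructed `Http2ProtocolOptions` to `initializeAndValidateOptions(Http2ProtocolOptions())` is unexplained in the test body, and a reader will not connect it to the flood-check flip in runtime_features.cc. The likely reason — a zero-initialized proto leaves the codec's outbound frame limits unset, so a raw client codec built from it behaves differently under the now-default flood checks — should be stated: `// Start from validated defaults so the raw client codec carries real flood limits; only the stream window is overridden below.` It is also worth checking the rest of http2_integration_test.cc for other hand-built `Http2ProtocolOptions` passed to makeRawHttpConnection, since any of them would be exposed to the same issue. The enclosing TEST_P begins before this hunk and continues after it.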