From 858f13abad7800e8b2d8ee76b9cb3095a1308176 Mon Sep 17 00:00:00 2001 From: Pablo Vicente Date: Mon, 3 Dec 2018 14:30:57 +0100 Subject: [PATCH 1/5] Add settings and code for configuring server timeouts and headers timeouts --- app.js | 31 +++++++++++++++++++++++++++++++ config/default/config.json | 4 +++- schema/config.js | 19 ++++++++++++++++++- 3 files changed, 52 insertions(+), 2 deletions(-) diff --git a/app.js b/app.js index 9464135f91c..0d1dd75f37b 100644 --- a/app.js +++ b/app.js @@ -761,6 +761,23 @@ d.run(() => { * @param {function} cb - Callback function */ function(scope, cb) { + // Slowloris prevention + scope.network.server.headersTimeout = + appConfig.api.options.limits.headersTimeout; + + scope.network.server.setTimeout( + appConfig.api.options.limits.serverSetTimeout + ); + + scope.network.server.on('timeout', socket => { + scope.logger.info( + `Disconnecting idle socket: ${socket.remoteAddress}:${ + socket.remotePort + }` + ); + socket.destroy(); + }); + scope.network.server.listen( scope.config.httpPort, scope.config.address, @@ -771,6 +788,20 @@ d.run(() => { if (!err) { if (scope.config.api.ssl.enabled) { + // Slowloris prevention + scope.network.https.headersTimeout = + appConfig.api.options.limits.headersTimeout; + scope.network.https.setTimeout( + appConfig.api.options.limits.serverTimeout + ); + scope.network.https.on('timeout', socket => { + scope.logger.info( + `Disconnecting idle socket: ${socket.remoteAddress}:${ + socket.remotePort + }` + ); + socket.destroy(); + }); scope.network.https.listen( scope.config.api.ssl.options.port, scope.config.api.ssl.options.address, diff --git a/config/default/config.json b/config/default/config.json index 5aed04e1897..4f6c42ce57b 100644 --- a/config/default/config.json +++ b/config/default/config.json @@ -48,7 +48,9 @@ "max": 0, "delayMs": 0, "delayAfter": 0, - "windowMs": 60000 + "windowMs": 60000, + "headersTimeout": 5000, + "serverSetTimeout": 20000 }, "cors": { "origin": "*", 
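Review bot: The new `timeout` listener on `scope.network.server` logs one `info` line per destroyed socket, so a Slowloris flood — the attack this hunk defends against — turns into a log-volume amplifier with a line per attacker connection. Consider `scope.logger.debug(...)` or a periodically sampled counter for this message; the `socket.destroy()` itself must stay, because attaching a custom `timeout` listener replaces Node's default destroy-on-timeout behaviour. The hunk also reads the limits from `appConfig` while the `listen` call right below reads `scope.config`; if those are not the same validated object, the applied values can diverge from what the schema checked. The enclosing `function(scope, cb)` continues outside the hunk.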
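Review bot: The HTTPS branch calls `scope.network.https.setTimeout(appConfig.api.options.limits.serverTimeout)`, but the key added in config.json and schema/config.js is `serverSetTimeout`; `serverTimeout` resolves to `undefined`, so the TLS listener gets no idle-socket timeout, the `timeout` handler below it never fires, and the HTTPS endpoint stays exposed to slow-header/slow-body connections while the HTTP one is protected. The one-line fix is `appConfig.api.options.limits.serverSetTimeout`. Since the two blocks are otherwise identical copy-paste, a shared helper would prevent this kind of drift between the listeners:
```javascript
// Apply the Slowloris mitigations (header timeout, idle-socket timeout) to one listener.
// server.headersTimeout is only honoured by Node >= 8.14.0; older versions ignore the assignment.
function hardenServer(server, limits, logger) {
  server.headersTimeout = limits.headersTimeout;
  server.setTimeout(limits.serverSetTimeout);
  server.on('timeout', socket => {
    logger.info(`Disconnecting idle socket: ${socket.remoteAddress}:${socket.remotePort}`);
    socket.destroy();
  });
}
// … unchanged: http listen, err check, ssl.enabled check …
hardenServer(scope.network.https, appConfig.api.options.limits, scope.logger);
```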
diff --git a/schema/config.js b/schema/config.js index 3c1c49eb1a4..53e39f23e82 100644 --- a/schema/config.js +++ b/schema/config.js @@ -190,8 +190,25 @@ module.exports = { windowMs: { type: 'integer', }, + headersTimeout: { + type: 'integer', + minimum: 1, + maximum: 40000, + }, + serverSetTimeout: { + type: 'integer', + minimum: 1, + maximum: 120000, + }, }, - required: ['max', 'delayMs', 'delayAfter', 'windowMs'], + required: [ + 'max', + 'delayMs', + 'delayAfter', + 'windowMs', + 'headersTimeout', + 'serverSetTimeout', + ], }, cors: { type: 'object', From d06fe007942927651ea7eb6171d179f5405fcd32 Mon Sep 17 00:00:00 2001 From: Maciej Baj Date: Tue, 4 Dec 2018 12:11:44 +0100 Subject: [PATCH 2/5] Add comment about security vulnerability fix Co-Authored-By: pablitovicente --- app.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app.js b/app.js index 0d1dd75f37b..c6152dc24db 100644 --- a/app.js +++ b/app.js @@ -761,7 +761,7 @@ d.run(() => { * @param {function} cb - Callback function */ function(scope, cb) { - // Slowloris prevention + // Security vulnerabilities fixed by Node v8.14.0 - "Slowloris (cve-2018-12122)" scope.network.server.headersTimeout = appConfig.api.options.limits.headersTimeout; From b0f0ceed5795b048ab3d0b77cebac00b9d72f88d Mon Sep 17 00:00:00 2001 From: Maciej Baj Date: Tue, 4 Dec 2018 12:12:23 +0100 Subject: [PATCH 3/5] Disconnect idle clients using configurable time Co-Authored-By: pablitovicente --- app.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app.js b/app.js index c6152dc24db..c446ef07487 100644 --- a/app.js +++ b/app.js @@ -764,7 +764,7 @@ d.run(() => { // Security vulnerabilities fixed by Node v8.14.0 - "Slowloris (cve-2018-12122)" scope.network.server.headersTimeout = appConfig.api.options.limits.headersTimeout; - + // Disconnect idle clients scope.network.server.setTimeout( appConfig.api.options.limits.serverSetTimeout ); From d3216ea84d30956b053d463c58dab242d0d8110f Mon Sep 17 00:00:00 2001 
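Review bot: `headersTimeout` and `serverSetTimeout` are validated independently, but a `headersTimeout` larger than `serverSetTimeout` is dead configuration (the socket timeout fires first), and `minimum: 1` accepts a 1 ms value that would disconnect every legitimate client — a self-inflicted outage one typo in config.json away. JSON Schema cannot express the ordering, so add a runtime guard where the values are applied, e.g. `if (limits.headersTimeout > limits.serverSetTimeout) throw new Error('headersTimeout must not exceed serverSetTimeout');`, and consider a floor of a few hundred milliseconds in the schema. Making both keys `required` also means a 1.3.0 config that skips the migration now fails validation, which appears to be intended given the update_config.js step in this series.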
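Review bot: The reworded comment reads as if Node 8.14.0 fixed the problem, whereas the line below overrides the 40 s default that release introduced with a tighter value, and on Node versions before the fix (8.14.0 / 10.14.0, as far as I recall) the assignment to `headersTimeout` is a silent no-op because the property is never consulted. Suggest `// Slowloris mitigation (CVE-2018-12122): Node >= 8.14.0 honours server.headersTimeout; older versions ignore this assignment.` and, unless that Node version is already pinned elsewhere, a startup check such as `if (scope.network.server.headersTimeout === undefined) scope.logger.warn('Node version does not support headersTimeout');` so operators are not given false confidence by the config key.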
From: Maciej Baj Date: Tue, 4 Dec 2018 12:13:51 +0100 Subject: [PATCH 4/5] Add comment about security vulnerability fix Co-Authored-By: pablitovicente --- app.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app.js b/app.js index c446ef07487..98dbdde99ff 100644 --- a/app.js +++ b/app.js @@ -788,7 +788,7 @@ d.run(() => { if (!err) { if (scope.config.api.ssl.enabled) { - // Slowloris prevention + // Security vulnerabilities fixed by Node v8.14.0 - "Slowloris (cve-2018-12122)" scope.network.https.headersTimeout = appConfig.api.options.limits.headersTimeout; scope.network.https.setTimeout( From 08b10a26006a52e242618b6b787cb9bc3fa518b4 Mon Sep 17 00:00:00 2001 From: Pablo Vicente Date: Tue, 4 Dec 2018 12:37:18 +0100 Subject: [PATCH 5/5] Update config for 1.3.1 --- package.json | 2 +- scripts/update_config.js | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/package.json b/package.json index a7bcda75e83..d17b1c2f88b 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "lisk", - "version": "1.3.0", + "version": "1.3.1-rc.0", "description": "Lisk blockchain application platform", "author": "Lisk Foundation , lightcurve GmbH ", diff --git a/scripts/update_config.js b/scripts/update_config.js index 5e2fd28e26a..f6274c25d7b 100644 --- a/scripts/update_config.js +++ b/scripts/update_config.js @@ -232,6 +232,13 @@ history.version('1.2.0-rc.x', version => { return config; }); }); +history.version('1.3.1-rc.0', version => { + version.change('add http timeout items', config => { + config.api.options.limits.headersTimeout = 5000; + config.api.options.limits.serverSetTimeout = 20000; + return config; + }); +}); const askPassword = (message, cb) => { if (program.password && program.password.trim().length !== 0) {
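Review bot: The `1.3.1-rc.0` migration assigns `headersTimeout` and `serverSetTimeout` unconditionally, so if the step ever runs against a config that already carries operator-chosen values (a re-run, or a file hand-edited ahead of the upgrade) it silently resets them to the defaults. Guarding each assignment, e.g. `if (config.api.options.limits.headersTimeout === undefined) config.api.options.limits.headersTimeout = 5000;`, keeps the step idempotent; whether `history.version` already guarantees single execution per version is not visible in this hunk.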