[gorouter] Add property to restrict header count and size

[maxmoehl]

We deploy gorouter behind HAProxy which limits the amount of headers and the size of each header for requests and responses. For requests towards CF this isn't much of an issue since the request is rejected with 400: Bad Request and it never reaches the application. However, response headers are processed by the gorouter and the request shows up as 200: OK but is later rejected by HAProxy and returned as a 502: Bad Gateway to the client.

To avoid this behaviour which is confusing for users, we would like to introduce two properties:

• max_headers: int to limit the amount of req/res headers
• max_header_size: int to limit the number of bytes a single header is allowed to occupy the request/response line and headers (without body) are allowed to occupy

This allows us to reject responses in gorouter and show the error message in the app logs which are visible to the user.

We can implement this feature but would like to first discuss if there are any concerns/questions. Leave a 👍 if you like this / don't see any issues with it.

[ameowlia]

max_headers

• Adding max_headers as described technically sounds good, as long as you provide a way to make it unlimited so it is not a breaking change.
• ❓ However, I don't understand the use case behind limiting the total number of headers instead of the total size. Can you explain the use case?

max_header_size

• The property router.max_header_kb already exists, which is very similar to what you want for max_header_size.
• However router.max_header_kb only applies to requests (I believe) and not responses.
• Maybe you could use that property and also add a property enforce_header_limit_on_response or something? It's not the cleanest, but I am always worried about causing breaking changes.
• Happy to hear other suggestions for how to keep these properties are clear as possible, while not causing a breaking change.

[maxmoehl]

@ameowlia thanks for the feedback!

First of all: yes, we always want to make sure to not break any existing setups, the properties would be disabled by default and only considered when explicitly enabled.

I should've provided a bit more detail in my initial issue: HAProxy has two main buffer sizes: tune.bufsize and tune.maxrewrite:

• tune.bufsize is the base buffer size
• tune.maxrewrite is the portion of tune.bufsize that is reserved for modification while processing the request
• the buffer size available for the request/response line + headers (without body) is then tune.bufsize - tune.maxrewrite ¹
• tune.http.maxhdr the maximum amount of headers on each response/request

max_headers

We want to be able to set some limit that applies to request and response headers. The main reason to add such a property is to fail in gorouter and show the failure in logs the user can access (+ the x_cf_routererror header to give more details).

max_header_size

Agreed, this covers our use-case. Adding a flag to enforce the limit on responses as well sounds good!

Footnotes

1. there is one mistake in my original issue: what I proposed as a per-header limit is actually the limit for all headers + request/response line (so it's the same as max_header_kb), I will update the issue accordingly. ↩

[ameowlia]

Sounds good to me; I look forward to the PR! (Also I learned about markdown footnotes 😮.)

[MarcPaquette]

Hey @maxmoehl & @ameowlia,
Is this issue still open? Is there any further work to do or can we close this out?