projectcontour · sunjayBhatia · Oct 13, 2023 · Oct 13, 2023 · Oct 13, 2023 · Oct 13, 2023
@@ -400,7 +400,18 @@ type EnvoyListenerConfig struct {
 	//
 	// +kubebuilder:validation:Minimum=1
 	// +optional
-	MaxRequestsPerIOCycle *uint32 `json:"maxRequestsPerIOCycle"`
+	MaxRequestsPerIOCycle *uint32 `json:"maxRequestsPerIOCycle,omitempty"`
+
+	// Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the
+	// SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed
+	// for a peer on a single HTTP/2 connection. It is recommended to not set this lower
+	// than 100 but this field can be used to bound resource usage by HTTP/2 connections
+	// and mitigate attacks like CVE-2023-44487. The default value when this is not set is
+	// unlimited.
+	//
+	// +kubebuilder:validation:Minimum=1
+	// +optional
+	HTTP2MaxConcurrentStreams *uint32 `json:"httpMaxConcurrentStreams,omitempty"`
 }
 
 // SocketOptions defines configurable socket options for Envoy listeners.

@@ -0,0 +1,11 @@
+## HTTP/2 max concurrent streams is configurable
+
+This field can be used to limit the number of concurrent streams Envoy will allow on a single connection from a downstream peer.
+It can be used to tune resource usage and as a mitigation for DOS attacks arising from vulnerabilities like CVE-2023-44487.
+
+The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:
+
+```
+listener:
+  http2-max-concurrent-streams: 50
+```
@@ -437,6 +437,7 @@ func (s *Server) doServe() error {
 		XffNumTrustedHops:             *contourConfiguration.Envoy.Network.XffNumTrustedHops,
 		ConnectionBalancer:            contourConfiguration.Envoy.Listener.ConnectionBalancer,
 		MaxRequestsPerConnection:      contourConfiguration.Envoy.Listener.MaxRequestsPerConnection,
+		HTTP2MaxConcurrentStreams:     contourConfiguration.Envoy.Listener.HTTP2MaxConcurrentStreams,
 		PerConnectionBufferLimitBytes: contourConfiguration.Envoy.Listener.PerConnectionBufferLimitBytes,
 		SocketOptions:                 contourConfiguration.Envoy.Listener.SocketOptions,
 	}

@@ -529,6 +529,7 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
 				PerConnectionBufferLimitBytes: ctx.Config.Listener.PerConnectionBufferLimitBytes,
 				MaxRequestsPerConnection:      ctx.Config.Listener.MaxRequestsPerConnection,
 				MaxRequestsPerIOCycle:         ctx.Config.Listener.MaxRequestsPerIOCycle,
+				HTTP2MaxConcurrentStreams:     ctx.Config.Listener.HTTP2MaxConcurrentStreams,
 				TLS: &contour_api_v1alpha1.EnvoyTLS{
 					MinimumProtocolVersion: ctx.Config.TLS.MinimumProtocolVersion,
 					MaximumProtocolVersion: ctx.Config.TLS.MaximumProtocolVersion,

@@ -877,10 +877,12 @@ func TestConvertServeContext(t *testing.T) {
 		"envoy listener settings": {
 			getServeContext: func(ctx *serveContext) *serveContext {
 				ctx.Config.Listener.MaxRequestsPerIOCycle = ref.To(uint32(10))
+				ctx.Config.Listener.HTTP2MaxConcurrentStreams = ref.To(uint32(30))
 				return ctx
 			},
 			getContourConfiguration: func(cfg contour_api_v1alpha1.ContourConfigurationSpec) contour_api_v1alpha1.ContourConfigurationSpec {
 				cfg.Envoy.Listener.MaxRequestsPerIOCycle = ref.To(uint32(10))
+				cfg.Envoy.Listener.HTTP2MaxConcurrentStreams = ref.To(uint32(30))
 				return cfg
 			},
 		},

@@ -196,6 +196,18 @@ spec:
                           slashes from request URL paths. \n Contour's default is
                           false."
                         type: boolean
+                      httpMaxConcurrentStreams:
+                        description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                          Envoy will advertise in the SETTINGS frame in HTTP/2 connections
+                          and the limit for concurrent streams allowed for a peer
+                          on a single HTTP/2 connection. It is recommended to not
+                          set this lower than 100 but this field can be used to bound
+                          resource usage by HTTP/2 connections and mitigate attacks
+                          like CVE-2023-44487. The default value when this is not
+                          set is unlimited.
+                        format: int32
+                        minimum: 1
+                        type: integer
                       maxRequestsPerConnection:
                         description: Defines the maximum requests for downstream connections.
                           If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
@@ -3646,6 +3658,18 @@ spec:
                               duplicate slashes from request URL paths. \n Contour's
                               default is false."
                             type: boolean
+                          httpMaxConcurrentStreams:
+                            description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                              Envoy will advertise in the SETTINGS frame in HTTP/2
+                              connections and the limit for concurrent streams allowed
+                              for a peer on a single HTTP/2 connection. It is recommended
+                              to not set this lower than 100 but this field can be
+                              used to bound resource usage by HTTP/2 connections and
+                              mitigate attacks like CVE-2023-44487. The default value
+                              when this is not set is unlimited.
+                            format: int32
+                            minimum: 1
+                            type: integer
                           maxRequestsPerConnection:
                             description: Defines the maximum requests for downstream
                               connections. If not specified, there is no limit. see

@@ -415,6 +415,18 @@ spec:
                           slashes from request URL paths. \n Contour's default is
                           false."
                         type: boolean
+                      httpMaxConcurrentStreams:
+                        description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                          Envoy will advertise in the SETTINGS frame in HTTP/2 connections
+                          and the limit for concurrent streams allowed for a peer
+                          on a single HTTP/2 connection. It is recommended to not
+                          set this lower than 100 but this field can be used to bound
+                          resource usage by HTTP/2 connections and mitigate attacks
+                          like CVE-2023-44487. The default value when this is not
+                          set is unlimited.
+                        format: int32
+                        minimum: 1
+                        type: integer
                       maxRequestsPerConnection:
                         description: Defines the maximum requests for downstream connections.
                           If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
@@ -3865,6 +3877,18 @@ spec:
                               duplicate slashes from request URL paths. \n Contour's
                               default is false."
                             type: boolean
+                          httpMaxConcurrentStreams:
+                            description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                              Envoy will advertise in the SETTINGS frame in HTTP/2
+                              connections and the limit for concurrent streams allowed
+                              for a peer on a single HTTP/2 connection. It is recommended
+                              to not set this lower than 100 but this field can be
+                              used to bound resource usage by HTTP/2 connections and
+                              mitigate attacks like CVE-2023-44487. The default value
+                              when this is not set is unlimited.
+                            format: int32
+                            minimum: 1
+                            type: integer
                           maxRequestsPerConnection:
                             description: Defines the maximum requests for downstream
                               connections. If not specified, there is no limit. see

@@ -207,6 +207,18 @@ spec:
                           slashes from request URL paths. \n Contour's default is
                           false."
                         type: boolean
+                      httpMaxConcurrentStreams:
+                        description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                          Envoy will advertise in the SETTINGS frame in HTTP/2 connections
+                          and the limit for concurrent streams allowed for a peer
+                          on a single HTTP/2 connection. It is recommended to not
+                          set this lower than 100 but this field can be used to bound
+                          resource usage by HTTP/2 connections and mitigate attacks
+                          like CVE-2023-44487. The default value when this is not
+                          set is unlimited.
+                        format: int32
+                        minimum: 1
+                        type: integer
                       maxRequestsPerConnection:
                         description: Defines the maximum requests for downstream connections.
                           If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
@@ -3657,6 +3669,18 @@ spec:
                               duplicate slashes from request URL paths. \n Contour's
                               default is false."
                             type: boolean
+                          httpMaxConcurrentStreams:
+                            description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                              Envoy will advertise in the SETTINGS frame in HTTP/2
+                              connections and the limit for concurrent streams allowed
+                              for a peer on a single HTTP/2 connection. It is recommended
+                              to not set this lower than 100 but this field can be
+                              used to bound resource usage by HTTP/2 connections and
+                              mitigate attacks like CVE-2023-44487. The default value
+                              when this is not set is unlimited.
+                            format: int32
+                            minimum: 1
+                            type: integer
                           maxRequestsPerConnection:
                             description: Defines the maximum requests for downstream
                               connections. If not specified, there is no limit. see

@@ -418,6 +418,18 @@ spec:
                           slashes from request URL paths. \n Contour's default is
                           false."
                         type: boolean
+                      httpMaxConcurrentStreams:
+                        description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                          Envoy will advertise in the SETTINGS frame in HTTP/2 connections
+                          and the limit for concurrent streams allowed for a peer
+                          on a single HTTP/2 connection. It is recommended to not
+                          set this lower than 100 but this field can be used to bound
+                          resource usage by HTTP/2 connections and mitigate attacks
+                          like CVE-2023-44487. The default value when this is not
+                          set is unlimited.
+                        format: int32
+                        minimum: 1
+                        type: integer
                       maxRequestsPerConnection:
                         description: Defines the maximum requests for downstream connections.
                           If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
@@ -3868,6 +3880,18 @@ spec:
                               duplicate slashes from request URL paths. \n Contour's
                               default is false."
                             type: boolean
+                          httpMaxConcurrentStreams:
+                            description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                              Envoy will advertise in the SETTINGS frame in HTTP/2
+                              connections and the limit for concurrent streams allowed
+                              for a peer on a single HTTP/2 connection. It is recommended
+                              to not set this lower than 100 but this field can be
+                              used to bound resource usage by HTTP/2 connections and
+                              mitigate attacks like CVE-2023-44487. The default value
+                              when this is not set is unlimited.
+                            format: int32
+                            minimum: 1
+                            type: integer
                           maxRequestsPerConnection:
                             description: Defines the maximum requests for downstream
                               connections. If not specified, there is no limit. see

@@ -415,6 +415,18 @@ spec:
                           slashes from request URL paths. \n Contour's default is
                           false."
                         type: boolean
+                      httpMaxConcurrentStreams:
+                        description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                          Envoy will advertise in the SETTINGS frame in HTTP/2 connections
+                          and the limit for concurrent streams allowed for a peer
+                          on a single HTTP/2 connection. It is recommended to not
+                          set this lower than 100 but this field can be used to bound
+                          resource usage by HTTP/2 connections and mitigate attacks
+                          like CVE-2023-44487. The default value when this is not
+                          set is unlimited.
+                        format: int32
+                        minimum: 1
+                        type: integer
                       maxRequestsPerConnection:
                         description: Defines the maximum requests for downstream connections.
                           If not specified, there is no limit. see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-msg-config-core-v3-httpprotocoloptions
@@ -3865,6 +3877,18 @@ spec:
                               duplicate slashes from request URL paths. \n Contour's
                               default is false."
                             type: boolean
+                          httpMaxConcurrentStreams:
+                            description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS
+                              Envoy will advertise in the SETTINGS frame in HTTP/2
+                              connections and the limit for concurrent streams allowed
+                              for a peer on a single HTTP/2 connection. It is recommended
+                              to not set this lower than 100 but this field can be
+                              used to bound resource usage by HTTP/2 connections and
+                              mitigate attacks like CVE-2023-44487. The default value
+                              when this is not set is unlimited.
+                            format: int32
+                            minimum: 1
+                            type: integer
                           maxRequestsPerConnection:
                             description: Defines the maximum requests for downstream
                               connections. If not specified, there is no limit. see

@@ -57,6 +57,7 @@ func TestOverlayOnDefaults(t *testing.T) {
 				DisableAllowChunkedLength:  ref.To(true),
 				DisableMergeSlashes:        ref.To(true),
 				MaxRequestsPerConnection:   ref.To(uint32(1)),
+				HTTP2MaxConcurrentStreams:  ref.To(uint32(10)),
 				ServerHeaderTransformation: contour_api_v1alpha1.PassThroughServerHeader,
 				ConnectionBalancer:         "yesplease",
 				TLS: &contour_api_v1alpha1.EnvoyTLS{

@@ -172,6 +172,7 @@ type httpConnectionManagerBuilder struct {
 	numTrustedHops                uint32
 	tracingConfig                 *http.HttpConnectionManager_Tracing
 	maxRequestsPerConnection      *uint32
+	http2MaxConcurrentStreams     *uint32
 	enableWebsockets              bool
 }
 
@@ -284,6 +285,11 @@ func (b *httpConnectionManagerBuilder) MaxRequestsPerConnection(maxRequestsPerCo
 	return b
 }
 
+func (b *httpConnectionManagerBuilder) HTTP2MaxConcurrentStreams(http2MaxConcurrentStreams *uint32) *httpConnectionManagerBuilder {
+	b.http2MaxConcurrentStreams = http2MaxConcurrentStreams
+	return b
+}
+
 func (b *httpConnectionManagerBuilder) DefaultFilters() *httpConnectionManagerBuilder {
 
 	// Add a default set of ordered http filters.
@@ -538,6 +544,12 @@ func (b *httpConnectionManagerBuilder) Get() *envoy_listener_v3.Filter {
 		cm.CommonHttpProtocolOptions.MaxRequestsPerConnection = wrapperspb.UInt32(*b.maxRequestsPerConnection)
 	}
 
+	if b.http2MaxConcurrentStreams != nil {
+		cm.Http2ProtocolOptions = &envoy_core_v3.Http2ProtocolOptions{
+			MaxConcurrentStreams: wrapperspb.UInt32(*b.http2MaxConcurrentStreams),
+		}
+	}
+
 	if b.enableWebsockets {
 		cm.UpgradeConfigs = append(cm.UpgradeConfigs,
 			&http.HttpConnectionManager_UpgradeConfig{