HTTP/2: per-iteration stream handling limit.

To ensure that attempts to flood servers with many streams are detected
early, a limit of no more than 2 * max_concurrent_streams new streams per one
event loop iteration was introduced.  This limit is applied even if
max_concurrent_streams is not yet reached - for example, if corresponding
streams are handled synchronously or reset.

Further, refused streams are now limited to maximum of max_concurrent_streams
and 100, similarly to priority_limit initial value, providing some tolerance
to clients trying to open several streams at the connection start, yet
low tolerance to flooding attempts.

1 files changed, 2 insertions, 0 deletions

diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
index cb9014ccf..6751b3026 100644
--- a/src/http/v2/ngx_http_v2.h
+++ b/src/http/v2/ngx_http_v2.h
@@ -131,6 +131,8 @@ struct ngx_http_v2_connection_s {
     ngx_uint_t                       processing;
     ngx_uint_t                       frames;
     ngx_uint_t                       idle;
+    ngx_uint_t                       new_streams;
+    ngx_uint_t                       refused_streams;
     ngx_uint_t                       priority_limit;
 
     size_t                           send_window;